SOX priorities 1647



  • Please tell me about the priorities for each of these categories. I realize each company is different, but I would like to hear your experiences and have your personal input.
    Corporate governance priorities
    IT priorities
    Operational Priorities
    Please at least provide some examples of subjects that might fall under each category (ex.: which category would ‘signing in/out’ fall under? I know this is something that our company is going to have to work on).



  • Corporate Governance Should be number 1 due to the legal requriements associated with it. This should be included in your Company Level Controls so as to ensure that there is a proper and ethical ‘tone at the top’.
    IT and operational actitivity controls get eual ranking and will be reviewed on an equal basis by your auditors.
    what these controls conist of depends on your day to day activities and the risk associated with each transaction.
    You need to ensure that you cover COSO Components and Financial statement assertions for your operations controls, and COBIT for your IS controls



  • Hi,
    IT activity should take priority over operational activity and for SOX compliance purposes, operational actitivity is not considered within scope.
    Due to the significant dependence on IT applications and their impact on internal controls over financial reporting (ICFR), one can successfully assert that IT activity, as it relates to the design effectiveness and operational effectiveness of the application controls embedded in the financial applications, should be a pervasive consideration when determining resource priorities to comply with SOX requirements.
    Hope this further helps,
    Milan



  • Milan,
    should Corporate Governance not be number one so as Company Level controls would normally be reviewed in all locations ( even -out of scope locations), and, if they are deemed effective, reduce the level of testing performed by External Auditors ( and therefore audit fees?)
    in addition, operations could include the finance function ( depending on the nature of the trade), Sales, Shipping and Receiving, inventory etc, all of which can be mapped to financial controls (in one way or another)



  • Entity level controls (ELC) should always be considered a high priority, generally, they are considered to be highest priority by many professionals. No comment was made about ELC…rather, the reply posted addressed the 2nd and 3rd items…IT Priorities and Operational Priorities in that order.
    Operations is specifically excluded from consideration for SOX purposes. It is excluded from SOX as addressed in the COSO Framework (COSO Cube).
    sox-online.com/coso_cobit_coso_cube-old.html
    Using the COSO Framework, Operations and Compliance are not considered within scope for SOX purposes. SOX focues on Financial Reporting.


Log in to reply