What happens after the deadlines?



  • The Act requires an annual certification by management that internal controls over financial statements are effective. This means ongoing monitoring and testing of all controls. Our company (as will most) will be doing quarterly reviews and updates to the documentation so that as of the year end date we are comfortable that our controls are adequate to cover all of the risks we have identified.
    The Sarbanes Oxley work does not end on December 31st - it has only just begun.



  • Actually management have to add a statement about their internal controls with the quarterly SEC filing - so testing has to be done quarterly too to provide something to support management’s statement.
    Some of the higher risk controls will be tested even more frequently. IA’s work is never done…



  • A question about ongoing compliance… my Firm is implementing new software in the 1st quarter, and they’re asking whether the new software (and processes that surround it) must be fully compliant prior to implementation.
    Is that everyone else’s understanding? Or, is it feasible to implement the application, then identify and remediate any control deficiencies?



  • A question about ongoing compliance… my Firm is implementing new software in the 1st quarter, and they’re asking whether the new software (and processes that surround it) must be fully compliant prior to implementation.
    Is that everyone else’s understanding? Or, is it feasible to implement the application, then identify and remediate any control deficiencies?
    Assuming that you were required to be compliant at YE 2004, you should make every attempt to remain compliant throughout 2005 and beyond. Ideally, you would ensure that controls were in place prior to going live with new software. What type of software is being installed? If it is for your GL, you really do need to have it compliant when it goes live as, to meet SOX reporting requirements, you will likely need to disclose that you have installed new software in your quarterly filings. You should have someone documenting controls as a part of the configuration / testing process so that you won’t have to test as much after you go live.



  • This will be a continuous effort. You had better spend some thought on how to get SOX from a project into the day-to-day business.



  • I am trying to find that ‘hard evidence’ and article ANYTHING on what has to happen at the quarters. Do we have to test every quarter, all critical (key) controls? Anyone see anything out there that could help?? Also, I just started this company as the internal audit manager… they have instructed everyone to only keep their audit evidence for 90 days… which my gut tells me just isn’t right… since we may have issues when the auditors want to come and test… anyone know where I can find anything on document retention (besides the PCAOB one for the auditors)… to me, it is common sense… but I unfortunately need more than that
    Thanks…



  • Michael Ramos’s book states the following:
    Section 302 requires quarterly reporting on the effectiveness of an entity’s ‘disclosure controls and procedures’. Also, the company’s quarterly report must disclose material changes in the entity’s internal control over financial reporting.
    Management is not required to evaluate or report on internal control.
    Internal audit (Management’s little helpers) will therefore need to show that the disclosure controls and procedures are effective - which are not exactly the same as ‘the system of internal control’ but will cover a lot of common ground.
    Material changes would suggest to me the use of a new IT system for example.
    We are therefore planning to test most controls quarterly.



  • at guest: You have to test every year, every daily, monthly, quarterly and yearly key control in order to show that your controls are in place and effective for each disclosure in the respective year. This will be an ongoing effort.
    at bigmak: No, a new system doesn’t have to be SOX compliant before it is productive. But it is the better approach to include that effort already whilst still in the project status to make sure that it contains the appropriate automated controls you want/need. Instead of finding that out being in the productive stage and having the need to change a running system.



  • Michael Ramos’s book states the following:
    Section 302 requires quarterly reporting on the effectiveness of an entity’s ‘disclosure controls and procedures’. Also, the company’s quarterly report must disclose material changes in the entity’s internal control over financial reporting.
    Management is not required to evaluate or report on internal control.
    Internal audit (Management’s little helpers) will therefore need to show that the disclosure controls and procedures are effective - which are not exactly the same as ‘the system of internal control’ but will cover a lot of common ground.
    Material changes would suggest to me the use of a new IT system for example.
    We are therefore planning to test most controls quarterly.
    guest: You have to test every year, every daily, monthly, quarterly and yearly key control in order to show that your controls are in place and effective for each disclosure in the respective year. This will be an ongoing effort.

    After reading above:
    I don’t get it. Once you have tested controls then why do you need to continuously test those same controls? If you have in place an effective change control and process, and no significant changes have occurred, then the need for continuous testing is not needed… This interpretation of compliance is analogous to taking your car to the mechanic every day for a smog check.
    I do agree if a controls process or systems have changed then reasonable testing would be needed.
    So please set me straight.



  • I don’t get it. Once you have tested controls then why do you need to continuously test those same controls? If you have in place an effective change control and process, and no significant changes have occurred, then the need for continuous testing is not needed… This interpretation of compliance is analogous to taking your car to the mechanic every day for a smog check.
    I do agree if a controls process or systems have changed then reasonable testing would be needed.
    That’s it. You need to show every year and even if processes haven’t changed that your controls are still there and effective.
    You have to divide between 302 and 404 reporting. The Statement of Accountability doesn’t really care about testing. That’s where you have to show what has hit your statements. Potentially every 404 deficiency can be a 302 issue but every 302 issue necessarily has to be a 404 deficiency.



  • I don’t get it. Once you have tested controls then why do you need to continuously test those same controls? If you have in place an effective change control and process, and no significant changes have occurred, then the need for continuous testing is not needed… This interpretation of compliance is analogous to taking your car to the mechanic every day for a smog check.
    I do agree if a controls process or systems have changed then reasonable testing would be needed.
    That’s it. You need to show every year and even if processes haven’t changed that your controls are still there and effective.
    To show continuous compliance then can I utilize the 302 process (monitoring) and audits (testing)?



  • Testing (i.e. evaluation of control effectiveness) is an annual requirement to meet your 404 assertion. 302 compliance can be a bit more high level e.g. have my processes, people, systems changed? Have my main recs and management review thrown up any major problems?

