What happens after the deadlines?



  • Actually management have to add a statement about their internal controls with the quarterly SEC filing - so testing has to be done quarterly too to provide something to support management’s statement.
    Some of the higher risk controls will be tested even more frequently. IA’s work is never done…



  • A question about ongoing compliance… my Firm is implementing new software in the 1st quarter, and they’re asking whether the new software (and processes that surround it) must be fully compliant prior to implementation.
    Is that everyone else’s understanding? Or, is it feasible to implement the application, then identify and remediate any control deficiencies?



  • A question about ongoing compliance… my Firm is implementing new software in the 1st quarter, and they’re asking whether the new software (and processes that surround it) must be fully compliant prior to implementation.
    Is that everyone else’s understanding? Or, is it feasible to implement the application, then identify and remediate any control deficiencies?
    Assuming that you were required to be compliant at YE 2004, you should make every attempt to remain compliant throughout 2005 and beyond. Ideally, you would ensure that controls were in place prior to going live with new software. What type of software is being installed? If it is for your GL, you really do need to be compliant when it goes live as, to meet SOX reporting requirements, you will likely need to disclose that you have installed new software in your quarterly filings. You should have someone documenting controls as a part of the configuration / testing process so that you won’t have to test as much after you go live.



  • This will be a continuous effort. You had better give some thought to how to get SOX from a project into the day-to-day business.



  • I am trying to find that ‘hard evidence’ and article, ANYTHING, on what has to happen at the quarters. Do we have to test every quarter, all critical (key) controls? Anyone see anything out there that could help?? Also, I just started at this company as the internal audit manager… they have instructed everyone to only keep their audit evidence for 90 days… which my gut tells me just isn’t right… since we may have issues when the auditors want to come and test… anyone know where I can find anything on document retention (besides the PCAOB one for the auditors)… to me, it is common sense… but I unfortunately need more than that.
    Thanks…



  • Michael Ramos’s book states the following:
    Section 302 requires quarterly reporting on the effectiveness of an entity’s ‘disclosure controls and procedures’. Also, the company’s quarterly report must disclose material changes in the entity’s internal control over financial reporting.
    Management is not required to evaluate or report on internal control.
    Internal audit (Management’s little helpers) will therefore need to show that the disclosure controls and procedures are effective - which are not exactly the same as ‘the system of internal control’ but will cover a lot of common ground.
    Material changes would suggest to me the use of a new IT system, for example.
    We are therefore planning to test most controls quarterly.



  • at guest: You have to test every year, every daily, monthly, quarterly and yearly key control in order to show that your controls are in place and effective for each disclosure in the respective year. This will be an ongoing effort.
    at bigmak: No, a new system doesn’t have to be SOX compliant before it is productive. But it is the better approach to include that effort already whilst still in the project status to make sure that it contains the appropriate automated controls you want/need, instead of finding that out when in the productive stage and having the need to change a running system.



  • Michael Ramos’s book states the following:
    Section 302 requires quarterly reporting on the effectiveness of an entity’s ‘disclosure controls and procedures’. Also, the company’s quarterly report must disclose material changes in the entity’s internal control over financial reporting.
    Management is not required to evaluate or report on internal control.
    Internal audit (Management’s little helpers) will therefore need to show that the disclosure controls and procedures are effective - which are not exactly the same as ‘the system of internal control’ but will cover a lot of common ground.
    Material changes would suggest to me the use of a new IT system, for example.
    We are therefore planning to test most controls quarterly.
    guest: You have to test every year, every daily, monthly, quarterly and yearly key control in order to show that your controls are in place and effective for each disclosure in the respective year. This will be an ongoing effort.

    After reading above:
    I don’t get it. Once you have tested controls, then why do you need to continuously test those same controls? If you have an effective change control process in place, and no significant changes have occurred, then continuous testing is not needed… This interpretation of compliance is analogous to taking your car to the mechanic every day for a smog check.
    I do agree that if a controls process or systems have changed then reasonable testing would be needed.
    So please set me straight.



  • I don’t get it. Once you have tested controls, then why do you need to continuously test those same controls? If you have an effective change control process in place, and no significant changes have occurred, then continuous testing is not needed… This interpretation of compliance is analogous to taking your car to the mechanic every day for a smog check.
    I do agree that if a controls process or systems have changed then reasonable testing would be needed.
    That’s it. You need to show every year, even if processes haven’t changed, that your controls are still there and effective.
    You have to divide between 302 and 404 reporting. The Statement of Accountability doesn’t really care about testing. That’s where you have to show what has hit your statements. Potentially every 404 deficiency can be a 302 issue but every 302 issue necessarily has to be a 404 deficiency.



  • I don’t get it. Once you have tested controls, then why do you need to continuously test those same controls? If you have an effective change control process in place, and no significant changes have occurred, then continuous testing is not needed… This interpretation of compliance is analogous to taking your car to the mechanic every day for a smog check.
    I do agree that if a controls process or systems have changed then reasonable testing would be needed.
    That’s it. You need to show every year, even if processes haven’t changed, that your controls are still there and effective.
    To show continuous compliance, then, can I utilize the 302 process (monitoring) and audits (testing)?



  • Testing (i.e. evaluation of control effectiveness) is an annual requirement to meet your 404 assertion. 302 compliance can be a bit more high level e.g. have my processes, people, systems changed? Have my main recs and management review thrown up any major problems?



  • Testing (i.e. evaluation of control effectiveness) is an annual requirement to meet your 404 assertion. 302 compliance can be a bit more high level e.g. have my processes, people, systems changed? Have my main recs and management review thrown up any major problems?
    I understand the annual 404 requirement. What I am suggesting is that if 404 is based on continuous compliance then we should be monitoring and auditing on a regular basis, not continuously testing, such that it could be combined with the 302 schedule. Also, the 404 quarterly monitoring and audits will by default substantiate the high-level information needed for the 302. But what I am really asking is why we need to be continuously testing the controls when we have confirmed control compliance by initial compliance testing, monitoring, the change control process, and auditing. Again, continuous testing of compliance is analogous to taking your car to the mechanic every day for a smog check.



  • Not 100% sure I get your point.
    If you’re saying that by spreading your 404 testing throughout the year you can also cover the 302 requirement at the same time then I would generally agree. That’s about setting up a steady state process that suits your business.
    If you’re suggesting that because you have continuous monitoring to satisfy 302 you don’t need to do testing for 404 I would not agree, as the 302 work would probably not be sufficiently detailed to qualify as an evaluation of control effectiveness.
    Apologies if I’ve picked you up wrong :oops:



  • I would say the main difference between 302 and 404 is that 404 is covering the internal controls to establish and maintain a preventive environment and behaviour. Whereas with 302 you basically state that nothing actually occurred which could lead to a financial misstatement.
    Having that in mind, it becomes clear that you have to do continuous 404 work, and that 404 helps to detect some 302 issues, but 302 can’t possibly do the 404 part.



  • Not 100% sure I get your point.
    If you’re saying that by spreading your 404 testing throughout the year you can also cover the 302 requirement at the same time then I would generally agree. That’s about setting up a steady state process that suits your business.
    If you’re suggesting that because you have continuous monitoring to satisfy 302 you don’t need to do testing for 404 I would not agree, as the 302 work would probably not be sufficiently detailed to qualify as an evaluation of control effectiveness.
    Apologies if I’ve picked you up wrong :oops:
    Thanks for everyone’s comments. One more time…
    What I am asking is: If I have tested and certified 404 (have the tested controls in place) then why do I have to keep testing them? If I have quarterly monitoring, change control, and auditing then there is no need to keep testing. Again: If the control is effective and tested to work then why keep testing? If it’s not broke, don’t fix it.



  • If I have tested and certified 404 (have the tested controls in place) then why do I have to keep testing them?
    Because management has to make an assertion annually and you have to ensure that your controls HAVE worked during the year - you can’t just assume that they SHOULD work based on monitoring.
    Broadly speaking, what is required for quarterly monitoring for 302 purposes will not be sufficient to support your 404 assertion - but this partly depends on how you set up your steady state.

