Five Decisions Which Must be Made Regarding the SOX 404 Project Strategy
(Part 1 of 2)
By: Mitchell H. Levine, CISA - Audit Serve, Inc.


Regardless of whether an organization is in its first year of SOX compliance or its third, the SOX project strategy must be reassessed on an ongoing basis to ensure that risks are identified and mitigated. In addition, reducing the cost of the SOX project without increasing risk to a material level has become a high priority in most organizations.

1) What is in-scope?

Once an organization defines the financial processes, applications, databases and servers which are in-scope for SOX, it is committed to defining the controls within each of these components and testing them. Defining what is in-scope is therefore the single most important decision affecting the overall size of an organization's SOX project. Unfortunately, most organizations did not approach this task in a cost-conscious manner aimed at reducing the number of in-scope components. This was attributable to the lack of measurable criteria for identifying in-scope components. In addition, organizations did not reassess these components periodically to determine whether they should remain in-scope under the criteria the organization had adopted.

Organizations have utilized different approaches to identify which components are in-scope. The most common approach is to identify the financial processes which represent an organization-specified percentage of revenue, asset valuation or expenses. These financial processes are then traced to the applications, databases and servers which they utilize. An organization could adjust these percentage thresholds upwards, which would reduce the number of in-scope financial processes and therefore the number of applications, databases and servers which would need to be included in the SOX project.

For organizations which are in their third year of the SOX project, a justification would need to be made as to why such changes to the in-scope criteria do not increase the residual risk to a material level. This analysis would be evaluated by the external auditors.

2) Will controls be required to be implemented for out-of-scope systems?

Prior to SOX, most organizations implemented controls in the same manner throughout the organization. In some cases, organizations utilized a risk assessment to determine which financial, operational and system components would be required to implement the organization-mandated controls. Audit departments likewise utilized a risk assessment approach to identify auditable entities and the frequency of their audits.

The question organizations must answer is whether they will implement, for components which are not in-scope for SOX, the same base level of controls established for in-scope SOX components. Knowing that components can be placed in-scope based on an annual assessment, it would be prudent to have these components SOX-ready. If it is decided to implement SOX-level controls on systems which are out of SOX scope, it would not necessarily be required to test these controls. However, in order to determine whether the control design is effective, some level of testing should be established.

The next edition of the Audit Vision Newsletter will cover the three remaining decisions which must be made regarding the SOX 404 Project Strategy.

Mitchell Levine is the founder of Audit Serve, Inc. Audit Serve performs all types of integrated & IT Audits, SOX Control Design & Testing. Email Mr. Levine at if you would like to discuss your organization's specific project requirements in order to establish a proposal of services.

Copyright 2008, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.
