Five Decisions Which Must be Made Regarding the SOX 404 Project Strategy
(Part 2 of 2)
By: Mitchell H. Levine, CISA - Audit Serve, Inc.


Regardless of whether one’s organization is in the first year of SOX compliance or fourth year, the SOX project strategy must be reassessed on an ongoing basis to ensure risks are identified and mitigated. The first part of the article discussed two of the five decisions (1- What is in-scope? 2- Will controls be required to be implemented for out-of-scope systems?) which must be made regarding the SOX 404 Project Strategy. This article focuses on the final three decisions.

Decision #3: What are the criteria for opening and closing reportable items?

Organizations have established a process for tracking reportable items, which represent control deficiencies. These control deficiencies are eventually reported in the Summary of Aggregated Deficiencies (SAD) document.

Reportable items arise from two sources: control design deficiencies and failed SOX tests. By the fourth year of SOX compliance, management should not be identifying any new control design issues unless a new pervasive control area is being added. External auditors, however, accumulate knowledge each year from their other clients, which they may use in subsequent years to identify missing controls; each missing control would represent a control design deficiency. For existing controls, repeated failed SOX tests are an example of a control design deficiency, since the repeated failures may be attributable to a poor control design.

Failures of SOX tests are reported as deficiencies in the operating effectiveness of a control. Unlike audit compliance tests, where one test failure would not necessarily represent an audit issue, SOX testing has a much lower threshold for failure: even a single test failure represents an operating deficiency which must be reported. However, isolated test failures would not rise to the level of a “significant deficiency” or “material weakness”.

When a reportable item is opened for a failed test, subsequent SOX tests are required in order to close it. Two factors must be considered when closing a reportable item for a failed test: sample size and sample period. It is recommended that full annual sample sizes be tested in order to close a reportable item relating to a prior SOX test failure. It is also important to perform the re-test over a period long enough for the required number of test samples to become available. Therefore, if the SOX test failure occurs too close to the end of the year, there may not be sufficient samples available to close the reportable item prior to the end of the fiscal year.

Decision #4: Who will perform the testing?

The decision on who will conduct the testing may differ depending on whether an organization is in its first or fourth year of SOX 404 compliance. During the initial year of testing, when the test approach is first being established, an experienced person is needed to identify the alternative approaches for conducting the testing.

The initial test plans are normally developed by the same team that establishes the control. This allows the experts to design effective test plans, including proven methods for extracting the test data needed to evaluate the effectiveness of the control. Most internal audit departments which take on the testing responsibility require that test plans be established in advance. If Internal Audit is not able to perform a test, they will record it as a failed test.

Once the test plans have been used for one cycle of SOX testing, consideration should be given to transferring the testing to an independent group such as Internal Audit. External auditors can place reliance on testing performed internally for a portion of their sample size requirements. However, external auditors typically want assurance that an independent group, such as Internal Audit, performed the testing.

It should be noted that Internal Audit often combines SOX testing with its normal audits, which include the evaluation of systems that are not in-scope for SOX. Since many organizations did not have the resources to implement and maintain the same level of controls for systems not in-scope for SOX, additional audit issues would be raised. Another concern with Internal Audit performing SOX testing is the frequency of the testing. Most organizations require two separate test periods to allow for additional testing of failed tests and for “roll forward” testing. This may not be possible if the Internal Audit staff needs to travel to perform the SOX testing.

Decision #5: Handling Audit Issues as SOX Reportable Items

Reportable items typically consist of controls which are missing or which were proven not to be effective by SOX testing. The source of these control requirements is the Risk & Control Matrix established by each organization.

One of the critical decisions for an organization is whether to include audit issues as SOX reportable items. If an audit issue relates to an in-scope SOX process, it is included as a SOX reportable item. However, if an audit issue does not relate to a control or a risk contained within the organization’s Risk & Control Matrix, the organization should not categorize it as a SOX reportable item.

Mitchell Levine is the founder of Audit Serve, Inc. Audit Serve performs PCI Assessment and Remediation Project Management consulting services. Audit Serve also conducts Integrated & IT Audits and SOX Control Design & Testing. Email Mr. Levine at if you would like to discuss your organization's specific project requirements in order to establish a proposal of services.


Copyright 2008, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.

