How Auditing Standard 5 Impacts the SOX 404 Project
(Part 1 of 3)
By: Mitchell H. Levine, CISA - Audit Serve, Inc.


In 2008, most companies are starting their fifth year of complying with the Sarbanes-Oxley (SOX) Act and the industry standard for compliance has been evolving towards more cost effective measures. During the past two years, companies have implemented various measures which reduced the overall size of their SOX 404 projects. These project reduction approaches included:

  • Reassessment of controls which segregated key versus non-key controls
  • Automating the test data collection and execution processes
  • Documenting test procedures which allowed for less experienced personnel to be used for SOX testing reducing the need to hire experienced external SOX consultants

On May 24, 2007, The Public Company Accounting Oversight Board (PCAOB) adopted Auditing Standard No. 5 (AS 5) which replaced its previous internal control auditing standard, Auditing Standard No. 2. AS 5 is intended to take the final steps to integrate Internal Control over Financial Reporting with Audit of Financial Statements. Most importantly, PCAOB has attempted to reduce the overall effort required to comply with Section 404. However, most components of AS 5 still requires interpretation and are subjective in regards to its deployment. This point is further compounded by the fact there is no consistency between accounting firms, no consistency between accounting firm partners and no consistency between accounting firm senior managers.

This three-part article will discuss the various changes made within AS 5 and how it potentially impacts an organization’s SOX 404 project.

The following is a summary of the changes included within AS 5 which will be analyzed individually throughout this three-part article.

  • Focus the Internal Control Audit on the most important matters and tailor audits to fit the size and complexity of the company
  • Emphasis on fraud controls
  • Emphasize importance of the Risk Assessment which includes a top-down risk based approach
  • Revised definitions which changes the evaluation and communication of deficiencies
  • Removed requirement for external auditors to evaluate management’s process

This article will be continued in the next issue of Audit Vision.

Mitchell Levine is the founder of Audit Serve, Inc. Audit Serve performs PCI Assessment and Remediation Project Management consulting services. Audit Serve also conducts Integrated & IT Audits, SOX Control Design & Testing. Email Mr. Levine at if you would like to discuss your organization's specific project requirements in order to establish a proposal of services.


Copyright 2008, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.


AuditNet - The Global Resource for Auditors

Audit Vision

Since 1991
Join 3,500 other subscribers



Free Audit Serve Seminars Posted Online

25 minute extract from the seminar entitled "Alternate Control Design Approaches for z/OS" presented by Mitch Levine in London (at the Churchill War Rooms) March, 2018 which would be of interest to IT Audit, Security and GRC personnel

General Data Protection Regulation Seminar

Copyright © 2015. All Rights Reserved.