SOX Initiatives to Reduce the Overall Project Scope
By: Mitchell H. Levine, CISA - Audit Serve, Inc.


Most organizations have not effectively utilized the ammunition provided by Auditing Standard 5 (AS5) to significantly reduce the scope of ITGC (IT General Controls) testing. AS5 specifically states that the top-down, risk-based approach to identifying the controls to be tested may include testing entity level controls without having to test their associated activity/process level controls.

This requires an organization to define the entity level controls that cover each activity/process level control.

As stated in AS5, this top-down approach should also consider the likelihood that a control which is not effective could lead to a material misstatement of the financial statements that is not disclosed. In such a case, the activity/process level ITGC control would still need to be tested even if there is an entity level control which has proven effective.

The ITGC activity/process level controls that could lead to material misstatements which are not disclosed are limited to a few possible scenarios. One such scenario is granting individuals direct update access to data outside the control of the application, since it would not be possible to turn on the required level of audit trail at the database level to disclose changes to the financial statements.

Alternatively, if there is no associated entity level control for an activity/process level control, that activity/process level control could be removed from testing because it would not lead to a material misstatement of the financial statements. This is the ammunition that organizations have used in the past to distinguish between their key and non-key controls.

Organizations should establish a cross-reference table of all activity/process level controls, tying each to the specific entity level controls that cover it.

Example #1:

Activity/Process control: All software elevations are tested prior to deployment to production

Entity Level control: A workflow management system is deployed for all software changes

Example #2:

Activity/Process control: An effective test process is used for all software deployments to production

Entity Level control: A software development methodology is used and deployed across all organization units

Documenting the rationale for removing controls from testing is critical. With AS5 removing the external auditors' review of management's assessment of controls over financial reporting, the external auditor needs to be solicited for their concurrence on the controls which will be eliminated from testing under the top-down, risk-based approach deployed. Otherwise, these controls may still be included in the external auditor's testing even though they are not covered by management's testing.

Subscribe to the Audit Vision email newsletter to receive the next SOX article entitled "SOX Re-Engineering: Establishing and Testing Entity-Level Controls"


Mitchell Levine is the founder of Audit Serve, Inc. whose primary mission in 2008 has been to provide SOX scope reduction consulting services. Audit Serve conducts Integrated & IT Audits, SOX Control Design & Testing. Email Mr. Levine at if you would like to discuss your organization's specific project requirements in order to establish a proposal of services.

Copyright 2008, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.

