SOX Re-Engineering: Establishing and Testing Entity-Level Controls

By: Mitchell H. Levine, CISA - Audit Serve, Inc.

2008 has been the year in which organizations have initiated projects using the guidance provided by AS5 to reduce the scope of their SOX testing, based on replacing activity-level controls with linked entity-level controls.

Organizations which have never established entity-level controls are hesitant to replace activity-level controls because the entity-level controls have not been tested in prior years. Since the entity-level controls need to be proven effective before they can replace linked activity-level controls, consideration should be given to running the entity- and activity-level controls in parallel during the first year.


Prior to an organization proceeding down the path of eliminating the testing of activity-level controls based on establishing and testing linked entity-level controls, a negotiation needs to occur with the external auditors to ensure that they agree with the established link between the entity- and activity-level controls and with the method by which the entity-level controls will be tested. Although AS5 removed the requirement for external auditors to express an opinion on management's SOX control design and testing, the two projects are linked because the external auditors in almost all cases rely partially on management's testing to reduce the scope of their own testing.

When establishing test plans for entity-level controls, strong consideration should be given to designing tests that examine the administrative processes by which the control is carried out, rather than tests that look for isolated instances in which a control or event tied to an entity-level control did not occur. For instance, the entity-level control ensuring that Data Owners are defined for all sensitive resources should have a test which verifies that (1) a data classification standard exists which identifies sensitive resources, and (2) a corporate-wide tracking list is maintained which identifies sensitive resources and their respective data owners. The entity-level testing approach which should not be taken would be to randomly select a sensitive resource and determine whether it is included on the tracking list.

Although AS5 provided a basis for eliminating the need to test activity-level controls where the absence of those controls would not result in a material misstatement going unprevented or undetected, organizations have been reluctant to use this guidance from the PCAOB as the basis for eliminating those activity-level controls.

The re-engineering project to reduce the testing of activity-level controls based on AS5 requires a document to be established which provides the rationale supporting all scope-reduction measures taken. In addition, the activity-level controls which are eliminated from testing should be retained in a control inventory and reviewed in subsequent years to ensure that the link to the entity-level controls remains valid. Refer to Audit Serve's partial list of recommended entity-level controls.

It is also important to test the entity-level controls as early in the fiscal year as possible, to allow time for re-testing and possible control design remediation should the test fail. As an alternative, if an entity-level test fails, testing would need to be scheduled for the linked activity-level controls which originally were not slated to be tested.

Mitchell Levine is the founder of Audit Serve, Inc., whose primary mission in 2008 has been to provide SOX scope reduction consulting services. Audit Serve conducts Integrated & IT Audits and SOX Control Design & Testing. Email Mr. Levine at if you would like to discuss your organization's specific project requirements in order to establish a proposal of services.


Copyright 2008, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.
