SarbanesOxleyFocus.com

April 3, 2008

How long does SOX design control take?

Filed under: article, design, implementation. Posted by admin at 9:49 am

The first question my clients ask after a brainstorming or preliminary meeting about Sarbanes-Oxley compliance is: how long? SOX affects almost every significant application and department involved in financial reporting, and because SOX implementation is still quite new, this question is always on their minds.

Based on common practice, SOX design control should take around 2-3 months. SOX controls are tested once a year, sometimes with an interim test in the middle of the year. So within those 2-3 months, every SOX consultant must prepare the report and testing strategy for the company.

The design of the Risk Control Matrices (RCM) is the most important part of SOX compliance consulting. This basic process becomes the guide for which areas of the business process should be the first priority and how they affect other departments.


Seven signs for successful SOX implementation

Filed under: article, implementation. Posted by admin at 9:46 am

Since the Sarbanes-Oxley Act was first enacted, there have been many stories about SOX implementation in every company, sharing both the happy and the sad parts of implementing what are called Risk Control Matrices, IT General Controls, and Application Controls. Here are the signs of a successful SOX implementation.

1. The number of implemented controls is increasing
The number of controls already implemented is one of the keys to a successful SOX implementation. During the first year of SOX compliance, most companies are not able to implement all the controls that were designed.

2. Everybody is happy with the compliance program
Most people resist new things, and SOX compliance is one of the new things people find difficult to accept. A successful SOX compliance program should make everybody happy with the policies and procedures the company has adopted. Failure to deal with people issues is a time bomb for bigger problems tomorrow.

3. The Risk Control Matrices are already mature
Risk Control Matrices (RCM) keep changing with business trends and climate, and the company must of course update the RCM to keep up with business changes. However, the basic controls should not change and should already be mature.


April 2, 2008

Six questions related to SOX section 404 implementation

Filed under: article, implementation. Posted by admin at 8:39 pm

Confused about implementing the IT section of SOX? Here are six questions that every SOX auditor should answer.

1. Has the organization established an IT-specific internal control framework to guide its section 404 compliance activities with respect to IT?

An IT-specific internal control framework provides vital structure to an organization’s effort to develop and maintain effective internal control in its IT environment. Failure to identify such a framework may indicate that the organization has failed to examine IT controls as systematically or as deeply as required to support section 404 compliance. One possible IT-specific control framework to build upon is the CobiT framework, described by the IT Governance Institute in its 2000 publication, “Control Objectives for Information and Related Technology.” While the full CobiT framework goes far beyond section 404 compliance requirements, companies seeking guidance regarding IT controls would be well advised to customize the applicable portions of CobiT for their own particular section 404 compliance needs.

2. Is the IT environment highly customized?
Custom-built applications and platforms are fertile ground for internal control issues for two reasons. One, the original technology vendor may not be able or willing to provide technical support once its product has been significantly modified. And two, no matter how competent a company's IT personnel or service providers are, there is always a much higher risk of errors in new, untried software than in standardized, widely used, and well-tested software.

3. Does the IT department have a high turnover rate?
Technology specialists, as a group, tend to gravitate toward best-of-breed, sophisticated, cutting-edge IT environments. A high turnover rate among IT professionals may indicate their dissatisfaction with dated, refractory technology whose unreliability could compromise internal control effectiveness.

4. Is there a large backlog of outstanding program maintenance requests?
If your IT professionals, though competent, are having trouble keeping up with program maintenance requests, chances are that the systems are overly complex and tedious to work with, casting doubt on their reliability with regard to internal control.


I don't understand why implementing SOX is so difficult

Filed under: article, implementation. Posted by admin at 4:56 am

Taken from a discussion in "5 reasons why implementing the Sarbanes-Oxley Act is very, very difficult". I quite agree with the explanation. Do you have any other suggestions?

For the last two years, I have been working with Sarbanes-Oxley section 404, especially on IT general controls. I have been working both on designing Risk Control Matrices (RCM) and on performing testing of the controls. And after hundreds of hours of discussion with auditees, hundreds of days of never-ending meetings and document checking, I have concluded that implementing SOX is very, very difficult and sometimes not effective. Here are the reasons:

1. Statements open to multiple interpretations
IT Auditee: "Your significance level is different from mine"
SOX Auditor: "My interpretation of this matter is more specific than yours"
IT Auditee: "I understand, but here, this process cannot be performed"

