Tuesday, December 31, 2013

How to move a company to SOX Compliance?

In this topic, I'll be sharing some basic requirements a company should consider when going for SOX compliance.

Please share in case you have other tips to add.

Step 1: Embedding compliance firmly in ongoing operations will require:

• an organizational structure with clear accountability,
• an efficient operating structure, and
• an enabling technology structure

Step 2: First-year Section 404 compliance is all about project management, with companies organizing teams to:

• Identify significant business units, financial statement accounts and related processes
• Update or create process-flow documentation
• Assess risks related to financial reporting and identify control activities in place to address those risks
• Validate processes and controls via walkthroughs or other means
• Develop and execute test plans
• Evaluate test results and remediate design and/or operating control deficiencies where necessary

Step 3: A typical company that has accomplished this successfully will now have:

• basic documentation in place,
• key controls identified,
• test plans developed, and
• most importantly, a list of control issues that need remediation.

Step 4: Establish a mechanism that both confirms the evaluation of DC&P (Disclosure Controls & Procedures) on a quarterly basis to support the Section 302 certification, and provides for the periodic testing of controls over financial reporting for the annual Section 404 assertion. (Under Section 404, management demonstrates through testing that internal control over financial reporting operates effectively as of year-end. Under Section 302, management certifies that it has evaluated its DC&P as of quarter-end; Section 302 also requires management to report material changes to its internal control over financial reporting.) Given the level of regulatory oversight, this is a decision that should not be taken lightly. The alternatives are:

• Although testing is not specifically prescribed by Section 302, one option is to execute test plans throughout the year, allowing for timely recognition of control issues, remediation and retesting where needed, and for updating the control evaluation at year-end. Through testing, management gains comfort with regard to quarterly reporting while at the same time accomplishing the work required for the year-end assertion.
• Perform tests quarterly for higher-risk processes and controls, supplemented by self-assessments for other processes.
• A third possibility is to rely solely on a self-assessment process for quarterly reporting, with no reliance on testing for the evaluation of DC&P.

Complicating the choice among these alternatives are the nature and frequency of the control activities performed, which can dictate the timing and extent of testing. The choice depends on management's comfort with each alternative. Fundamentally, the chosen approach must enable the identification of material changes in internal control over financial reporting and provide reasonable assurance that controls over financial reporting are effective at quarter-end, as well as at the end of each fiscal

Step 5: Several elements must be considered in developing a compliance process that is responsible, cost-efficient and effective. They fall into three major categories:

• An accountability structure that ensures the appropriate level of oversight and process ownership and drives the right attitude throughout the business.
• An operating structure that facilitates cost-effective and streamlined processes for executing Sarbanes-Oxley requirements.
• A technology support structure that supports the efficiency and effectiveness of compliance processes.

Step 6: Accountability Structure


The accountability structure needs to:
• Define ownership of the design and operation of controls within the organization.
• Create the appropriate tone at the top to reinforce delegation without allowing abdication.
• Define appropriate organizational roles and responsibilities.
• Communicate what people are supposed to do, and
• Reinforce accountability to ensure that they do it.

Why Are We Here? (The Internal Audit Department's Mission)

Before we can develop an effective internal audit department, we must first come to an understanding of the department's purpose. Why does the internal audit department exist? What's the end goal?


Is our purpose to issue reports? To raise issues? To make people look bad? To show how smart we are and how dishonest, incompetent, and corrupt the rest of the company is? To flex our muscles and show that we can do anything and tell on anyone because we report to the board of directors? Hopefully, it's obvious that none of these are the right answer. Sadly, though, you will find that many (perhaps most) internal audit departments function as if one or more of these items are the answer. Many audit departments spend their existence in adversarial relationships with the rest of the company, keeping themselves comfortably removed from and "independent" of everyone else. Unfortunately, such departments are missing the point and failing to realize the potential benefits that they could be providing to their companies.

Most audit departments were formed by the company's audit committee (a subset of the board of directors) for the purpose of providing them with independent assurance that internal controls are in place and functioning effectively. In other words, the audit committee wants a group that it can trust to be objective enough to tell it if there is anything the committee should be worried about. The committee wants to have someone it can trust to tell it what's "really going on" in the company. The committee wants someone it can trust to turn in all the evildoers in the company who refuse to implement internal controls. Internal audit departments usually report directly to the chairman of the audit committee, so they feel protected from blowing the whistle on the hordes of dishonest managers who surely have infested the company.

We cannot lose sight of this very important function. Despite the levity in the preceding paragraph, it is absolutely essential that the audit committee have eyes and ears within the company that can tell it what, if anything, it needs to be worried about. This is critical for the committee's ability to function and serve the company's shareholders. It also should be noted that most companies' audit departments dual-report to an executive within the company, such as the chief executive officer (CEO) or the chief financial officer (CFO). We'll discuss later some implications of this reporting relationship, but for now, let's agree that this indicates that senior management is interested in the state of the company's internal controls, just like the audit committee. Therefore, I think we can comfortably establish that one of the internal audit department's key functions is to provide an objective body that the audit committee and senior management can go to in order to find out if there's anything bad going on in the company from an internal control perspective. From an IT perspective, this means that the audit committee and senior management want to be able to ask such questions as, "Are our firewalls really secure?" and "Is our plan to collaborate and share networks with our biggest rival going to expose us to any security concerns?" and believe that they will get an honest answer.

Therefore, can we say that the function of the internal audit department is to report internal control issues to the audit committee and senior management (or provide them with assurance that there are no issues)? The answer is, "Sort of." This is certainly an important role for the audit department to play. However, if we stop there, we are not getting the whole picture. We haven't totally missed the boat; it's more like we showed up as the boat was pulling away from the dock, jumped to catch it, and currently are hanging from the outside railing, holding on for dear life.

But why are we really here? What's the value of reporting issues? Merely reporting issues accomplishes nothing, except to make people look bad, get them fired, and create additional hatred of auditors. The real value comes when issues are addressed and problems are solved. In other words, reporting the issues is a means to an end. In this context, the end is to improve the state of internal controls at the company. Reporting them provides a mechanism by which the issues are brought to light and therefore receive the resources and attention needed to fix them. If I tell senior management that I discovered a hole in the wall of our most important data center, it may help in my goal of making myself look good at the expense of others, but the hole is still there, meaning that the company is still at risk. It's only when the hole is patched that I've actually done something that adds value to the company (and that's only if the company wasn't already aware of and planning to fix the hole prior to my audit).

Therefore, the real mission of the internal audit department is to help improve the state of internal controls at the company. Admittedly, this is accomplished by performing audits and reporting the results, but we must remember that these acts provide no value in and of themselves. They only provide value when the internal control issues are resolved. This is an important distinction to remember as we develop our approach to auditing and, most important, to dealing with the people who are the "targets" of our audits.

Note The internal audit department's goal should be to promote internal controls and to help the company develop cost-effective solutions for addressing issues.

In summary, the internal audit department's mission is twofold:
To provide independent assurance to the audit committee (and senior management) that internal controls are in place at the company and are functioning effectively.
To improve the state of internal controls at the company by promoting internal controls and by helping the company to identify control weaknesses and develop cost-effective solutions for addressing those weaknesses.

User Access Non-Compliance is Material Weakness

Given that 60% of CFOs lost their jobs within 3 months of reporting a material weakness, what controls do you have in place? Are they effective?
Q: Was this a one-time deficiency, or was this the result of repeated audits identifying the same deficiency, thus raising it to the level of material weakness?

Most of these are first-time deficiencies and noted as "New Issues" according to the auditor's report (see Blog.Veriphyr.com for the report link).

For example, terminated users who continued to have access rights to applications is discussed on p. 23 and it is specifically noted as a "New Issue" and not a "Repeat Issue".
At least one was identified as a "New Issue" but the weakness had been going on for several years. For instance, on page 37 it is reported that on one application "recertification of accounts was conducted when the application was acquired and brought online at FEMA in FY 2007 and has not been conducted since."
It appears that it was the number and severity of the deficiencies that led them to be "considered a material weakness in IT controls and financial system functionality."
If you have more questions or need more details, let me know.
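The two findings quoted above (terminated users still holding application access, and accounts never recertified since go-live) are exactly the kind of control that can be checked mechanically. The following is an added example, not code from the original post or from the report it cites: it reconciles a constructed HR roster against a constructed application account export and flags terminated-but-active accounts, accounts with no named owner, and accounts whose last recertification is older than the review interval. The data, the field names and the 365-day recertification interval are assumptions for illustration.

```python
"""Added example: user-access reconciliation for a SOX control review.
The roster, the account export and the review interval are constructed."""
from datetime import date, timedelta

# Constructed HR roster: employee id -> termination date (None = still employed).
HR_ROSTER = {
    "e1001": None,
    "e1002": date(2013, 9, 30),
    "e1003": None,
    "e1004": date(2012, 2, 15),
}

# Constructed application account export: one row per account.
APP_ACCOUNTS = [
    {"account": "jdoe",      "employee_id": "e1001", "status": "active",   "last_recertified": date(2013, 6, 1)},
    {"account": "asmith",    "employee_id": "e1002", "status": "active",   "last_recertified": date(2013, 6, 1)},
    {"account": "bchen",     "employee_id": "e1003", "status": "active",   "last_recertified": date(2007, 10, 1)},
    {"account": "rjones",    "employee_id": "e1004", "status": "disabled", "last_recertified": date(2011, 6, 1)},
    {"account": "svc_batch", "employee_id": None,    "status": "active",   "last_recertified": None},
]


def terminated_with_access(roster, accounts, as_of):
    """Active accounts whose owner HR shows as terminated on or before as_of.
    Returns (account, termination_date, days_since_termination) tuples."""
    findings = []
    for acct in accounts:
        term = roster.get(acct["employee_id"])
        if acct["status"] == "active" and term is not None and term <= as_of:
            findings.append((acct["account"], term, (as_of - term).days))
    return findings


def orphaned_accounts(roster, accounts):
    """Active accounts with no owner in the HR roster (service or unknown
    accounts); each needs a named business owner before it can be recertified."""
    return [a["account"] for a in accounts
            if a["status"] == "active" and a["employee_id"] not in roster]


def stale_recertification(accounts, as_of, max_age_days=365):
    """Active accounts never recertified, or not recertified within max_age_days."""
    cutoff = as_of - timedelta(days=max_age_days)
    findings = []
    for acct in accounts:
        if acct["status"] != "active":
            continue
        last = acct["last_recertified"]
        if last is None or last < cutoff:
            findings.append((acct["account"], last))
    return findings


def run_review(roster=HR_ROSTER, accounts=APP_ACCOUNTS, as_of=date(2013, 12, 31)):
    """Run all three checks as of the review date and return the findings by category."""
    return {
        "terminated_with_access": terminated_with_access(roster, accounts, as_of),
        "orphaned": orphaned_accounts(roster, accounts),
        "stale_recertification": stale_recertification(accounts, as_of),
    }


if __name__ == "__main__":
    for category, items in run_review().items():
        print(category)
        for item in items:
            print("  ", item)
```

Disabled accounts are deliberately excluded from the terminated-user check, since the control objective is that access is removed, not that the record is deleted; the days-since-termination figure is what an auditor uses to judge whether the deprovisioning control operated within its defined window.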

Key Traits of a Successful IT Auditor

As you begin your search to build out your audit team, here are some of the key traits of a successful IT auditor:

Ability to dig into technical details without getting lost in those details.

Analytical skills. It is critical for the auditor not only to understand technologies but also to be able to use that knowledge to uncover risk to the business and apply judgment regarding degrees of risk. This often is not a black-and-white job; you need people who can really think through a process or technology and frame up the risk to the company.

Communication skills (both written and oral). This is a huge emphasis for this job. An auditor must be able to help all levels (from the most detailed technical person to the highest level of management) understand exactly why he or she has a concern with something. This means that he or she must be able to lay it out logically in layperson's terms for management but also explain all the technical details of his or her concern to the people who work in the area day to day.

The ability to quickly learn the key concepts of new technologies and identify key risk points within those technologies.

Willingness not to be touching a specific technology daily. It's important for people to understand that while there is a lot of hands-on work when performing audit analyses, they won't be acting as the administrator of a production Unix box, managing routers, etc.

Reducing risks on big projects

Big projects (> 1 million) have too many unknowns. The secret to managing big projects is to be proactive about knowing what your unknowns are and planning enough room to manage them. This is the biggest challenge.


Passive management on big projects is a guaranteed recipe for failure.

In the internet startup business this philosophy doesn't have many followers. The idea there is to let the business grow organically and manage the project based on demand. Twitter is a good example: a concept grew organically and very fast, and the team behind it had to scale the systems to meet that demand.


A Canadian company, http://localads.org, is planning to do the same thing by organically growing a unique concept and taking on the classifieds industry.


How far the concept will be accepted remains to be seen.

Scope Of An Audit

What does it mean?

The term “scope of an audit” refers to the audit procedures that, in the auditor’s judgment and based on the ISAs, are deemed appropriate in the circumstances to achieve the objective of the audit.


- Audit opinion
- Reasonable assurance
- Sufficient appropriate audit evidence
- Audit procedures (based on ISAs)

Audit-Evidence:


It is obtained by applying the necessary audit procedures. Audit procedures should be based on the requirements of the ISAs, relevant professional bodies, legislation, regulations, and the terms of the audit engagement and reporting requirements.
Auditing is concerned with the verification of accounting data and with determining the accuracy and reliability of accounting statements and reports. Verification does not mean seeking proof or absolute certainty in connection with the data and reports being audited. It means looking for evidence that is sufficient, where sufficiency depends on what experience and knowledge of contemporary auditing standards tells one is satisfactory.

An auditor obtains audit evidence regarding management's assertions in the following areas:
a. Existence: an asset or liability exists at the balance sheet date. This is an obvious assertion for such items as land and buildings, stocks and others.
b. Rights and obligations: an asset or liability pertains to the entity at the balance sheet date. This means that the enterprise has, for example, ownership of an asset. Ownership as an idea is not simple, and there may be all sorts of rights and obligations connected with a given asset or liability.
c. Occurrence: a transaction or event took place which pertains to the enterprise during the relevant period. It may be possible for false transactions (e.g. sales or purchases) to be recorded. The assertion is that all recorded transactions actually took place.
d. Completeness: there are no unrecorded assets, liabilities, transactions or events, and no undisclosed items. This is important for all account items but is especially important for liabilities.
e. Valuation: an asset or liability is recorded at an appropriate carrying value. "Appropriate" may mean in accordance with generally accepted accounting principles, the Companies Act rules and Accounting Standards requirements, and consistent with stated accounting policies consistently applied.
f. Measurement: a transaction or event is recorded at the proper amount, and revenue or expense is allocated to the proper period.
g. Presentation and disclosure: an item is disclosed, classified and described in accordance with the applicable reporting framework. For example, fixed assets are subject to the Companies Ordinance rules and to IAS 16.
An example:
We will look at an item in a balance sheet: bank overdraft, Rs. 10,250. In reporting this item in the balance sheet, the directors are making these assertions:
a. That there is a liability to the company's bankers.
b. That at the balance sheet date this liability was Rs. 10,250.
c. That this amount is agreed by the bank.
d. That the overdraft was repayable on demand. If this were not so, it would not appear among the current liabilities, and the terms would be stated.
e. That the overdraft was not secured. If it were secured, this fact would need to be stated.
f. That the company has the authority to borrow under its Memorandum and Articles.
g. That a bank reconciliation statement can be prepared.
h. That the bank is willing to let the overdraft continue.


If no item ‘bank overdraft’ appeared in the balance sheet, it would represent an assertion by the directors that no overdraft liability existed at the balance sheet date.

System Risk Management

The main goal of IT risk assessment is to ensure the normal and uninterrupted processing of your business. This involves the normal operation of your application systems, operating systems, network equipment, databases, etc. That is why the IT risk assessment process should be incorporated into every IT process. For example, let's look at the change management process. When you plan to make any change to your IT infrastructure, you should ensure that the change will not negatively impact normal operation, so that your business continues to operate and generate money for you. The best way to achieve this is to perform a preliminary IT risk assessment for each change to the IT infrastructure (application system changes, database changes, network changes, operating system changes).

When performing an IT risk assessment you should consider the following questions:

· How will this change affect existing operations?
· Will we need to disrupt our operations? If so, for how long? What would be the cost of the disruption?
· Which organizational units will be affected?
· How much will this change cost the business?
· How will this change affect the existing hardware?
· How will this change affect the existing software?
· What actions must be accomplished to ensure normal operations after the change is implemented?
· Do we have a complete set of backup data for each affected system?
· Can we restore the previous state of the affected systems in case of failure during change implementation?
All of these questions must have appropriate answers while performing an IT risk assessment.
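The last two questions are the ones most often answered "yes" on paper and "no" in practice, because a backup that has never been restored is an assumption, not a control. The following is an added example, not code from the original post: before a change it snapshots the configuration tree of an affected system, then proves the snapshot can be restored by extracting it into a scratch directory and comparing per-file SHA-256 hashes, and afterwards detects that the change actually altered the tree. The directory layout, file names and contents are constructed for the demonstration; in use, point `rollback_readiness_check` at the real configuration directory.

```python
"""Added example: pre-change snapshot with a verified restore (rollback readiness).
Paths and file contents are constructed; nothing here is the original post's code."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def tree_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 so two trees can be compared."""
    root = Path(root)
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            result[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return result


def snapshot(src_dir, archive_path):
    """Write a compressed tar of src_dir and return the hash manifest taken at snapshot time."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(str(src_dir), arcname=".")
    return tree_hashes(src_dir)


def verify_restore(archive_path, expected):
    """Restore the archive into a scratch directory and check every file against the manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            # On Python 3.12+ pass filter="data" to refuse absolute paths and links.
            tar.extractall(scratch)
        return tree_hashes(scratch) == expected


def rollback_readiness_check(src_dir, archive_path):
    """True only if the snapshot was written and restores byte-for-byte."""
    manifest = snapshot(src_dir, archive_path)
    return verify_restore(archive_path, manifest)


def demo():
    """Build a constructed config tree, prove rollback is possible, then apply a change
    and show the post-change drift against the pre-change manifest."""
    with tempfile.TemporaryDirectory() as work:
        cfg = Path(work) / "etc_app"
        (cfg / "conf.d").mkdir(parents=True)
        (cfg / "app.conf").write_text("listen=0.0.0.0:8443\n")
        (cfg / "conf.d" / "tls.conf").write_text("min_version=TLS1.2\n")
        archive = Path(work) / "pre-change.tgz"

        ready = rollback_readiness_check(cfg, archive)   # must be True before proceeding

        manifest_before = tree_hashes(cfg)
        (cfg / "app.conf").write_text("listen=0.0.0.0:443\n")  # the "change"
        drifted = tree_hashes(cfg) != manifest_before     # evidence the change took effect
        return ready, drifted


if __name__ == "__main__":
    ready, drifted = demo()
    print("rollback ready:", ready, "| change detected:", drifted)
```

The manifest returned by `snapshot` is the artifact to attach to the change record: it documents the pre-change state, and re-running `tree_hashes` after a failed rollback tells you exactly which files still differ.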
Now let's look at another very important part of our IT processes: the Business Continuity strategy. While creating this strategy you must complete a process called Business Impact Analysis, which identifies all the processes and systems that should be included in the continuity strategy. It is also good practice to complete an IT risk assessment at this stage. In doing so, you need to consider the impact of your current IT systems on the continuity strategy and the impact of the continuity strategy on your IT systems. Such an IT risk assessment can help identify potential vulnerabilities in the processes which could be exploited in future and defeat the continuity of operations.

My personal belief is that today's organizations should always remember the significant impact of modern IT infrastructure on their day-to-day business activities, and should perform a comprehensive IT risk assessment before considering any changes to existing IT processes and infrastructure.

Your risk assessment procedures must always be formal, and you should retain your IT risk assessment reports for future reference and the resolution of possible questions.