What is the sound of one hand clapping? Questions like drive a lot of people nuts because the answer is, there is no answer. In much the same way, I sense a great deal of frustration in IT about the Sarbanes-Oxley Act of 2002 (SOX).
The good news is things are clearer now that the Public Accounting Oversight Board (PCAOB), a private-sector, non-profit corporation created by SOX to oversee the auditors of public companies, has released its standard and the audit firms are finalizing what they want to see.
Also, the IT Governance Institute (ITGI) is planning to release its final document on the control objectives for Sarbanes-Oxley in the next several weeks. This absolutely is a key document for you to understand and share with your team. Be sure to monitor http://www.itgi.com for its release.
The bad news is many people are still scrambling for answers with little time left and are asking third parties what to do about section 404 compliance. While section 404 compliance deadlines (depending on what type of “filer” you’re company is) have been extended from June 15, 2004 and April 15, 2005 to November 15, 2004 and July 15, 2005 respectively, they are rapidly approaching.
To meet the requirements, the guidance being given to auditors is “If it is not in writing, then it does not exist.” No longer can auditors rely on verbal attestations. They must see everything in writing to prove management is following a process to put controls in place, has records to show those controls are being followed and the controls are working.
(Note: There is such a thing as too much documentation. Over documentation can cause everything to grind to a halt. Still, you must document processes, meetings and so on so an external party can conclude the salient steps have been identified and are being followed.)
First off, the scope of attention for section 404 is such that organizations must focus on material risk regarding financial reporting. Nobody can tell you what is important (materially) to your organization and this is one of the reasons people have not written “How to comply with Sarbanes-Oxley Section 404 in 20 easy steps.”
For example, $10,000 may be material in one organization but very immaterial in another. Hence, IT must work with accounting to identify the key general ledger accounts that are significant to the organization and pose the greatest risks if compromised.
Next, the compliance team, comprised of IT, accounting and other stakeholders must focus on identifying systems core to the business processes and those that feed key accounts. The teams must be sure to document the decision making used to identify key accounts including the processes and systems that feed those accounts. Documentation is mandatory and the need for it can not be stressed enough.