Corporate Compliance of Sarbanes Oxley Act (Section 404)
Page 1 of 24
Sarbanes Oxley Compliance
Table of Contents
Purpose of this document (p. 3)
Overview of Sarbanes Oxley Act (p. 4)
Concepts of Internal Controls (p. 5)
Section 404 of SOX (p. 7)
COSO framework of Internal Control (p. 9)
Three Pillars of SOX Implementation (p. 11)
Standard SOX Implementation methodology (p. 11)
Design of Controls (p. 12)
Assessment of design effectiveness (p. 17)
Testing of operational effectiveness (p. 18)
Remediation (p. 19)
Appendix - Application Controls (p. 20)
Purpose of this document

This document explains how to comply with the Sarbanes Oxley Act (SOX) 2002 from an Internal Control perspective. It provides a detailed introduction to internal controls, the SOX requirements of the controls life cycle, and the approach to comply with internal control requirements. The document addresses three key aspects: Concepts, What to do, and How to do in order to meet SOX compliance requirements. This document also explains the Year 1 and Year 2 issues of SOX. It provides practical aspects of SOX compliance and would help organizations to comply with SOX and yield a better cost benefit ratio.
Overview of Sarbanes Oxley Act

What is SOX?

The Sarbanes Oxley Act is US legislation passed in 2002 with the intention of protecting investors' interests in US corporates. This legislation was promoted and supported by US Senator Paul Sarbanes and US Representative Michael Oxley, hence it is called the Sarbanes Oxley Act or SOX. The focus of this act is to ensure that the financial reporting of the corporate is accurate and hence shareholders will have confidence in the company. Therefore, the internal controls over financial reporting are given emphasis in the Act, especially under Section 404. Sarbanes-Oxley (SOX) only applies to companies having market capitalization above a particular threshold, i.e. a market capitalisation of 75 million US Dollars. The law also covers companies that are headquartered in other countries but have market capitalization in the US as well, i.e. companies that have US based shareholders.

What needs to be done for SOX?

As mentioned, the primary intent of SOX is to have adequate internal controls over financial reporting, apart from other requirements of the Act. Therefore, internal controls related to financial reporting should be identified, documented, assessed for risk, and remediated. The processes should be documented, the risks involved in those processes should be identified, and corresponding procedures for mitigating the risks should be identified. These controls should also be tested to ensure that they are operating effectively. Any deficiencies, like non-existence of such procedures or procedures not being followed properly, shall be identified and remedied (fixed).

Role of Information Technology (IT) in SOX

Nowadays, IT is the backbone of most organizations in the world. As most of the processes use IT in one way or the other, it is important to ensure that the IT processes and procedures used are in order so that financial reporting is done properly. The approach for IT is similar to the standard approach given in the previous item: the processes should be documented, assessed and tested. This may generally include:

1. Information Security Policies, Procedures and Controls
2. SDLC (System Development Lifecycle) Processes and Controls
3. Operational related processes like Production Change Management, Production Transition and Incident Management
4. Other relevant processes related to Vendor Management, Physical Security, Continuity planning etc.
Concepts of Internal Control

What is Internal Control?

Internal Control is nothing but the process or activities in place to mitigate risks. There can be several different types of financial transaction happening, such as payroll process, procurement, asset management, accounting, etc. These numbers could be large or small but they should be accurate. The financial figures must be correctly obtained, entered, calculated, shared and reported. Internal controls can be classified into Business and IT controls. Business Controls can further be classified into Process Controls and Application Controls. IT controls are also called General Computer Controls.

Classification of Internal Controls:

- Business Controls
  - Process Controls: Process documentation; Process flow charting; Risks and Control Matrix; Test of Design; Test of Operating Effectiveness; Remediation
  - Application Controls: Process documentation; Application flow charting; Identification of key application controls; Preparation of Test Plan; Testing and reporting application controls; Remediation
- IT Controls
  - General Computer Controls: IT Policies; System Development; IT Operations; Information Security; IT Continuity; Others

Control Objective is a statement explaining the purpose of the requirements of control. Control Activities are the steps taken for implementing a particular control objective.

Application Control

Consider a business process where the purchase request for a new large computer system for the company is raised. There would most likely be a structured method or process to raise the request, get quotations and approval, make payment, etc. All these are examples of business process controls. When this process is enabled by an application, which is most likely the case in recent times in every organization, the same steps involved are nothing but application controls.

General Computer Controls

Some examples are controls in physical security, environmental security, taking back-ups, and network controls such as Anti-Virus, firewalls, routers, switches, etc. They may not be specific to a business process but are common across business processes. Of course, certain backup programs may be specific to an application or an operating system, but the control type remains General from the SOX perspective. Many other controls would be dependent on General Computer Controls. For example, without proper backup procedures in place, data recovery may not be possible and hence other controls may not be performed.
What is Design of Control?

The manner in which a particular control is expected to perform or function. Design of Control is to be documented. Generally the controls are documented in processes, and also a common control description document should be maintained.

What is Operational effectiveness of internal control?

A control activity is operationally effective if it meets the design objective, i.e. if it works the way it is supposed to work. Adequate knowledge of the control should be with the control operator. Operational effectiveness includes proper creation and maintenance of control evidence and its 'traceability', as appropriate from an audit trail perspective.

What is remediation (action plan)?

Deficiencies such as non-existence, improper design, or improper functioning of a particular internal control need to be remedied (fixed). Taking the necessary steps towards eliminating these deficiencies is called remediation. For example, the remediation steps for design deficiencies include modification of process or procedure, automation of controls etc. Remediation of operational deficiencies will generally include more orientation, training, identifying the right control operators, introducing new job aids, on line help etc.

Section 404 of SOX

Section 404

Section 404 of the Act specifies the requirement of reporting on Internal Controls over financial reporting. As the focus is on Internal Control over financial reporting, as per SOX, it is not required to implement comprehensive internal control within the organization to comply with SOX, though that is desirable for effective management of the organization. Hence, according to this section, companies that require compliance with SOX need to have adequate internal controls over financial reporting.

What is the role of external auditors?

Apart from auditing financial statements, the external auditors shall also audit the internal controls over financial reporting and attest to management's assessment of internal control. They will review the tests conducted by management and also may perform their own tests before attestation.
PCAOB Auditing Standard

The Act established a body called the Public Company Accounting Oversight Board (PCAOB). This body was established to control public accountants (generally CPAs in the USA) who audit the organization for SOX. PCAOB issues various standards regarding SOX compliance. One such standard is "Auditing Standard – 2", entitled "An Audit of Internal Controls in conjunction with an audit of financial statements". This standard provides detailed instructions related to the compliance of the Act by external auditors. It is also quite helpful to organizations, as they would understand the scope and considerations of external auditors when they perform the audit.

Why is documentation important?

SOX requires relevant documentation to support its SOX section 404 report, to enable management, the external auditor and the regulator to understand the level of design and operation of the controls to meet the control objectives. As mentioned, these control objectives are the steps required to mitigate risks to financial reporting. The documentation required to comply with SOX includes:

- End-to-End Business Processes
- Risks within a process
- Controls to mitigate the risks
- Detailed steps (control activities) of the controls, typically in a Control Description document
- Monitoring controls for various internal controls
- Assessment of Design Effectiveness of Controls (called design walkthrough) report
- Remediation Planning and execution
- Testing to validate that Controls are Operating as designed
COSO framework of Internal Control

The Committee of Sponsoring Organizations (COSO) is a body established in 1985 to provide a good framework of internal controls to various organizations. It has developed one of the best frameworks in the world, called the COSO Framework. This framework is simple and effective and has been rolled out across many organizations. It has three categories:

1. Operations
2. Financial Reporting
3. Compliance

From the SOX perspective, the second category (Financial Reporting) is important. There are five elements in the COSO Framework; they are:

1. Control Environment: This sets the tone of the organization and covers the entire organization.
2. Risk Assessment: The risks are to be assessed for their impact on financial reporting, and the controls which mitigate the risk are to be identified.
3. Control Activities: These are the actual controls which mitigate the risk.
4. Information and Communication: Provides a framework for information flow across organizations.
5. Monitoring: To monitor the design and operational effectiveness of the controls.

Courtesy: COSO Framework Document released by COSO Committee
The concept of reasonable assurance

No framework can provide 100% assurance in any organization. So implementing COSO or any other internal controls framework will not, on its own, provide absolute assurance. There are many reasons for this. Some of them are:

- The operational effectiveness of the control may not always be ensured. For example, a control operator fails to operate the control properly, the evidence is not traceable, the operator changes, the control itself changes, or the environment changes and hence the control becomes inadequate, etc.
- The testing of the controls is generally done on a sampling basis (typically SAS 39 guidelines are used for sampling purposes), and there is always a risk that a control operation which was not selected as a sample might not have been operated effectively.
Three Pillars of SOX Implementation

Three Pillars

Design of Controls:
1. Document the Process
2. Prepare Process flowchart
3. Prepare Risks and Controls Matrix
4. Derive Key Risks and Controls
5. Check the existence of controls
6. Evaluate the design of controls
7. Identify deficiencies
8. Remediate

Operating Effectiveness of Controls:
1. Appoint the testing team
2. Make a list of all key controls for a particular process
3. Prepare test plan for each key control
4. Select appropriate samples
5. Select appropriate testing method
6. Execute test plan and prepare test report

Remediation:
1. Remediate the deficiencies
2. Document the remediation
3. Retest them

Standard SOX Implementation methodology

Courtesy: ISACA
Design of Controls

Design effectiveness of Controls (Sl. No, Particulars, How to do):

1. Document the Process: Interview the process owner and collect the necessary information related to the process. Write it down as per the template given, so that it is clearly understandable. Get the description and flowchart approved by the process owner.
2. Prepare Process Flowchart: Prepare the flow chart as per the information gathered under item 1 above.
3. Prepare Risks and Control Matrix: Identify the risks involved in the process and the controls which are needed to mitigate the risks. The question to ask here is "what can go wrong?". Here we identify risks and expected controls.
4. Derive key risks and controls: Short list from the above list only the key risks and controls. Key risks are the ones which have a major impact on the financial statements. Key controls are the ones which mitigate key risks.
5. Check the existence of controls: Perform a process walkthrough.
6. Evaluate the design of controls: Check whether the design of a particular control is adequate to mitigate the identified risks. Please refer to the guidance on "Evaluation of design of Controls" for more information on this.
7. Identify deficiencies: Find the deficiencies during the evaluation process.
8. Remediate: Take the necessary steps to remediate the deficiencies.

Process Documentation

Phase 1: During this phase, one should get a good understanding of the selected Processes and sub processes before documenting them. Reviewing process documentation as well as discussion with process owners can achieve this. Also the computer (IT) applications used in these processes and other General Computer Processes should be identified in this phase.

Phase 2: In this phase, process flow charts for the processes and sub processes should be prepared based on the understanding gained in the previous phase. For making this possible, the process documentation should be in a detailed description and flowchart format. For processes, use process flow charts. For identifying application controls, a useful tool called an application flow chart is prepared. An application flow chart is similar to a process flow chart but it would cover the applications that are supporting the process. Please find below a sample flow chart.
[Flowchart: Process Flow chart for Onsite reimbursement for US Employee. Lanes: US Office, Supervisor, E-PORTAL, SAP, SYSTEM INTERFACE. Boxes shown: Start; Claims are entered by employee in E-Portal; A unique system generated claim number is generated once the claim is registered in E-Portal; System generated mail is sent to the supervisor once the claim is registered by employee; System generated mail received by the supervisor; Special Approval (YES / NO); Follow-up made with the supervisor for approving the claim; Intimation sent to the employees regarding the non approval by supervisor and for expense claims which are not as per policy; Hardcopies are sent to Finance despatch team after 3 days; The claim copy along with the original supporting documents are sent to Accounts officer, US office, for scanning; Claim copy and the original supporting documents are scanned and softcopy is sent to Accounts Executive; Claim verified by Accounts Executive; Intimation sent to the employee regarding the claims not as per policy and the claim is kept on hold; SAP.]
Risk Assessment

The objective of this step is to identify and analyze the points in the Processes and Sub Processes where something could go wrong to compromise achievement of relevant Financial Statement Assertions, i.e. to identify and analyze Risks relevant to Financial Reporting reliability. Once you have completed the assessment, document the Risks in the Risk Matrix. The documentation should include Risk Reference, Risk Description, Probability, Impact, Cross reference to controls, ownership etc. A Risks and Controls Matrix could be a simple spreadsheet having this information. These documented risks are analyzed and appropriate controls, which can act as mitigating factors, are identified. These controls are documented in a job aid called the Risk and Control Matrix. Key risks and key controls are identified based on their risk and impact on financial reporting. Normally, these key controls are the focus for remediation, operation and testing.
Controls Documentation

As already mentioned, controls are those activities which mitigate the risks. These controls are documented in the Risk and Control Matrix. It may be possible that these steps can be included within the process itself. However, due to the critical nature of these controls (SOX Section 404 is all about Internal Controls Over Financial Reporting), it is suggested to record them in a document called the Control Description Document (CD). These CDs are baseline control documents and are a starting point for assessment and remediation of controls.

Attributes of Controls

Every control may have various steps in it, called control activities, which can be designed and tested separately. In a detailed control description document (CD), these activities are mentioned as control attributes. Therefore, every attribute is a specific control step.

Examples of control attributes

Following are some examples of control attributes:

- Approval of requirement specification documents
- Peer review of requirement specification documents
- Testing of back out plans
- Approval of Master Test Plan
- Traceable requirements in design documents, etc.

Key Controls

As mentioned, once all the controls are identified and documented in the Risk and Control Matrix, management applies its professional judgment in understanding the probability and impact on financial reporting if the control fails. If the control has a noticeable impact, it is classified as a Key control. Sometimes, if there are a large number of key controls, they can be further grouped (with an adequately documented rationale). If we reduce the number of controls further from key controls by grouping them, it is important to update the external auditors and get their views (at least their negative assurance) on this scoping decision. For example, from a technology perspective, controls related to information security, SDLC controls, production change management, Backup and Restoration, Incident Management etc. are generally classified as key controls.
Walkthrough

A walkthrough is the step followed during assessment of controls. Walkthroughs can be classified into two areas: design walkthrough and operational walkthrough.

Design Walkthrough

Design walkthrough means assessing the design of the control by means of reviewing the control description document, reviewing the risks the controls mitigate, checking the adequacy of the controls, checking the documentation of controls and related processes, checking the approval of those processes and controls, and finally ensuring that the control details given in the CD document are the same as those published in the process repository.

Operational Walkthrough

Operational walkthrough means the steps taken to ensure that the control is in fact operated as per the design. This step is not testing and hence it is not necessary to select samples and test them. It is adequate to have one sample (if available) and to check whether or not the control is operated as per the design. If the evidence is not available due to non-operation of the controls, it is enough to interview the control operator, review the documents at the work place and identify the adequacy of the control operation.

How should the Walkthrough be documented?

Design walkthrough is documented in the form of a formal design walkthrough report. A Design walkthrough report is generally an extension of the CDs, where each attribute of design is reviewed, including the means of design (e.g. process, procedures, job aids, etc.), whether they are adequate and how they were verified. Document reference details, links to relevant intranet pages or document repositories, and the conclusion of the reviewer are also presented in the report. The observations/gaps, if any, should be noted in the design walkthrough report as well as the design walkthrough gap register. These gaps are to be assigned to relevant teams and reviewed regularly until they are closed. Operational walkthrough observations are generally given by way of e-mail to the concerned team (thus they need not be too formal). However, the gaps found in an operational walkthrough are noted in the operational walkthrough register. The operational walkthrough gaps are generally discussed with a management group, typically the Testing Review Boards (TRB).
Assessment of design effectiveness

The objective of assessment of design effectiveness (also called design walkthrough) is to check the adequacy of the control design to mitigate the risk or to meet the control objective. Thus, before the assessment, the control should have been identified and mapped to risks or relevant Control Objectives. The controls are documented in the risk and control matrix and the control description document (CD). Thus the CD becomes the starting point for design assessment.

Approach to assessment of design

- Take the CD document
- Review the attributes
- Review the process documents where these control attributes are documented
- Check whether the control points in the process are given as mandatory and highlighted
- Check whether the processes are in line with relevant policies
- Check whether the control will meet control objectives or mitigate risks
- Check the approval of appropriate processes
- Check whether the process has been published in the process repository
- Capture the reference details of the processes and also the relevant portions of the processes which mention the control objectives
- Prepare the design walkthrough report
- Note the design walkthrough gaps in the register
- Periodically review the gaps and ensure that they are closed
- Update the design walkthrough report to reflect that there are no gaps
Testing of operational effectiveness

The steps included in the test of operational effectiveness are:

Operating effectiveness (Sl. No, Particulars, How to do):

1. Appoint a test responsible: Appoint an independent (as much as possible) test responsible who is responsible for preparing test plans, executing the tests and preparing test reports.
2. Take a list of all key controls for each relevant process: The Central SOX team generally gives an IT master template giving various relevant controls. Teams may customise as required for their business unit. If required, you may add other risks and relevant controls which are to be tested as well.
3. Create a testing plan for each control: The Central SOX team generally gives the SOX Test Plan and Test Scripts.
4. Select appropriate samples: The samples are to be selected as given in the sampling guidance table on testing the operating effectiveness.
5. Select appropriate testing method: One or more of Inquiry / Observation / Re-performance / Examination of documents and reports.
6. Execute test plan and prepare test report: Retrieve the samples, execute the test and document the results.

The testing of controls means testing whether the control is operating effectively. As control attributes are part of controls, this means the testing of each and every control attribute. Even if just one control attribute fails, the control is deemed to have failed. Test scripts are the steps required to get the assurance that the control is operating effectively. For example, if approval of requirement definition documents is a control attribute, check whether the approval is in place: who has approved, has written approval been given, who has authorized the approval, what is the date of the approval, is the approval current, is the approval explicit, etc. The testing of the control is done by selecting a few samples from the given population and executing the test scripts for those selected samples. Testing is done through Inquiry, Observation, Re-performance or a combination of the above. A pass or fail is determined by executing the test scripts. Test results are given as Pass or Fail. Once the test is executed, the results are noted in test reports and updated in the test repository. The gaps are also noted separately in a gap register (typically in a tool based repository) and presented to management. Depending upon the test result evaluation process, further action shall be taken. For example, in the case of weekly controls, one should take an adequate number of samples (e.g. 5 samples if it is a weekly control) and verify the control. 5 samples shall be taken for testing, and if one sample fails, additional testing of 5 more selected controls should be executed. If two samples fail, then both the testing of the failed controls and the failure itself are considered as deficiencies.
All the gaps found in testing are generally to be fixed. The deficiencies are reported in the Deficiency evaluation forum to determine whether they are simply deficiencies, or significant deficiencies, which are seen as material weaknesses. After remediation, retest the controls to ensure the same.

Remediation

Remediation (Action Plan) (Sl. No, Particulars, How to do):

1. Remediate the deficiencies: Establish the necessary policies and procedures and implement them to remediate the deficiencies found in the test of design effectiveness and the test of operational effectiveness.
2. Document the remediation: Document the steps taken to remediate the deficiencies.
3. Retest them: Once the deficiencies are removed, the controls need to be tested for design and operational effectiveness once again.

The deficiencies found in Testing of Design effectiveness and Testing of Operational effectiveness need to be fixed (remedied). That would generally include a change in processes, procedures and job aids, and might also include orientation of control operators.
Appendix - Application Controls

Overview

This section explains application controls, a comparison of application controls with other control categories, and the approach to application control documentation and testing, with some examples. This document also explains application base lining and why base lining is similar to application controls.

Introduction

Controls

Controls are procedures, mechanisms or methods in place to check something, to prevent the happening of unwanted things, or to detect if something has gone wrong. For example, prior approval may need to be obtained for the purchase of a new large computer system. This approval usually means that the signature of a senior management official is to be obtained. This authorization is a control because the senior management person must review the proposal for acquiring the computer system, and other aspects of the intended purchase, to make sure that the company's best interests are being pursued. Other examples include an approval of travel before an employee makes a business trip, the trip expense report filed after the trip, the requisition form needed to hire a new employee, the selection process for a vendor, etc. In general, controls are the processes or activities in place to mitigate the risks. Controls can be categorized in various ways. At a higher level the controls are grouped as:

1. Business Controls (Process Controls and Application Controls)
2. IT Controls (General Computer Controls)

Application controls

Consider a business process wherein a purchase request for buying raw materials for the company is raised. There would most likely be a structured method or process to raise the request, get a quotation, get approval, make payment, etc.; all these are examples of business process controls. When this process is enabled by an application, which is most likely the case in recent times in every organization, they are called application controls. Generally application controls are needed to ensure Completeness, Accuracy, Validity, Authorization, and Segregation of duties. For IT application controls, the business, not IT, defines the control requirements, especially for financial systems that are often complex in nature from a business process perspective. However, IT supports the business teams in documenting and testing the application controls.

Comparison of application controls with other control categories
[Figure: Application Control compared with other control categories. Labels recoverable from the figure: Business Processes Controls; ERP; Older applications; Other Applications including End user Computing tools; Application Controls are implemented through Applications; General Computer Controls. Steps listed: Process documentation; Application flow charting; Identification of key application controls; Preparation of Test Plan; Testing and reporting application controls; Remediation.]

Approach for Application control documentation & testing

Phase 1: During this phase, one should get a good understanding of the selected processes and sub processes. This can be achieved by reviewing process documentation as well as discussing with process owners. Also the computer (IT) applications used in these processes and sub processes should be identified in this phase.

Phase 2: In this phase, application flow charts for the processes and sub processes should be prepared based on the understanding gained in the previous phase. For making this possible, the process documentation (description, flow charts etc.) should be reviewed along with the identified Risks and Controls. An application flow chart is similar to a process flow chart but it would cover the applications which are supporting the process.

Phase 3: Test plans should be prepared for testing the application controls. The plan should be in line with the standard test work book template circulated by the central team. Once the test plan is prepared and approved, the test must be performed. The required evidence should be collected and a test report should be prepared with the required evidence. The operational effectiveness score shall be provided for all the application controls.
Phase 4: The gaps identified during the testing will be remediated during this phase. A detailed remediation plan will be prepared and executed to fill the gaps. Typically the remediation is done by the Application owner (IS team) along with the business cycle team.

Phase 5: Knowledge gained during the previous phases will be transferred through trainings and awareness programs to the relevant business cycle and IT teams for periodic enhancement of application controls and for verifying the same on an ongoing basis.

Example: If there is an application control which is the automatic emailing feature of the application, which sends an email to appropriate management (as defined by the cycle) for their approval before buying an asset, we need to prepare the test plan to test the operation of this control. The test activities should (a) ensure that the system knows the appropriate management users (authorization matrix), (b) ensure that emails are automatically raised and sent, and (c) ensure that without the approval from the appropriate management, a Purchase Order is not raised. The evidence should include the authorization matrix, logs for automatic email generation, and evidences (screen shots, error messages etc.) to ensure that Purchase Orders cannot be raised if the approval is not available in the master etc.

Some types of application controls

Balancing control activities — these controls detect data entry errors by reconciling amounts captured either manually or automatically to a control total. For example, a company automatically balances the total number of transactions processed and passed from its online order entry system to the number of transactions received in its billing system.

Check digits — these controls use calculations to validate data. For example, a company's part numbers may contain a check digit to detect and correct inaccurate ordering from its suppliers.

Predefined data listings — these controls provide the user with predefined lists of acceptable data. For example, a company's Intranet site might include drop-down lists of products available for purchase.

Data reasonableness tests — these controls compare data captured to a preset or learned pattern of reasonableness. For example, an order to a supplier by a home renovation retail store for an unusually large number of board feet of lumber may trigger a review.

Authorization controls — these controls establish accountability for the initiation and approval of transactions that impact the financial reporting process.

Tolerance levels — these controls specify who can initiate or authorize certain transactions over dollar limits without approval. Similar provisions may be made for journal entries.

Etc.
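The control types listed above, as an added example that is not part of the original paper: constructed purchase-order records are run through check-digit, predefined-list, reasonableness, tolerance and balancing tests and the exceptions are returned for review. The product list, role limits, quantity pattern, Luhn check digit and all order data are assumptions.

```python
"""Added example (not from the paper): the application-control types above, run as
automated tests over constructed purchase orders. All master data here is assumed."""
from dataclasses import dataclass

APPROVED_PRODUCTS = {"LUMBER-2X4", "NAILS-3IN", "PAINT-1GAL"}   # predefined data listing (assumed)
TOLERANCE_LIMITS = {"clerk": 5000.00, "manager": 50000.00}     # dollar limits by role (assumed)
REASONABLE_MAX_QTY = {"LUMBER-2X4": 2000}                      # learned pattern per product (assumed)


@dataclass
class PurchaseOrder:
    po_id: str
    part_number: str    # assumed format: digits, last digit is a Luhn (mod 10) check digit
    product: str
    quantity: int
    amount: float
    initiator_role: str
    approved: bool      # approval recorded from appropriate management

def luhn_valid(number: str) -> bool:
    """Check-digit control (Luhn is an assumption; the paper only says 'may contain a check digit')."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def balancing_control(sent_ids, received_ids) -> dict:
    """Balancing control: reconcile orders passed from order entry to those received in billing."""
    sent, received = set(sent_ids), set(received_ids)
    return {"missing_in_billing": sorted(sent - received), "unexpected_in_billing": sorted(received - sent)}

def check_purchase_order(po: PurchaseOrder) -> list:
    """Edit and authorization controls on one order; returns the exceptions to be reviewed."""
    exceptions = []
    if not luhn_valid(po.part_number):
        exceptions.append("check digit failure")
    if po.product not in APPROVED_PRODUCTS:
        exceptions.append("product not in predefined list")
    if po.quantity > REASONABLE_MAX_QTY.get(po.product, 10**9):
        exceptions.append("quantity outside reasonableness pattern: review")
    if po.amount > TOLERANCE_LIMITS.get(po.initiator_role, 0.0) and not po.approved:
        exceptions.append("amount over tolerance limit without approval")
    return exceptions
```

The exception list and the reconciliation differences are the kind of system output that would be captured as test evidence alongside the screen shots and logs mentioned above.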
Application base lining

Some of the applications may not have adequate documentation. However, these applications would still support some business cycles which are selected for SOX. As adequate documentation may not be there for these systems, it becomes important to base line them. Base lining, in this context, means testing the application controls, documenting the test results and, apart from this, also creating a detailed document on how the entire application control is automated. In other applications (which have proper documents) these details would already be covered in user manuals or application documents.

Therefore, application base lining is needed for applications (a) which support one or more business cycles selected for SOX and have key application controls implemented through them AND (b) which do not have adequate documentation.

Any application which is involved in supporting a cycle selected for SOX compliance shall be looked into for key application controls for documentation and testing. The testing which is done as part of application base lining is quite similar to that of application controls.

Example: Control: Calculation of Depreciation for Fixed Assets by a particular application.

Situation 1: Let us assume that the depreciation calculation is done by an ERP system (say SAP). Assuming SAP has all the documentation, it would be helpful for us to go through that documentation to understand how exactly this application control is automated. This would help us in testing the application control.

Situation 2: Let us assume that the depreciation calculation is done by an older system (say XYZ). Let us also assume XYZ does not have any supporting documentation. According to SOX we need to test the application controls in this case also, as they have a bearing on financial reporting, whether they are older systems (legacy systems) or systems with full documentation. In this case, we need to base line this XYZ application. As there is no documentation available (or the available documentation is not sufficient), we will go to the concerned processing department, take the logic used for the calculations, take the calculations done by the system, check the logic to ensure that the calculations are as per the depreciation rates decided by the management, and so on and so forth. Also, to test these application controls, collect evidences like screen shots etc. to ensure that processing happens properly.

Much of Corporate America is apprehensive of the oversight and liability that derives from Sarbanes Oxley. As mentioned already in the paper, the COSO framework or any other internal control framework does not give absolute assurance. Therefore, many companies go overboard in implementing SOX for year 1, especially related to Information Technology controls. I think the main reasons for this are lack of guidance on scope, consultants unable to simplify the implementation, lack of tools supporting the implementation, and companies not capitalizing on their existing internal control or risk framework. Neither the Act nor the PCAOB AS 2 provides enough clarity regarding control scope, the remediation aspects, the timeframe within which the controls are to be operated etc. This is because it is difficult to clearly draw a line between assurance of control design and operation. Other reasons for the complication are geographically distributed locations, lack of SOX expertise in each location, lack of direction by senior management etc.
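The base lining test for the depreciation control in Situation 2 above, as an added example that is not part of the paper: the calculation is re-performed independently from the management-approved rates and compared with what the application posted, and assets whose variance exceeds a tolerance are reported. The straight-line method, the rates, the tolerance and the asset register extract (including the constructed defect on asset A003) are all assumptions.

```python
"""Added example (not from the paper): re-performing the depreciation calculation of an
undocumented application (XYZ) to base line it. Method, rates and register data are assumed."""
from decimal import Decimal, ROUND_HALF_UP

# Assumed: annual straight-line rates per asset class, as decided by management.
APPROVED_RATES = {"plant": Decimal("0.10"), "computers": Decimal("0.25"), "vehicles": Decimal("0.20")}
TOLERANCE = Decimal("1.00")   # assumed: variances of up to 1.00 are treated as rounding

# Constructed extract of the asset register, with the figure the application actually posted.
# A003 is constructed so that the system ignored the salvage value (30000 * 0.20 = 6000).
ASSET_REGISTER = [
    {"asset": "A001", "class": "plant",     "cost": "120000.00", "salvage": "20000.00", "months": 12, "system": "10000.00"},
    {"asset": "A002", "class": "computers", "cost": "9000.00",   "salvage": "0.00",     "months": 6,  "system": "1125.00"},
    {"asset": "A003", "class": "vehicles",  "cost": "30000.00",  "salvage": "5000.00",  "months": 12, "system": "6000.00"},
    {"asset": "A004", "class": "plant",     "cost": "50000.00",  "salvage": "0.00",     "months": 3,  "system": "1250.01"},
]

def expected_depreciation(cost, salvage, asset_class, months) -> Decimal:
    """Independent recalculation: (cost - salvage) * approved rate, pro-rated by months held."""
    annual = (Decimal(cost) - Decimal(salvage)) * APPROVED_RATES[asset_class]
    return (annual * months / 12).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def reperform(register) -> list:
    """Compare the system figure with the recalculation; return the assets outside tolerance."""
    exceptions = []
    for a in register:
        expected = expected_depreciation(a["cost"], a["salvage"], a["class"], a["months"])
        variance = Decimal(a["system"]) - expected
        if abs(variance) > TOLERANCE:
            exceptions.append({"asset": a["asset"], "expected": str(expected),
                               "system": a["system"], "variance": str(variance)})
    return exceptions
```

The exception list, together with the rate table and the register extract, forms the evidence that the calculation logic was checked against the rates decided by management.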