SOX 404 Compliance « SOX 404 Compliance

SOX 404 Compliance

While completing their first SOX attestation, one of the world’s largest biopharmaceutical outsourcing organizations with operations throughout 43 countries in 56 locations and approximately 6,200 employees, knew that building and maintaining a Sarbanes-Oxley compliance program presented challenges — unearthing and solving the issues that stood in the way of compliance and managing the myriad of spreadsheets and documents that are needed for the task.

In 2005, the Company completed its first year of SOX primarily by performing the tasks in shared services centers in the United States, the United Kingdom and Germany. The Company identified over 1,000 key business controls; remediate and re-tested several hundred key controls and implemented a document control process; tracked remediation; and then tested and re-tested its program.

The company passed the first year of SOX compliance, but at what cost ? Approximately 25,000 internal and external labor hours were needed, and several million dollars were invested.The Company knew it needed to find a better way.

April 28, 2008 - Posted by Nick | SOX 404 & 302, sarbanes oxley | sox 404 | 1 Comment

1 Comment »

Organizations identifying and testing a large number of Key Controls is usually the result of two mistakes:

1. Inclusion of operational controls as Key financial controls – i.e. the control cannot be mapped to an account/assertion intersection.

2. Over-reliance on detailed, transaction level process controls when Entity Level Controls, which occur less frequently and closer the external financial reporting cycle, can often provide the required degree of precsion for identifying material misstatements.

Comment by Chris | June 30, 2008 | Reply

| Next »

About

Ever since its first year of required compliance in 2004, Sarbanes-Oxley and Section 404 in particular has been criticized for the excessive cost and disruption it created for companies. The public debate about whether its been worth the effort has at times reached a fever pitch, as recently noted by the former Chairman of the SEC, Harvey Pitt[1], “As costs mounted, and auditors became defensive in their audits of internal control, a crescendo of criticism and despair arose, ultimately persuading the PCAOB and the SEC to revisit their prior guidance to make the beneficial purposes of the SOX 404 more obtainable, with lower costs and more focused efforts”. In this regard, certain statements from both the SEC and PCAOB December releases especially stand out[2]. At the same time, greater use of a risk based approach seems to reflect a return to the original principles of SOX and certainly of the COSO Framework.

[1] Compliance Week, March 2007 issue

[2] SEC Release # 33-8762, 34-54976 (12/15/06) and PCAOB Release # 2006-007 (12/19/06)

About the Author

Christopher D. Coigne CPA, CIA, CFE is the Senior Manager of Client Services and Product Development for BI International. For the past 5 years Chris has worked extensively with organizations seeking compliance with Sarbanes-Oxley (SOX). He has performed materiality planning and risk assessments, led facilitated control discussions, participated in client SOX Project Management Organizations, and overseen global control testing. Other projects have included managing outsourced Internal Audit activities, performing forensic and fraud investigations to aid in management’s deterrence and detection of fraud, and working to develop a web-based SOX and Internal Audit tool.

A graduate of Rowan University, Christopher’s experience includes public accounting financial audits, controllership in the insurance industry, internal audit management at Philadelphia-based ARAMARK, and consulting work for a variety of global organizations including McDonald’s, Sony, ING and Waste Management.

Search for:
Recent Posts
Pages
- About
- Sarbanes Oxley 404
Tags
AS5 assertions compliance ERM ICFR internal control Key Control sarbanes oxley sox 404 SOX Testing
Meta
Spam Blocked

1,230 spam comments

blocked by
Akismet
GRC Software
- GRC Software
SOX 404 Software
- Non-Accelerated Filers
- SOX 404 Optimization

Archives
- August 2008 (2)
- July 2008 (2)
- May 2008 (1)
- April 2008 (3)
Categories
- compliance
- ERM
- ICFR
- sarbanes oxley
- SOX 404 & 302
- SOX Testing
- Uncategorized
RSS
Entries RSS
Comments RSS

SOX 404 Compliance

Sarbanes Oxley Sections 302 and 404