FY2006 Sarbanes-Oxley Act Project Approach for IS Processes
FROM: Corporate Controller
TO: Memorandum for the Files
SUBJECT: FY2006 Sarbanes-Oxley Act Project Approach for IS Processes
The purpose of this memo is to document management’s approach for the FY2006 Sarbanes-Oxley (SOX) compliance project for IS processes. This is not meant to replace the professional judgment required at each juncture of the project, but to document the approach. The following four areas are addressed:
1) SOX Process Identification and Risk Classification – Identify the IS processes and the overall risk classification for each IS process that will be evaluated as a part of the FY2006 SOX compliance project.
2) SOX Process Documentation – Identify the documents that will be created and used by the project team and management to assess the design effectiveness of internal controls.
3) SOX Testing – Identify the testing approach that will be used by the project team and management to assess the operating effectiveness of internal controls.
4) SOX Documentation Review – Identify the review process that will be used by the project team and management to facilitate a thorough review of the SOX documentation.
SOX Process Identification and Risk Classification
Management has determined that the evaluation of the IS processes listed below is critical for evaluating internal controls over financial reporting. An overall risk classification has been assigned to each of these IS processes; refer to the FY2006 Risk Classifications matrix for a more detailed risk assessment.
IS Processes in Scope for SOX
| IS Process | Risk Classification |
|---|---|
| Physical Security | Medium |
| Network Security | Medium |
| Logical Access | High |
| Change Management | High |
| Backup and Restore | High |
| System Interfaces | Medium |
SOX Process Documentation
The following documents will be created for each IS process:
1) Scope Memo – Defines the scope of the process
2) Documentation of the Process Flow - Policies and Procedures, Process Maps and/or Narratives
3) Risk and Control Matrices - Used by management to evaluate the design effectiveness of controls
4) Test Plans - Created for select controls that need to be tested (see Process Testing for further details)
5) Remediation List - Identifies ineffectively designed and ineffectively operating controls.
1) Scope Memo
We will define the scope of each process in a memo. The purpose of the scope memo is to articulate all applicable sub-processes and locations/systems/networks to be covered in the SOX documentation.
2) Documentation of the Process Flow
We will document the process in the form of policies and procedures, process maps and/or narratives. This documentation will be used to obtain a full understanding of the process, including the controls that exist within it. Additionally, control owners will be identified in the documentation.
3) Risk and Control Matrices (RCMs)
We will evaluate the design of internal controls for each process by using a risk and controls matrix. Within this matrix we will identify the SOX-related risks and document the controls that mitigate the identified risks. Risks within the RCMs will be tagged with a COBIT domain reference number to identify each risk's relation to COBIT.
An assessment of the mitigating controls will be performed by management to determine if the control environment as a whole is designed effectively. Testing will be performed for select controls (see SOX Testing for further details) where we deemed the control environment to be designed effectively to mitigate the risk. Controls that were deemed to be not designed effectively will be added to the design remediation list (see the Remediation List section for further details).
Defining and Classifying Controls
We define controls to include any procedures that we rely on to: 1.) prevent material misstatements, whether caused by error or fraud, from occurring during transaction processing or 2.) detect and correct material misstatements on a timely basis that may occur in processing transactions. We classify controls into the following three categories:
I. Primary or Secondary
Primary- we view these controls, relative to the suite of controls over a specific risk, as imperative to mitigating that risk.
Secondary- these are controls that add to the suite of controls over a specific risk. However, relative to the suite of controls over a specific risk, they are not viewed as imperative (i.e., without these controls, we may still be able to conclude on the effectiveness of the control environment).
II. Preventative or Detective
Preventative- policies and procedures designed to prevent an error or fraud.
Detective- policies and procedures that are designed to detect and correct errors or fraud.
III. Automated or Manual
Automated- IT programmed application controls (i.e., controls performed by a computer). For example, system access controls.
Manual- Controls reliant upon human intervention (i.e., initiation, performance, etc.). For example, manual reviews.
4) Test Plans
Test plans will be created for select controls (see SOX Testing for further details) where we deemed the control environment to be designed effectively to mitigate the risk.
5) Remediation List
There will be two types of remediation lists created: 1) Design Remediation and 2) Operating Remediation
I. Design Remediation – List of controls that require remediation because the design of the control is not effective to mitigate the risk.
II. Operating Remediation – List of controls that require remediation because the control is not effectively operating to mitigate the risk.
The remediation documents are used by management to assess control deficiencies as either internal control deficiencies, significant deficiencies or material weaknesses. Management determines the necessary remediation actions based on an evaluation of the remediation list.
Control Remediation Timeline
The below guidance will be used when determining the required timeframe for new controls to be in place to consider them to be effective for the fiscal year. The guidance is based on a 04/30 fiscal year end.
| Frequency of Control | New controls need to be in place by* |
|---|---|
| Daily / Multi-Daily | March 31 |
| Weekly | March 15 |
| Monthly | February 28 |
| Quarterly | Third Quarter Close |
| Annually | Year End Close |
*assuming controls are in place and operating effectively
SOX Testing
When determining the controls to test and the sample sizes, the following considerations will be made:
1) The risk classification of the overall process as identified in the FY2006 IS Risk Classifications matrix.
2) The extent of reliance of the external auditor on internal testing.
3) The type of control (a test of one will be performed for systematic controls).
4) The frequency of the control.
Exception Testing Guidance
The below guidance will be used when determining whether or not additional samples should be tested in the case where exceptions are found during testing:
More than one exception found in the initial sample
If more than one exception is found during testing of the initial sample, we would conclude that the control is not operating effectively and would not further expand our sample (i.e., a control deficiency exists). These exceptions must be added to the Operating Remediation List. Once remediation for the control has been completed, the control must be re-tested using the originally required sample size (e.g., 25 samples for a daily control).
One exception found in the initial sample
If we find one exception during testing of the initial sample and determine that the control exception is systematic (the exception will always occur) or otherwise believe the control is not operating effectively, we do not expand our sample size, but instead conclude that the exception is a control deficiency. These exceptions must be added to the Operating Remediation plan. We discuss the deficiency with management and challenge management’s decision to rely on the control. Management will need to determine if there are other controls that address the assertion that may be tested in lieu of the ineffective control(s) (and if so, we determine an appropriate testing strategy).
If we find one exception during testing of the initial sample and determine that the control exception is not systematic, the rate of exception appears sufficiently low, and we believe that expanding our sample size will not result in any additional exceptions, we will expand our sample size by 60% (e.g., sample size would increase from 25 to 40 for daily controls).
One or more exceptions found in the expanded sample
If we expand our sample size and find one or more additional exceptions, we would conclude that the control is not operating effectively and would not further expand our sample (i.e., a control deficiency exists). These exceptions must be added to the Operating Remediation List. Once remediation for the control has been completed, the control must be re-tested using the originally required sample size (e.g., 25 samples for a daily control).
Testing Procedures
See the charts below for the controls that will be tested for each process (based on high, medium or low risk classification, refer to the FY2006 Risk Classifications matrix) and the associated sample sizes that will be used.
Testing of controls
| Process Risk Classification | Test the following controls |
|---|---|
| High Risk | All primary and select secondary controls will be tested |
| Medium Risk | All primary controls will be tested |
| Low Risk | One primary control will be tested |
Sample sizes for a DAILY control
| Risk Level | Initial sample size (Audit Company X performing independent testing) | Additional samples if one exception is noted in the initial sample (independent testing) | Initial sample size (Audit Company X relying on testing performed by IA) | Additional samples if one exception is noted in the initial sample (relying on IA) |
|---|---|---|---|---|
| High Risk | 15 | 9 | 25 | 15 |
| Medium Risk | 15 | 9 | 25 | 15 |
| Low Risk | 15 | 9 | 25 | 15 |
Sample sizes for a WEEKLY control
| Risk Level | Initial sample size (Audit Company X performing independent testing) | Additional samples if one exception is noted in the initial sample (independent testing) | Initial sample size (Audit Company X relying on testing performed by IA) | Additional samples if one exception is noted in the initial sample (relying on IA) |
|---|---|---|---|---|
| High Risk | 5 | 3 | 5 | 3 |
| Medium Risk | 5 | 3 | 5 | 3 |
| Low Risk | 5 | 3 | 5 | 3 |
Sample sizes for a MONTHLY control
| Risk Level | Initial sample size (Audit Company X performing independent testing) | Additional samples if one exception is noted in the initial sample (independent testing) | Initial sample size (Audit Company X relying on testing performed by IA) | Additional samples if one exception is noted in the initial sample (relying on IA) |
|---|---|---|---|---|
| High Risk | 1 | 1 | 2 | 2 |
| Medium Risk | 1 | 1 | 2 | 2 |
| Low Risk | 1 | 1 | 2 | 2 |
Sample sizes for a QUARTERLY control
| Risk Level | Initial sample size (Audit Company X performing independent testing) | Additional samples if one exception is noted in the initial sample (independent testing) | Initial sample size (Audit Company X relying on testing performed by IA) | Additional samples if one exception is noted in the initial sample (relying on IA) |
|---|---|---|---|---|
| High Risk | 1 | 1 | 2 | 2 |
| Medium Risk | 1 | 1 | 2 | 2 |
| Low Risk | 1 | 1 | 2 | 2 |
Sample sizes for an ANNUAL control
| Risk Level | Initial sample size (Audit Company X performing independent testing) | Additional samples if one exception is noted in the initial sample (independent testing) | Initial sample size (Audit Company X relying on testing performed by IA) | Additional samples if one exception is noted in the initial sample (relying on IA) |
|---|---|---|---|---|
| High Risk | 1 | 1 | 2 | 2 |
| Medium Risk | 1 | 1 | 2 | 2 |
| Low Risk | 1 | 1 | 2 | 2 |
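The Exception Testing Guidance and the sample-size tables above together form one decision rule per control. The following is an added example (not part of the memo) that encodes that rule, with the sample sizes taken from the tables; the function and field names are my own, and the `systematic` flag stands in for the memo's "systematic or otherwise believed not to be operating effectively" judgment.

```python
from dataclasses import dataclass
from typing import Optional

# Sample sizes from the memo's tables: frequency -> mode -> (initial, additional).
# "independent": Audit Company X performs independent testing;
# "reliance": Audit Company X relies on testing performed by IA.
# The tables give the same sizes for high, medium and low risk, so risk is omitted.
SAMPLE_SIZES = {
    "daily":     {"independent": (15, 9), "reliance": (25, 15)},
    "weekly":    {"independent": (5, 3),  "reliance": (5, 3)},
    "monthly":   {"independent": (1, 1),  "reliance": (2, 2)},
    "quarterly": {"independent": (1, 1),  "reliance": (2, 2)},
    "annual":    {"independent": (1, 1),  "reliance": (2, 2)},
}


@dataclass(frozen=True)
class Outcome:
    conclusion: str               # "effective", "expand" or "deficiency"
    samples_tested: int           # items examined so far
    additional_samples: int       # items still to pull (non-zero only for "expand")
    retest_sample: Optional[int]  # required sample size for the post-remediation re-test


def evaluate_control(frequency: str, mode: str, initial_exceptions: int,
                     systematic: bool = False,
                     expanded_exceptions: Optional[int] = None) -> Outcome:
    """Apply the memo's exception-testing guidance to one control.

    `systematic` marks a single exception that will always recur (or that
    management otherwise judges to show the control is not operating).
    `expanded_exceptions` is the count found in the additional sample, or
    None if the expanded sample has not been pulled yet.
    """
    initial, additional = SAMPLE_SIZES[frequency][mode]
    if initial_exceptions == 0:
        return Outcome("effective", initial, 0, None)
    # More than one exception, or a systematic one: control deficiency, no
    # expansion; after remediation, re-test at the originally required size.
    if initial_exceptions > 1 or systematic:
        return Outcome("deficiency", initial, 0, initial)
    # Exactly one non-systematic exception: expand by the table's increment.
    if expanded_exceptions is None:
        return Outcome("expand", initial, additional, None)
    total = initial + additional
    if expanded_exceptions >= 1:  # any exception in the expanded sample
        return Outcome("deficiency", total, 0, initial)
    return Outcome("effective", total, 0, None)
```

For a daily control under IA reliance this reproduces the memo's own numbers: one exception in 25 items expands the sample to 40, and a deficiency is re-tested at 25.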
Types of Tests
We will perform the following types of control tests:
1) Testing the actual operation of the control (re-performance or re-application of selected transactions)
2) Inspection of relevant documentation
3) Inquiry (inquiry alone generally will not provide sufficient evidence to support operating effectiveness of controls; it should be supplemented with another test like observation)
4) Observation of specific operations (observation is only relevant at the specific point in time; it should be supplemented with another test like inquiry)
Testing Sample Selections
70% of the samples tested will be from Q1 - Q2
30% of the samples tested will be from November 1, 2005 – to date
100% of the samples tested for controls that require remediation will be from “remediation date” – “to date.”
Evaluation of Testing Results
Test results will be evaluated by management to determine if the control is operating effectively to mitigate the identified risk. If the control is not operating effectively, the control will be added to the operating remediation list (see Remediation List for further details).
SOX Documentation Review
Process Managers for each process are identified in the FY2006 SOX Review and Sign-Off Responsibilities document. Process Managers must review and sign-off on the accuracy of the SOX documentation. Process Managers are responsible for reviewing the documentation with the control owners, as necessary, to obtain a complete understanding of the documentation. Control owners for each process are identified in the FY2006 IS Control Owners document.
Additionally, the Process Owner, Person A, Vice President, MIS, is responsible for reviewing the documentation and also providing a sign-off on the accuracy of the documentation. A Financial Chair (Controller or the Director of Credit / Assistant Treasurer) is also required to review and sign off on the SOX documentation.