Use of frameworks for SOX documentation

Subject: Use of frameworks for SOX documentation
From: Lisa Wright <liwright -at- earthlink -dot- net>
To: "TECHWR-L" <techwr-l -at- lists -dot- techwr-l -dot- com>
Date: Mon, 20 Sep 2004 15:07:25 -0600 (GMT-06:00)

Since January I've been working on Sarbanes-Oxley 404 documentation projects. Most have been at the business activity level and a bit at the entity level, but now I'm getting more involved on the IT side. The legislation declares that the company must adopt a framework against which to document their controls. Several standards that have been adopted are:

1. COSO, for Business Activity processes (i.e., generation of financial transactions and related processes that affect the financial statements.)
2. COBIT, for IT General Application Controls. The Cobit standard has more than 300 items and is now generally considered too broad for SOX purposes. ISACA has worked with the big four to whittle down the list and they have issued a document detailing a more focused list of controls. The ISACA web site has a whole section on Cobit.
3. External auditor's list of questions for entity level controls (i.e., the overall environment at the company, the "tone at the top.")

One of the big four I'm working with now has adopted its own 80-item standard for IT controls, which closely resembles, but is not identical to, the Cobit list. I think they did this out of self defense, as the ISACA standard had not been released yet and no one was quite sure what to do. One of the IT auditors I am working with at my company is approaching this from the CMM model of thinking, and deriving suggested best practices from that. I have noticed among clients that it does seem to be the accepted model. The processes must be documented, and then the testing is to ensure that they are followed. I have found that approach to be helpful, too.

I have a couple of questions. First, what other frameworks have others been working with? Has anyone been through a review of their documentation with the external auditors and gotten concrete feedback yet? It may be a bit early for this second one, as 10K audits have not started yet and I believe many firms are waiting until then to start their control assessment.

Just curious to see where others are at. I haven't had the benefit of seeing through a project from beginning to end yet, and not having much feedback from the final arbiter makes it difficult. Clients seem happy, though.

Thanks, looking forward to some discussion.
