February 22, 2005
The Sarbanes Legislation a important reform in ensuring adequate controls are in place. The challenge faced both from a business and IT aspect is to determine the level of depth one has to go to to achieve adequate assurance that controls are in place. I have worked on SOX for the last 2 and half years with many man hours spent in determining what constitute a control and is it a key control. These activities shifted business dollars from adding value to the share holder by growing the business to adding assurance to share holders.
The level of detail is my main concern. What level does one determine to be the correct level that ensures complinace to Sarbanes. I have seen approached that mirror the same amount of external audit activity that would be required internally. This to me is not achieving operational efficiency as testing has to be completed on a yearly basis. In addition, the external auditing body cannot rely on internal testing , but has to re-perform to have their primary evidence.
If the legislation was clearer on which process or level of detail that meets compliance, this guidence will be appreciated by all. At present, all companies are complying, but is the standard the same.