
Impact of SOX and Audit on Business Process Documentation

White paper prepared by Codel Services Ltd ©


Purpose of this discussion

Business Process Reengineering should have two main objectives:

Making an organisation more efficient
Ensuring controls are robust and complete

To ensure that these are complementary and not contradictory, an understanding of SOX is useful as it is a major driver to the latter objective. The purpose of this document is to provide this background and to show how these considerations have been applied to Codel Services' process templates.

Note: for details on how to obtain the template for this deliverable, please visit the templates section.

SOX Background

To be “SOX compliant” is one of the aims of the template. This section describes some of the characteristics of SOX that may be relevant.

What is SOX

The Sarbanes-Oxley Act (SOX) is a response to a number of US corporate and accounting scandals. These resulted in a significant loss of public trust in corporate accounting and reporting practices.

Its key objectives are to:

Ensure that these scandals do not occur again
Rebuild confidence
Define and establish a higher level of corporate accountability

Specifically section 404 (SOX 404) mandates that management must assess internal controls annually, and have these attested by an external auditor.

SOX History

The scope of SOX has changed considerably over the last few years. Initially, the Public Company Accounting Oversight Board (PCAOB) was set up to oversee and advise on the implementation of SOX globally, on behalf of the SEC.

Their initial guidance was that companies should follow the industry standard best practice set out by the “Committee for the Sponsoring Organisation” (COSO) and, specifically for IT, “Control Objectives for Information and related Technology” (COBIT).

COBIT imposed very rigorous requirements on companies, and earlier this year the PCAOB yielded to pressure from early filers to lessen the degree of stringency around the more “peripheral” controls, while still focussing on the critical ones such as change management and logical access.

Whilst this is open to interpretation, most banks have taken this to allow a shift away from the COBIT approach to one of identifying a small set of “truly key” controls that can be tested against a set of defined risk categories.

It is likely that the level of stringency of documentary evidence on this leaner set of mandated controls will be consequently higher.


© 2002-2007 Codel Services Ltd

This paper has been prepared by Codel Services Ltd to illustrate how structured business modelling can help your organisation. Codel Services Ltd is an IT Consultancy specialising in business modelling. If you would like further information, please contact us at: Deryck Brailsford, Codel Services Ltd, Dale Hill Cottage, Kirby-Le-Soken, Essex CO13 0EN, United Kingdom. Telephone: +44 (0)1255 862354 / Mobile: +44 (0)7710 435227 / e-mail: