SOX and Key Steps

SOX guidance recommends that the steps in the (sub)process be sufficiently detailed to allow a third party to understand the flow of the transactions. Specifically, for each step in the process design the following must be clearly highlighted:

- Who is performing the step
- What is the process step they are completing
- Where that information is contained

However, beyond this, SOX is primarily concerned with articulating the set of steps as a set of controls (see next section). Thus it would prefer a minimalist approach that is less concerned with how to get the job done smoothly and efficiently, and more with how to get the job done in a way that mitigates any applicable risks.

Furthermore, in describing steps within a (sub)process, SOX is primarily interested in what are termed “significant steps”. “Significant steps” refers to any step within the process such that, if an error were to occur during that step, and in the absence of an effective control to prevent the error from occurring or to detect it if it did, there could be a potential for a material misstatement to the financial statements. As such, it is these steps within the company’s significant business processes which require identification of effective financial reporting controls. These steps are:

- Information about how significant transactions are initiated, authorized, recorded, processed, and reported
- Sufficient information about the flow of transactions to identify the points at which material misstatements due to error or fraud could occur

However, describing only this is not sufficient for process design, as process designs are primarily intended to instruct users on how best to perform the (sub)process. Thus a suggested approach is to cover both: to ensure that controls are described as part of the flow, but are highlighted as such (i.e. not left implicit), and to try to include the SOX mandated process elements in the text and associated models without losing detail important to the user. These are:

- “initiated”,
- “authorized”,
- “recorded”,
- “processed”,
- “reported”

 

SOX Impact on Process and Owner Deliverable

These considerations have no impact on this deliverable.

They will, however, need to be covered in the Process Design deliverable, as discussed above.

 

SOX Impact on Process Design Deliverable

These considerations are directly relevant to this deliverable.

It is critical that an auditor can quickly and easily identify in each procedural step which SOX relevant action is being performed, without any domain expertise. To ensure visibility to these SOX key steps, each procedural step should be written in a stylised way to emphasise the type of action relevant to SOX. For example, rather than state that a user enters data, this can be rephrased to user records data by enter

 


© 2002-2007 Codel Services Ltd

This paper has been prepared by Codel Services Ltd to illustrate how structured business modelling can help your organisation. Codel Services Ltd is an IT Consultancy specialising in business modelling. If you would like further information, please contact us at: Deryck Brailsford, Codel Services Ltd, Dale Hill Cottage, Kirby-Le-Soken, Essex CO13 0EN, United Kingdom. Telephone: +44 (0)1255 862354 / Mobile: +44 (0)7710 435227 / e-mail: info@codel-services.com