
Global Auditing Information Network - GAIN 247 Maitland Avenue Altamonte Springs, FL 32701 +1-407-937-1365

SOX 404 Tools


244 responses from 2,000 invitations, including 680 Fortune 1000 companies
Invitations issued on May 24, 2004
Survey prepared on July 9, 2004

http://www.gain2.org

Table of Contents

Company's performance by revenue
Company's Sarbanes-Oxley compliance philosophy
Biggest challenge in your company's compliance efforts
How do you enable your external auditor?
Which SOX tool are you using?
What is the primary reason you chose this product?
Is the tool you are using mature enough to meet your project requirements?
Which enhancements to this tool will be important to you?
What is your overall compliance budget and what portion are you spending on software?
What type of 404 status reporting do you provide/review with your audit committee? How often does this occur?
Additional questions or topics
Title of survey respondent
Country respondent resides in
Industry
Public listed exchange company?

Company's performance by revenue

[Bar chart: respondent count by revenue band; the table below carries the same data.]

Choice          Count      %
Under $1B          57   23.4%
$1B - $5B         107   43.9%
$5B - $10B         31   12.7%
$10B - $40B        36   14.8%
Over $40B          13    5.3%

Which best reflects your company's Sarbanes-Oxley compliance philosophy?

Will do the basics required to pass the 404 attestation and will determine our long-term strategy later: 55 (22.5%)
Will approach with a long-term plan to achieve sustainable compliance, beyond attestation: 74 (30.3%)
Will not only approach with a long-term plan to achieve sustainable compliance, but also will view SOX as an opportunity to create value for the company: 101 (41.4%)
Other, explained below: 14 (5.7%)

Other responses:
We are focused on the basics presently and are starting to develop our longer-term strategy.
Not applicable - Swiss-based quoted group.
Not required, but will comply.
Being private, we will implement more slowly than public companies.
As a non-profit we are complying with the spirit of the law only.
Currently not required to comply, but if Sr. Mgmt decide to comply, we will approach with a long-term plan to achieve sustainable compliance with the perspective of also providing value.
Not a requirement. Awaiting NAIC rule changes.
Our company is not publicly traded but is implementing SOX where it makes good business sense.
The third bullet - but also adopt COSO for other objectives (operations and compliance) by 12/31/05.
Will complete 404 attestation although our organization is not required to complete it.
UK Public Authority outside the reach of the US's crappy legislation!
We are not a public company and not required to do 404 reporting. However, we are implementing 404 for our 2005 Annual Report, in conjunction with SEC "late filers".
Voluntary compliance for increased governance and stewardship.
Will voluntarily comply with provisions that make good business sense and comply with other provisions when/if SOX is applicable to company.

What do you see as the biggest challenge in your company's compliance efforts?

(Percentages total more than 100% because respondents could select more than one choice.)

Staffing with qualified resources (e.g., IT auditors, testers, etc.): 149 (61.1%)
Conflicts with internal priorities: 146 (59.8%)
Communicating requirements and internal training: 91 (37.3%)
Timing: 87 (35.7%)
Multiple and international regulatory requirements/mandates: 29 (11.9%)
Defining and maintaining a substantiated document trail: 104 (42.6%)
Other, explained below: 24 (9.8%)

Other responses:
Cost.
Travel demands on IA staff.
Culture change.
Not applicable - Swiss-based quoted group.
Ensuring continuity of documentation and employee communications as process changes occur.
Financial outlay.
Finding the time and resources for SOX.
SAS 70 reports - reports are not timely - relying on prior year.
Costs and expenses.
Demonstrating benefits, other than need for legal compliance, to offset the costs.
Getting external auditors to commit to the approach.
Adjusting workscope to meet changing interpretations by outside auditors.
Workload.
Logistics with numerous international locations.
Management ownership of what is NOT just an internal audit project.
Complying with IT requirements with multiple systems in existence.
Senior management.
Changing culture/behavior to own their own processes/controls and understand 404 work is now part of their everyday duties.
Conflicting, incomplete or lack of, and consistently changing guidance from public accountants, regulators, and professional organizations on expectations and requirements.
Change management over the control environment / documentation.
Manual reports supported by software.
We are OK with Internal Audit resource for testing, but not yet sure about with Company resources outside Internal Audit.
Lack of real commitment, flows on to resources, etc.
Changing the tone at the top and within the company.

How will you enable your external auditor to walk through, review, and rely on management testing on internal controls to issue their attestation?

Choice                         Count      %
Will leverage software           134   54.9%
Will create manual reports        75   30.7%
Other, explained below            32   13.1%

Other responses:
Will do both of the above.
Combination of software and manual reports.
Leverage software and work with externals each step of the process.
Probably a combination of both.
Create Excel templates and supplemental workpaper binders.
Relying heavily on work of internal audit for testing/validation/monitoring.
By their review of our documentation for each site, which includes narratives.
Combined internal / external audit efforts.
Unsure.
Provide control matrices, flowcharts, and narratives.
Consummate documentation, internally developed feedback, electronic and manual as required.
Unknown at this time.
Not sure yet.
Excel spreadsheets loaded into an Access database.
They will review our electronic workpapers - they are on their own to document their testing.
Combination of the two; utilize software, but a lot of testing documentation will be outside of the software for now.
Currently manual reports, but after pilot phase will review available SOX 404 software. Hopefully top vendors will surface at that point since a lot more companies will have had the opportunity to utilize the software in production.
Not yet determined.
Testing performed independently by Internal Audit, rather than by business, using sampling methodologies and sizes that meet external auditor's standards; documenting results using standard workpapers (electronic and hard copy).
Provide electronic copies of all testing in Microsoft Office format.
Will provide paper documents and copies of supporting documents and results of internal audit tests and walkthroughs.
A report on internal control is issued by internal audit annually.
Combination of software and manual reports.
Created documentation of process and examples.
Initially, manual reports, with software implemented in mid 2004.
Narratives supported any pointers for controls in our SOX documentation.
Documented flowcharts and risk control matrices documenting the assessment of controls; results of testing; and related assessment of risk.
We are still determining to what extent we will automate this process.
Not sure yet.
Coordinated testing with external auditor.
Still discussing - foreign registrant, not due to comply until 2005.
Our voluntary compliance does not include the external auditor attestation.
We have worked with them, from the start, to develop a workable solution.

Which SOX tool are you using?

Choice                     Count      %
No tool selected              73   29.9%
Deloitte                      36   14.8%
E&Y                            5    2.0%
KPMG                          13    5.3%
PwC                           15    6.1%
In-house                      17    7.0%
Certus                         2    0.8%
Handysoft                      5    2.0%
Paisley                       22    9.0%
Axentis                        3    1.2%
Cartesis                       0    0.0%
SAS                            0    0.0%
Protiviti                     10    4.1%
Oracle                         4    1.6%
SAP                            3    1.2%
PeopleSoft                     1    0.4%
Plumtree                       0    0.0%
Resources Connections          3    1.2%
OpenPages                      2    0.8%
Movaris                        1    0.4%
Other, explained below        32   13.1%

Other SOX tools being used:
Opvantage - Fitch Risk.
Microsoft Excel.
Microsoft SOX Accelerator.
Microsoft shared documents.
PwC TeamMate, Lotus Notes databases.
CARDmap.
SO Comply.
Microsoft Office.
FOCUS by Paisley.
Pentana Audit Work System (PAWS).
Started with KPMG but moved to IBM when they purchased intellectual property from KPMG.
Providus - Risk Resolve.
Protiviti.
Microsoft Accelerator for Sarbanes-Oxley.
TeamMate (using existing audit workpaper software).
Policy IQ (Snap River/Resource Associates).
Excel.
Providus RiskResolve.
Pentana.
Rely on testing as documented in a risk control matrix.
Will leverage Protiviti's TSA software to facilitate.
Magique.
SO Comply.
ERA from Methodware.
RiskResolve.
Have chosen Handysoft -- will implement for 2005 testing.
Microsoft Office.
Horizon.
Risk Register.
ICT from Grant Thornton.
SOXA.
Internally created "tool".
SOXTools.

Primary reason you chose your SOX tool?

Choice                                Count      %
Ease of use                              56   23.0%
Integration with existing systems        26   10.7%
Leverage existing investment             30   12.3%
Reporting                                27   11.1%
Flexible framework                       37   15.2%
Other, explained below                   71   29.1%

Other reasons you chose your SOX tool:
Combine with other operating risk requirements of our industry.
Coordinates with external auditors.
Web-based for use by global operations.
Collaboration strength.
Security.
One of the first commercially available tools when our project was started 15 months ago. KPMG is also our external auditor, so their familiarity with it is expected to provide ongoing efficiencies for reviews and testing.
Tailored and COSO based, ease of use.
Came with services provided by PwC.
Best of what was available at the time we chose the software.
Selected by parent company, I believe for the sake of transparency.
Current audit tool.
Chose tool used by independent auditor.
At the time we started, not many to select from. Shortly after we selected, more products started to show up in the market place.
Deloitte is our external auditor, so using their tool seemed logical.
We expect to go beyond compliance, address all of internal control, and merge with enterprise risk management. We relate to Protiviti's risk model (formerly Arthur Andersen's) and felt that Protiviti has always maintained a long-term view.
Easier sign-off with attestation.
Costs.
Best overall value and use beyond SOX compliance.
Someone else chose it.
Low cost until shakeout.
Cost.
Reasonable price.
KPMG hired to do SOX documentation and this was their tool.
Web based.
Format and structure; COST! (low).
EA tool.
When we selected KPMG we felt it was the best of a very weak grouping of 404 products.
Most cost effective solution that met requirements.
Best available when we started the search process in March '03.
External auditor can't object to design of their own tool.
E&Y recommendation.
We are using Deloitte to assist us. This tool is short-term use only.
Cost.
Provides a repository for the majority of information related to a control, including test results, and an assessment report with detail and an exec. summary.
Cheap, meets needs, in-house capability existed.
Familiarity of external auditor with tool.
Same page as external auditors.
Price.
Free use and training.
Free and externals are familiar with it.
None of the others are adequate.
Using Deloitte to do the documentation.
All that was available at the time.
Coordination with external auditors.
Cost, trust, and wanting software market to more fully develop before making a long term commitment.
Customizations.
The system was part of the overall consulting relationship.
TSA is web based questionnaires to assist in control environment or Top Down view.
The software was offered for free.
One of few available in early 2003, plus E&Y are our advisors.
Leverage benefits by using EA tools.
KPMG is our auditor.
Tool that external auditor uses.
Reference and need.
Cost - tool to capture data with some reporting capabilities.
Limit cost.
Sustainable documentation & consistent approach across multiple entities.
Wanted to couple the tool with consulting assistance.
Are using D&T consultants to help; their familiarity with product and cost ($0).
Greatest functionality at lowest cost.
Implemented the CSA system in 2000.
Recommendation from external auditor.
(1) Handysoft is based on the E&Y framework/approach; and (2) platform is compatible with corporate architecture (i.e., not Lotus Notes).
Deloitte is assisting with documentation.
Low cost and availability when project started in February 2002.
We really selected our SOX partner and they brought with them their tool.
Recommended by external auditor.
Bilingual version.
PwC was assisting on SOX project, so we used their software.
Cost.
Structured framework.

In your judgment, is the tool you are using mature enough to meet your project requirements today?

[Bar chart: Yes vs. No; the table below carries the same data.]

Choice   Count     %
Yes        117   70%
No          50   30%

Which enhancements to this tool will be important to you?

Reporting flexibility.
Don't know yet, installation is currently underway.
Leverage ERM.
Linking completed work to the tool.
Ongoing reporting - notification of needed assessments - a tickler file.
More user friendly, and also need to have more space for detail descriptions.
Reporting.
Document and version management, reporting, simple, easy to change to meet needs.
Better reporting capabilities.
Greater ease of use.
Integration w/ audit workpapers.
Need to get through the first cycle.
Progress tracking and status summary reporting.
Long term we will look for a product from our ERP vendor SAP and therefore are not overly involved in enhancements of the current tool.
Ability to track changes to documentation in subsequent years.
The ability to identify other controls that can show your entire control environment, but not have ongoing testing of the controls.
The ability to revise risks and the ability to assign the appropriate organization.
Not as flexible as it could be. Attestations are not that easy to indicate. Ability to manipulate the data in order to do custom reporting is not as good as it could be.
Lean our future monitoring and reporting activities.
The tool is not yet ready for production and will not be fully available until August.
I haven't seen the tool yet.
Enterprise wide capture of control documentation at the control steward level.
Better storage and reporting capabilities.
User friendly and more logical.
Improved reporting.
This tool is very cumbersome to use - needs to be simplified.
The tool was mainly used to develop our control questionnaires. We will be evaluating other tools at some point for ongoing maintenance of the documentation.
Ease of update.
Ability to assign control activities directly to employees, rather than just control objectives. Also, improved integration with internal audit test documentation.
Improved user interface.
Enhancing the tool to address all of internal control, including operations and compliance in addition to reliable financial reporting.
There are too many to list. We are actively pursuing other options at this time.
More reports specifically designed to meet 404 - areas tested, etc.
Account mapping.
Version 2.0 has better reporting capability.
Not using a 404 software tool.
Importing documents, reporting links.
Management for changes in documentation to simplify ongoing review.
Direct communication to users through software by administrator (i.e., a welcome page when users log on where we could post significant communications).
Flexibility.
There is no one enhancement that is more important than any other. All of the tools we have seen, including the one from IBM, are in early stages of evolution; use as SOX 404 is.
The custom reporting capabilities. We are relying on a number of supplemental tools for reporting results and project management.
Data archival.
Further integration into Oracle system.
We are using the basic package this year; next year we will move to their enhanced package called Navigator.
Reporting; improving ease of use by process owners.
Integration with other company systems.
Reporting. Ease of use.
Ernst & Young's tool not likely a sustainable platform after initial effort.
Adding a controls library.
Additional access levels to documentation.
Better reporting for testing plan and test results.
Efficiently facilitate control owner assertions on a quarterly basis after year 1; the software can do this, but it needs to be enabled.
Better reporting, better test documentation, easier updating.
Reporting financial statement assertions matched with key internal control activities to highlight coverage.
Better issue tracking and better integration with financial software.
Report generation; summary results.
We just started so haven't seen enough to judge yet.
Automated escalation of test requirements.
Summary reports.
Ability to analyze results.
Improved reporting.
Dashboard.
Reporting enhancements.
Dashboard compliance management.
Reporting.
We are in the configuration stage. The only potential concern we have is that we not overly complicate the process of management assessment by over-engineering the configuration.
More robust reporting.
Keep up with changes in compliance legislation.
N/A.
ICW (from PwC) will be transitioned to the OpenPages product. Have not yet committed to OpenPages. Continue to seek a permanent solution.
Ease of use, reporting.
Update capability for non-internal control people.
We would eventually like to move to a tool that includes enterprise wide risk assessment as well as 404 compliance.
Reporting functionality.
Ability to monitor on-going updates and regular monitoring outside of year zero.
Ease of use.
Reporting capabilities.
Don't know - we are just starting to use it.
Creation of standard reports will be a priority.
Enabling control self-assessment by business owners and improved security & accountability within the tool.
User friendly, better edit and entry methods, flexibility.
More robust reporting.
Global capability.
Needs to link with a suite of audit tools. Specifically, a solution that links Risk Assessment; Annual Audit Planning; Audit Execution (e.g., Project Planning, Workpapers, Reporting); Communications and Reporting; Issue Tracking. Paisley's software and no one else integrates this. It feels like an additional risk assessment and audit process when a higher standard that accomplishes the SOX 404 and non SOX 404 audit.
Change management features that will be able to re-capture the control environment as it existed at various previous points in time.
Ease of use.
Better and more flexible reporting system.
Reduce the need for writing the same information more than once.
Reporting feature should be accessible for key-users to create their own reports.
Size of database tool can support.
Automatic e-mail capability.
Report writer.
Reporting, process flow.
Make it easier to use with better reporting capabilities.
Further enhance to improve ease of use.
Better ease of use and more robust reporting.
Increased ad hoc reporting and ability to set up data (i.e., controls, test scripts) more easily.
Internal security as to who has access to certain fields; security will allow for more flexibility.
Reporting.
Reporting capabilities and data transparency.
The ability to view, input and report on multi-dimensions, such as by assertion or by objectives or by control activity or by function or by process. Currently our framework view is by objective, which makes it difficult to discern if the assertions are covered. This view is also inefficient in that it is difficult to group control activities to identify work synergies.
Also used for Basel II and project management for the business lines.
Meets current requirements -- will evaluate later for long-term use.
None identified.
Bad decision. Don't believe enhancements will save this product (KPMG CAAT tool, now sold to IBM). Will replace.
Some internal "existence" tools to check for completion. Currently have developed these external to the system... so not overly burdensome.
Needs to be updated with assertions per revised PCAOB standards.
Maintenance and change tracking.
Will need to supplement tool to provide robust documentation record.
Improved reporting, ease of use.
Ability to take in the new COSO requirements when finalized.
Ability to (eventually) merge with risk management database, currently handled internally.
Tool needs to be more flexible with more reporting levels.
Change management and version control over multiple control environment instances will be a challenge.
Special testing applications for Internal Audit purposes (separate evaluation tool to recommend the results of the Self Assessments).
Ease of making changes.
Connection to auto-audit.
Reporting tool (custom designed reports).
Configuration to interface with Outlook to notify associates of assigned tasks.
Tracking db changes.
The tool could be easier to use. The report writer is a challenge. Roll-up reporting needs major improvement.

What is your overall compliance budget and what portion are you spending on software?

Company revenue: Under $1B
$0, $0.
$1.0M.
$100K (we've well passed that). Spent less than $10K on compliance software.
$100K, about half on software.
$300k with 1/3 on software.
800,000, about 50,000.
Approximately $1,800,000, of which only $23,000 was software (license).
Compliance budget is approximately $1 MM. Software spending is negligible.
Estimated soft cost $75,000 software and implementation, an additional $10,000 internal costs only.
No budget. Must spend what it takes to get this done.
No set budget, but so far the software costs have been < 10%.
Not known.
Overall ~$1 million. About $580K for initial software licensing and implementation.
Overall budget was $1.5 million, spent $35,000 on tool.
Software 1m.
The software was free, but we utilized Protiviti staff for SOX work. Also, there is going to be a $10k or so maintenance fee.
This is incorporated into IT and they budget for all software. We will have to budget for visiting locations - but that will depend on the number we are required to visit. Software will be in the $20-30,000 range. Travel is unpredictable at this point.

Company revenue: $1B - $5B
$1.5M - less than 5%.
$150-$200K.
$2 million; $250K.
$2+ mm compliance budget. The software cost was insignificant.
$225,000 overall. $10,000 software.
$250k. Around $50 - $100 on software.
$250K; $60K.
$3 million / $25,000.
$350,000 overall; $140,000 software.
$3m; $40,000.
Nothing is being spent on software.
$5.0 million; $100,000.
$500,000 -- basically zero.
$500K and $25K for Focus.
$500k, 10%.
$600,000. One-quarter we expect.
$700,000 and $90,000.
$800,000 of which we spend approximately $20,000 on our tool.
1.0 million / $25k.
1.5M, 100K.
1.8 million, 0 spent on software.
Deloitte's Start database was free.
10% of overall budget.
2.0 million, 25,000.
300K DLLS, 20%.
70k out of 2M.
A small portion.
Approximately $1.5 million (approx $25,000 spent on software).
Approximately $80,000 for implementation of a process for SOX 302 that can leverage in to assist with a SOX 404 tool (i.e., TSA). However, most tools offered by companies such as E&Y and Paisley either offer minimal savings from a more manual process when it cannot be integrated in to the Audit Process as a whole.
Budget for external resources is $1.8 million and software was free with services.
Came with engagement.
Capital expense on software is $385,000.
Compliance budget is $300,000, not including the additional fees for SOX testing that will be paid to our external audit firm. The software portion was not significant.
Difficult to determine.
Less than $500,000 per year.
Less than 5%.
Minimal.
Negligible.
No budget for 2004; 2005 will need a budget. Deloitte software included with engagement.
No defined budget.
No fee - built into contract rates.
No firm budget.
No incremental spending.
No overall budget. Software around 55K.
No overall compliance budget, although I would estimate $1,000,000. Initial software costs are approximately $100,000.
No specific budget, doing as much work internally as possible; no plans to purchase software until a more mature tool available.
No specific budget. Added one auditor, compliance administrator.
Not budgeted separately.
Our budget is $700K - no software purchased.
Outside budget $400,000, 25% on software.
In-house budget roughly 7,000 hours overall - approx. $2M; software - approx. $25k.
Overall budget is "whatever it takes" but only 35k spent to purchase software with 2k annual maintenance thereafter.
Overall compliance budget $1,500,000. First year software costs $54,000 or 4%.
Overall -- $1.6 million excluding internal labor costs. Software -- $100K.
Software was paid for in 2003, approx. $35k.
This information is not yet available to the subsidiaries.
Under $1 million overall, under $100K for software.
Unknown; $20,000.
Using existing resources and $50,000 for consulting; software already owned.
We do not have a specific SOX budget. Our software cost will be about $350,000.
We only spent about $10K on the software (we were early to sign on with Protiviti and received some incentives). Monthly hosting charges are $1K for Portal and $1K for TSA (The Self Assessor).

Company revenue: $5B - $10B
$2 million of external consulting costs, of which $0 was for the software.
Based on spend, cost of software was built into cost for real of work.
750K; software 0.
Allowed all reasonable resources.
Budget - $450,000; software - $25,000.
Budget is really buried in multiple areas (404 project team, internal audit, process owners). Estimate total to be $5-7 million. $50k spent on software.
Do not know overall compliance budget, but software (and related equipment) costs are approx. $1.0 million.
Don't have an overall compliance budget; less than 1%.
No budget!
No budget. Software is about $150,000.
Software investment was minimal (less than 75,000 USD) - most of the compliance budget is going into additional testing by IA and a newly established 'Business Controls' function. Those increases will add over $2M per year to our previous $2M IA budget.

Company revenue: $10B - $40B
$1.5 for audit / $3,000 for Notes DB.
$30 million. Perhaps a few hundred thousand on software.
$7,000,000.00; $100,000.00 + internal development.
~$50K for the software.
1.7 million for 2004. Software - $5,000 for enhanced reporting.
Don't have a separate compliance budget within Internal Audit. We have hired two additional FTEs for SOX testing.
EUR 5 mio; 5%.
Exact amount still to be determined, estimated at $2 million with software tool at $100,000.
External cost only are approximately $4 million. Software costs will be covered in our 2005 capital plan, but we will spend what is necessary.
No overall compliance budget. No separate software budget given the bundled relationship with D&T.
No specific "compliance budget". Probably spending 300K on SW.
Software spending relatively immaterial (under $100k), and less than 10% of total SOX compliance budget.
Software will probably represent about 5% of initial compliance costs.
SOX compliance is pushed to the process owners and is not budgeted in aggregate. Software cost is very low relative to overall estimated costs.
Spending on software is less than 5% of total anticipated SOX 404 compliance spending for 2004.
There was no budget established as this is a "need to have" project.
Very small portion on the tool.
We do not have a compliance budget for 2004. We are in the process of developing one for 2005. Software will not be a large component of the budget as labor costs will be significant.
We have a Control Office who owns the tool and facilitates 404 work. They have a director, manager, 3 supervisors, 5 staff, 3 QA and 8 consultants. The budget is just the payroll; software cost was insignificant.

What type of 404 status reporting do you provide/review with your audit committee? How often does this occur?
Monthly general updates with more in-depth updates every few months. Quarterly updates. Full update on status at every meeting. Quarterly, the status report shows work from the phases completed and outstanding. project status; issues summary and past due follow up quarterly. Audit committee updated at every meeting (~ quarterly). Reports by cycle. update every meeting. Quarterly written and oral reports. Quarterly status update, with project status, key issues identified, any anticipated problem areas. N/A. One page summary of Key Messages plus recaps of Time and Spending. Presented quarterly. No formal discussion of individual gaps. Usually every meeting (6/year). Project update each audit Committee meeting. High level with list of needed improvements.

38
http://www.gain2.org

What type of 404 status reporting do you provide/review with your audit committee? How often does this occur?
Progress by business. Report at quarterly meetings. Status reports on progress of project vs. plan. 1/4 provide complete detailed update. Every meeting. None to date. Provide an overall timeline of the project as well as detail status with a particular phase i.e.documentation, testing. Every meeting. Where we are, issues, and upcoming activities and goals. Power Point presentation, 5 times per year. We must officially comply by Dec. 31, 2005. Internally, we are committed to comply by Dec. 31, 2004. The audit committee does not receive regular 404 Compliance updates at this time. 6 times a year, overview of status by area. quarterly status presentations to Audit Committee. Quarterly status report of activities and progress towards project schedule. We are just starting our compliance efforts. Initially, we were not moving down the path of compliance because we're a privately held company. However, recent regulation, specific to my industry has been published that mirrors SARBOX and, therefore, we're somewhat frantically trying to respond by the due date.

We report to the AC approx. every 2 months with updated info on SOX issues.
Monthly updates report and quarterly update at AC meeting.
Quarterly updates to reassure that we're on track.
Provide a report at 2 Audit Committee meetings per year.
Each Audit Committee meeting - 4 times p.a.
Overview provided quarterly.
Update status quarterly.
High-level quarterly meeting.
(1) An executive dashboard from the SOX software is used to provide a summary to the Committee. (2) We also use a simple timeline chart to review the status and timing of our overall SOX efforts. Quarterly.
Written and verbal reports on status and any other issues that may arise.
Quarterly, we update the Committee concerning our activities and results to date, our schedule to complete, and our plans to go beyond compliance and realize the value proposition.
High-level critical path and location status at the quarterly meetings.
Status reports by department/business cycle at each Audit Committee meeting (6x/year). We also provide monthly status reports to the CEO/CFO.

8 times per year.
Quarterly updates and one detailed reporting session.
Status update every in-person meeting.
% complete, issues & concerns. Update each scheduled meeting.
Quarterly report with examples of documentation as well as our updated schedule.
Status update on detailed timeline quarterly.
Quarterly high-level status report showing percentage of processes documented and tested. Annual summary of financial risks and controls.
Status updates provided quarterly.
High-level progress to date at every meeting.
Written reports semi-annually and verbal reports quarterly.
Every meeting ... 5-6 slides of a PowerPoint presentation.
We report to the Audit Committee quarterly on status.
Detailed report of progress at each Audit Committee meeting. More often when requested.
We provide a quarterly PowerPoint update to the Audit Committee.

Quarterly report summarizing scope, test results and key issues.
Audit Committee Chairman periodically sits in on our SOA Steering Committee meetings and we provide periodic reports to the whole Audit Committee on our progress.
Update current status, including % complete etc. We report quarterly.
None now since we are private.
Oral reporting supported with some PowerPoint slides. Reported at each Audit Committee meeting.
Quarterly updates.
We initially provided the Committee with a "PROJECT CALENDAR". This calendar is updated quarterly and reviewed with the Committee at the quarterly meeting.
Monthly status report: assessment completed and the result; testing completed and the result; implementation of action items; summary of top issues.
Readiness assessment based on internal audit testing underway. Ongoing reporting not defined.
Every meeting - customized reporting from our system.
Status update periodically.
Report of status and cost is provided to Audit Committee at each quarterly meeting.

Quarterly updates. We are creating a one-page dashboard showing progress toward key milestones. We decided to do this outside of the software due to how customized we wanted it.
Quarterly status report on project; will advise them on significant weaknesses if identified and of course any material weakness if any identified.
Gantt charts supported by PowerPoint presentations.
Quarterly project and issue status reporting.
Quarterly update by Controller at regular meeting, showing status versus target date to complete readiness phase (6/30/04); more detailed report will be presented in July with results of internal and external testing completed to date.
Quarterly. This will be the first regular presentation.
Quarterly presentations reflecting project status, upcoming deadlines, and challenges/issues.
Currently a high-level 404 project update every quarter.
Auditors kept updated on regular basis; quarterly and period meetings and teleconferences.
Status on project and findings quarterly.

Quarterly updates. PowerPoint presentations.
Quarterly.
Recap of issues in a quarterly report.
Quarterly.
Quarterly.
Monthly status reporting of documentation and testing progress and gap identification.
Audit reports and a matrix of significant deficiencies are covered at each quarterly meeting. Time and cost budgets are also reviewed quarterly.
High level, quarterly.
Breakdown by BU of the processes, testing completed/outstanding. Issues identified; green/yellow/red status.
Every meeting give update on project plan and open issues.
Quarterly project reporting.
Manual and oral presentation on a quarterly basis.
Reports showing status, responsibility, by reportable area. Quarterly.

None - we report up through corporate HQ and they report to the BOD.
Informal discussions at virtually every quarterly meeting. Formal presentation as needed.
Provide written report monthly.
Regular updates on progress/issues on a quarterly basis.
Update quarterly on status of documentation, walk-through and testing plan. Once testing is in place, will update quarterly (beginning in 9/04) on status of testing and findings.
Quarterly updates by location.
Quarterly status report - report completion by critical process.
1. Progress update against plan. 2. Resource constraints. 3. Presentation of results from each SOX process review.
We present updates quarterly.
Status/project completion update at least quarterly.
Quarterly presentation to management and the AC.
Monthly status reporting.
Quarterly with existing BOD meetings.
Overall status memo; quarterly.

They are getting quarterly updates on our progress and any issues that they need to be aware of.
Quarterly; review disclosure controls and progress towards 404 compliance.
Every two months, general update of status, plans, and problems.
Memo report with graphs.
Quarterly progress reports, although the frequency and depth of reporting will likely increase.
General project progress. 6-month interval at the moment.
We are starting to provide quarterly 302 certifications to periodically assess key controls over financial reporting that would be part and parcel of a larger 404 effort. We also are performing an assessment as required by 404. We are giving Management the opportunity to assess the results and determine what they feel is adequate. We will be complete after the 2nd quarter 2004 and will coordinate with the Parent Company's external auditor to determine the nature and extent of any follow-up testing between interim and year end.
IA is the principal assessor. Reports to Audit Committee include an audit plan (primarily driven by coverage vs. risk); progress against the plan; key control weaknesses identified by audit project; overall adequacy of control documentation, self-assessed control effectiveness, control adequacy to assure reliable financial reporting and safeguarding of assets.
Quarterly - manual report.

Quarterly progress reporting.
Risk Management - key risks but not 404 style or level of detail. Main reporting is to management. Infrequent general updates to ACOB.
Quarterly.
Quarterly narrative on progress.
Summary status reports at every quarterly AC meeting.
Yearly.
Quarterly detailed report.
Broad overviews, including statistics, heat maps, etc. Present at each Audit Committee meeting - typically every other month.
Exceptions.
Status update of progress against plan provided at each meeting throughout this fiscal year.
High-level summaries. Every three months.
Regular updates at each Audit Committee meeting. Committee meets 5 times per year. Updates on training, areas and locations to be tested, gap identification and remediation approach.

We present a high-level overview of what we have accomplished and what we have yet to accomplish, and a timeline as to when it will be accomplished. Details are provided to answer specific questions only. This is a part of every formal Audit Committee meeting, 6 times a year (quarterly plus 2 special meetings).
Monthly status reports to the Audit Committee. Presentations with questions and answers.
Update by CFO quarterly.
Provide quarterly status reports to Steering Committee as well as Audit Committee.
Percent of plan complete by control center and status of remediation items shared monthly.
Not here yet.
Progress report including issues identified.
Progress report including issues identified. Quarterly.
Discussed 404 topic at each meeting; will do presentation in June and one at year end on status at this point. Currently monthly due to late start.
Basic status report at each meeting - roughly every other month.

Status of implementation - progress against plan: completed, open, past due. Status of action plans: completed, open, past due.
Needs to be determined.
At each meeting (at least quarterly) now. Will evolve to probably twice a year.
Quarterly updates.
Update at each quarterly meeting. PowerPoint including scope, execution completion, gaps, corrective action status.
Every time we meet with the committee, at least once a quarter.
Monthly reporting.
Oral reports = monthly; written reports every 3 months.
Project status reporting is being carried out at each meeting (quarterly). Status reporting once project is complete not yet determined.
SOX reporting is done quarterly. We review status and go over gap remediation.
Progress against plan, issues identified, forecast for full completion. Occurs at every meeting (four per year).

1) Annual: a written management report and, if requested, additionally verbal. 2) Occasionally: if there are relevant findings.
Quarterly overview by cycle. Reporting the % of compliance and any material control weaknesses identified during testing.
Quarterly an update on the project, since Internal Audit is now managing the documentation phase.
Each quarter Excel sheets shared.
Audit Committee has not requested 404 status reporting.
We use a Gantt chart to monitor progress. The chart is updated at least monthly.

Additional questions or topics regarding this survey:


Concern that testing requirements may get out of hand. Still a lot of unanswered questions and expectations.
This is quite a large undertaking and has created a life of its own. Because this has been interpreted so broadly, the worldwide cost of compliance (see, it is not well defined at the moment) doesn't seem to justify the worldwide risk.
I would also ask if consultants are involved in the implementation process, or if the process is handled internally.
Will the SOX 404 testing process be completed only by Internal Audit? Or will a substantial amount of testing be completed by internal subject experts outside of Internal Audit? Another question: how frequently will testing be performed? (i.e., quarterly from now on? Semi-annually? Annually?)
Interesting, all these SOX surveys, but it would be more interesting to know why international groups (non-US based) do not adopt similar SOX systems. The real question in my opinion is: are the holes in US GAAP and GAAS patched up adequately through SOX compliance? While compliance is a legal obligation for US-based corporations, the aim of this law is to avoid future Enrons etc., or not? SOX is another piece of regulation in an already overcrowded rules-based environment. Is anyone really intellectually capable of comprehending and applying all this (not just SOX)? Of course a great business for consultants and lawyers, but is that the purpose? Should rules-based US GAAP be replaced by a substance-over-form GAAP approach? Could a substance-over-form rule set hold out against the very claims/legalistic-oriented society, or should an overhaul of the legal system be considered?

Section 302 (on-going) compliance is the larger challenge.
We are in the process of identifying a vendor to provide a SOX solution.
We are a private company but will address Sarbanes-Oxley requirements and implement a program to achieve compliance by the end of 2005.
In the process of choosing a solution.
We will be developing our own internal tool as we begin to transition the maintenance of the documentation and the testing to operating unit management after the initial year.
(1) Is it possible to have the SEC/PCAOB "certify" which software they recommend would meet their requirements? (2) Is the software flexible enough to modify for unforeseen or additional requirements?
Please create a survey on testing for SOX 404. Based on my contacts, companies are all over the board on how they will perform testing. Problem is not all externals have committed to clients what they will require.
Compliance date 5/31/05 - still developing plans.
1. Is your audit department considering establishing a compliance group within the IA function? 2. Have you added additional staff or FTEs to meet SOX testing for this year and beyond?

Available software tries to push Sarbanes-Oxley compliance into a solution developed for other problems. Products are not yet mature.
It would be interesting to know what the plans are for who will make updates to tools to keep controls documentation current -- internal audit responsibility or the business owners of the controls?
What still remains unclear is demonstrating that Management really owns the internal control environment and the actions or inactions are at their discretion, NOT Internal Audit's.
The KPMG and PwC tools have been sold to IBM and OpenPages, respectively. I will be interested in knowing what your survey conclusions are regarding use of tool, and relative merits.
Using Microsoft Visio and Word documents to capture 404 process activities, risks, controls and testing results.
Our long-term strategy will be based on if the FDIC adopts Section 404.
We have taken the approach to work last year and this year on building quality into our structure, approach, checklists, testing, etc. and then automate, rather than having any automated tool drive the process.
Looking to select the cheapest product with general reporting capabilities and easy import/export functionality, because I am guessing that these products will change after year one of SOX and would rather wait until a clear leader emerges.

Title of Survey Respondent

Item                              Count      %
Manager, Internal Audit               3    1.2%
VP - Internal Audit                   3    1.2%
Director, Audit Services              5    2.0%
Vice President, Internal Audit        4    1.6%
Director of Internal Audit           12    4.9%
(Not Answered)                       44   18.0%
Director of Audit                     2    0.8%
Director Internal Audit               6    2.5%
Director, Internal Audit             14    5.7%
General Auditor                       5    2.0%
VP, Internal Audit                    2    0.8%
Audit Manager                         2    0.8%
Director Audit                        2    0.8%
VP Internal Audit                    11    4.5%
Chief Auditor                         3    1.2%
Director-Internal Audit               2    0.8%
Director of Auditing                  3    1.2%
Audit Director                        3    1.2%
Director                              3    1.2%
Internal Audit Director               5    2.0%
SVP - Internal Audit                  2    0.8%
Chief Internal Auditor                3    1.2%
(Unique responses)                  105   43.0%
(Total)                             244  100.0%

Country Respondent Resides in

Item                 Count      %
USA                    214   87.7%
(Not Answered)           7    2.9%
FRANCE                   2    0.8%
CANADA                   5    2.0%
AUSTRALIA                2    0.8%
GBR                      3    1.2%
(Unique responses)      11    4.5%
(Total)                244  100.0%

Industry

Item                                 Count      %
Utilities                               26   10.7%
Manufacturing                           48   19.7%
Banking                                 13    5.3%
Insurance                               19    7.8%
Transportation                           7    2.9%
Chemical, Drug                           7    2.9%
Services                                13    5.3%
Computer                                10    4.1%
High Technology                         16    6.6%
Consumer Products                        8    3.3%
Telecommunications                       7    2.9%
(Not Answered)                          10    4.1%
Retail, Wholesale                       28   11.5%
Health Care                              6    2.5%
Other                                    4    1.6%
Finance, Real Estate                     9    3.7%
Agriculture, Construction, Mining        4    1.6%
Nonprofit                                3    1.2%
Government                               3    1.2%
(Unique responses)                       3    1.2%
Total                                  244  100.0%

Public listed exchange company?

[Bar chart: Percent of respondents, Yes vs. No; bar values are not recoverable from the page.]