Internal Audit Handbook（2007）C8-SOX Audits.pdfVIP

Examples from Audit Practice at SAP C | 8 SOX Audits 8 SOX Audits Key PO intS ••• • There are three types of SOX audits: audits of the implementation of SOX in each of the company’s units, audits of the quality of SOX work undertaken locally, and audits of various SOX-related process groups, processes, and control sys- tems. • Preparation for a SOX audit for process groups is of crucial importance and should include the following steps: review of the available documentation re- garding the processes to be audited, review of the results of design assessments and testing procedures, and discussion of issues with the local SOX champion and the central SOX team. • The execution of the SOX audit for process groups includes reviews of design assessment tests, control effectiveness tests, and of the existing flowcharts. • Auditors must ensure that the population and any samples have originated in the current fiscal year. Samples taken from the previous year cannot prove that the controls are effective at the time of the audit. • Auditors must document the sampling method so that the audit can be reper- formed. SOX audits focus on section 404 of the Sarbanes-Oxley Act (Management Assess- iintroductionntroduction ment of Internal Controls). This section requires that management provide an assessment of the effectiveness of internal controls as part of the annual financial reporting process. With regard to section SOX 404, there are three possible types of audit that Internal Audit may perform (for details, see Section D, Chapter 14): • audits of the implementation of SOX 404 in the company’s entities (loca