Sarbanes Oxley Internal Controls documentation - How Much is Enough?
The Sarbanes Oxley statute stresses documentation of internal controls. However, I have seen organizations getting too bogged down trying to document everything. From entity policy documents, IT policies and procedures, flowcharts, and procedural write-ups to questionnaires, organizations generate a lot of documentation. The amount of documentation required depends a lot on the size and complexity of the organization. In a recent international conference on Sarbanes Oxley, a member of the audience posed a question: "How much documentation is required for Sarbanes Oxley?" I chose to answer the question by describing the minimum level of documentation which organizations should ideally prepare. My answer was somewhat like this:
1. At the company level, documentation should include a statement of control which asserts the design and continued existence of a set of controls.
2. At a detailed activity level, an organization should ideally document the following:
- All processes and sub-processes, with a process document describing the process as well as a flowchart depicting the process in a graphical manner.
- The risks within the process, along with the impact and probability of occurrence of each identified risk.
- Apart from the above, organizations should document the controls intended to mitigate the risks to an acceptable level. These are normally controls mapped to COSO's control objectives.
- Control activities which satisfy the control objectives should be documented. This should include how the control activities will be tested for design and operational effectiveness of controls.
- Lastly, documentation should be available to determine the impact of the tested controls over the organization's financial reporting process.