
Wednesday, February 06, 2008

Risk-Based SOX Implementation - Deloitte Gets Succinct on SOX

For so many companies, internal discussions have largely gotten past SOX compliance to a point of business as usual.

What I do appreciate, however, is that good, clear guidance continues to be developed. For those many professionals that have moved on to new challenges, the issue now becomes one of implementing the familiar COSO framework in a new organization.

Deloitte continues to put forth webcasts and whitepapers, the most recent to hit my inbox being "Sarbanes-Oxley Section 404 for Non-Accelerated Filers: Applying a Top-Down, Risk-Based Approach", a white paper just released in January.

High marks for shifting a very clear emphasis to entity controls, but also helping readers understand what makes for an effective entity level control.

Certain standards should be met in order to rely on direct and precise entity-level controls: the control must be relevant to the risk (relevance); must operate with enough regularity to enable the timely prevention or detection of misstatements (frequency); must operate at a precise level of detail to adequately address the risk of misstatement (precision); and should be performed by qualified and objective individuals (competence).

My minor complaint on this guidance would be the limited discussion of risk-ranking, which I think is a very key discussion to getting alignment with internal management and key stakeholders. SAS109 sets a very clear expectation for management to understand and be capable of explaining their business in the context of industry - a challenge that many small businesses may not be prepared to address. I think this is a critical discussion from both a financing and competitive positioning view; in a world of rapid acquisition, partnerships that look much like mergers, and reporting requirements that beg very technical considerations of business interactions, the risk-ranking and regular management reporting of exposure is too critical to brush by.

Being able to address business risks and not just financial reporting risks is arguably beyond the scope of an implementation brief, but an important consideration as organizations begin to consider operating under less prescriptive reporting practices. Escalating such discussions, and monitoring accountability for managing risk, remains a management challenge for businesses of all sizes, public, private and non-profit.

That said, at 16 pages this whitepaper is a very reasonable primer to orient management teams, and should prove useful for articulating the importance to those outside the traditional sphere of audit impact.
