This document includes two sample reports that can be used to communicate the results of a Sarbanes-Oxley Section 404 review and improve an organization’s internal control structure.
In these samples, testing involved activities such as documenting responsibilities for security administration at the operating system, database and application levels for all in-scope applications; completing a gap assessment of responsibilities that conflict with the standard; and working with the application owners and information technology to realign security responsibilities where necessary. The following observations were noted as a result of testing:
- Prioritization is processed adequately and appropriately per internal audit.
- The project team employed innovative techniques to defining the scope and assessing the risk.
- A fraud assessment is completed at the entity level and the process transaction control level.
- Internal audit is regularly included in project scoping decisions.