All about software

Wednesday, April 27, 2005

Sox Analysis

Software Analysis
In this article I analyze a business requirement that eventually translates into technical specs. Though the analysis is debatable, focus on how I try to identify the entities and relationships; this is the key to software analysis. I tried to follow the principles laid out by Grady Booch and James Rumbaugh.

This article might be handy for new entrants to business analysis.

For my case study I have chosen a relatively hot topic, Section 404 of the Sarbanes-Oxley Act. I copied the SEC specs verbatim from the SEC site.
Though this is not the entire SOX spec, I thought it a relatively simple place to start.

SEC specification
Section 404 of the Act directs the Commission to adopt rules requiring each annual report of a company, other than a registered investment company, to contain (1) a statement of management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) management's assessment, as of the end of the company's most recent fiscal year, of the effectiveness of the company's internal control structure and procedures for financial reporting.

Section 404 also requires the company's auditor to attest to, and report on management's assessment of the effectiveness of the company's internal controls and procedures for financial reporting in accordance with standards established by the Public Company Accounting Oversight Board.


Analysis 1

Financial statement is an entity
Control is an entity
A FS has controls

SEC specification
Under the final rules, management's annual internal control report will have to contain:
a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company;

a statement identifying the framework used by management to evaluate the effectiveness of this internal control;

management's assessment of the effectiveness of this internal control as of the end of the company's most recent fiscal year; and

a statement that its auditor has issued an attestation report on management's assessment.


Analysis 2
The above points become attributes of the entity "Control". The attributes are:
Control Statement responsibility
Control Statement framework
Control Statement effectiveness
Control Statement assessment



SEC specification
Under the new rules, management must disclose any material weakness and will be unable to conclude that the company's internal control over financial reporting is effective if there are one or more material weaknesses in such control.

Analysis 3
Weakness - A candidate for being an entity
A Control can have weaknesses - One to many
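
Analyses 1 to 3 written out as tables, as an added example that is not part of the original article. It is T-SQL for SQL Server 2008 or later, and every table, column and view name is an illustrative assumption. Effectiveness is derived from the weaknesses rather than stored, so that a single material weakness blocks the "effective" conclusion the SEC text describes.

```sql
-- Added example: all table, column and view names are illustrative assumptions.
CREATE TABLE FinancialStatement (
    FsId          int IDENTITY(1,1) PRIMARY KEY,
    FiscalYearEnd date NOT NULL
);
-- Analysis 1 and 2: an FS has controls; the statements are attributes of Control.
CREATE TABLE Control (
    ControlId               int IDENTITY(1,1) PRIMARY KEY,
    FsId                    int NOT NULL REFERENCES FinancialStatement(FsId),
    StatementResponsibility varchar(500) NOT NULL,
    StatementFramework      varchar(500) NOT NULL,
    StatementAssessment     varchar(500) NOT NULL
);
-- Analysis 3: a Control can have many weaknesses (one to many).
CREATE TABLE Weakness (
    WeaknessId  int IDENTITY(1,1) PRIMARY KEY,
    ControlId   int NOT NULL REFERENCES Control(ControlId),
    Description varchar(500) NOT NULL,
    IsMaterial  bit NOT NULL DEFAULT 0
);
GO
-- Effectiveness is derived, not typed in: one material weakness blocks the conclusion.
CREATE VIEW ControlEffectiveness AS
SELECT c.ControlId,
       SUM(CASE WHEN w.IsMaterial = 1 THEN 1 ELSE 0 END) AS MaterialWeaknesses,
       CASE WHEN SUM(CASE WHEN w.IsMaterial = 1 THEN 1 ELSE 0 END) = 0
            THEN 'may conclude effective'
            ELSE 'cannot conclude effective' END AS Conclusion
FROM Control c
LEFT JOIN Weakness w ON w.ControlId = c.ControlId
GROUP BY c.ControlId;
GO
-- Constructed sample data (identity values start at 1 on fresh tables).
INSERT INTO FinancialStatement (FiscalYearEnd) VALUES ('2004-12-31');
INSERT INTO Control (FsId, StatementResponsibility, StatementFramework, StatementAssessment)
VALUES (1, 'Management owns access control', 'Sample framework', 'Assessed at year end'),
       (1, 'Management owns reconciliation', 'Sample framework', 'Assessed at year end');
INSERT INTO Weakness (ControlId, Description, IsMaterial)
VALUES (1, 'Shared administrator login', 1),
       (2, 'Late sign-off on one reconciliation', 0);

SELECT ControlId, MaterialWeaknesses, Conclusion
FROM ControlEffectiveness ORDER BY ControlId;
```
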

SEC specification

Furthermore, the framework on which management's evaluation is based will have to be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment.

Analysis 4
This means that the control identified should have some authenticity and cannot be some arbitrary control. Taking a more common example (not related to auditing), the control can be something like "Alphanumeric passwords for login".

From the software analysis side this might not mean anything, because a control an auditor enters into the application might already have undergone such a process. Another attribute can be added which describes this process.

The attribute can be: Control Procedure
(I later identified this as a separate entity. It is OK to list all the nouns and verbs which could possibly become relationships, entities or attributes and filter them out later.)


The following is a lot of information to comprehend, but if you read it carefully it translates into the relationships I have identified in Analysis 5.


SEC specification
The new rules implementing Section 404 of the Act will define the term "internal control over financial reporting" to mean
a process designed by, or under the supervision of, the registrant's principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that
pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant;

provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant; and

provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant's assets that could have a material effect on the financial statements.


Analysis 5
A Financial Statement (FS) can have policies and procedures.
So, policies and procedures become candidates for entities.
Each FS is related to one or more policies.
Each FS is related to one or more procedures.
Each FS has one or more receipts.
Each FS has one or more expenditures.
Each FS has one or more asset transactions.
Each FS has one or more asset dispositions.

The receipts, expenditures, asset transactions and asset dispositions an FS has can have one or more material effects.

The receipts, expenditures, asset transactions and asset dispositions an FS has may or may not be related to the policies and procedures of the FS.

Auditors might incorporate policies and procedures in such a way that each receipt, expenditure, asset transaction and asset disposition is related to at least one policy and/or procedure.


SEC specification

The Commission also voted to adopt amendments requiring companies to perform quarterly evaluations of changes that have materially affected or are reasonably likely to materially affect the company's internal control over financial reporting.

Analysis 6
Each material effect has an evaluation


OK, let's pause here. This can be considered step 1 in the process of analysis. I will soon be posting articles on this site to show the entire process until we come up with an entity relationship model. If you get the ER right, you are on your way to becoming a guru of software analysis.

Note: The above article is intended only to aid software analysis in general and does not claim accuracy in actual SOX analysis. The author has experience in building audit applications and is a certified Microsoft professional.

Tuesday, April 26, 2005

Loop without Cursors

Everyone talks about avoiding cursors. The simplest possible way to do this is shown below.

Before you look at the example, here is what I am aiming at:
I have a students' grades table. I need a set of rows from this table which meets certain criteria, in this case students whose grade is C.
After I get the set of rows I want to loop through it.
Though this is not a great reason to loop through a table, the basic aim is achieved in the following stored procedure, i.e. traversing the table in a simple way without the need for cursors.

-- Note: SQL Server treats the sp_ prefix as marking system procedures;
-- pick a different prefix for your own procedures in real code.
Create proc sp_looptable

as
-- @temptable is the table variable which holds the result set.
-- Note that I used a PrimaryKey field which is set to autoincrement by 1 for each
-- insert

declare @temptable table(PrimaryKey int IDENTITY (1, 1) NOT NULL, SSN int)

-- rCount is a variable which is the number of rows in the table we need to loop
declare @rCount int

-- value to store the SSN read from the table variable
declare @tempSSN int

-- Insert values into the table variable. Fk_SSN is the foreign key
-- in the students' grades table
Insert Into @temptable
Select Fk_SSN From TblStudentGrades where Grade = 'C'

-- rCount holds the number of rows inserted, which is also the highest PrimaryKey
SET @rCount = @@ROWCOUNT

-- loop through the table, from the last row inserted down to the first
While @rCount <> 0
Begin
    -- Here, you can retrieve the values from the table variable
    select @tempSSN = SSN From @temptable where PrimaryKey = @rCount

    Set @rCount = @rCount - 1
End
