September 8, 2006
Comments on File No. S7-11-06
Concept Release Concerning Management's Reports on Internal Control Over Financial Reporting
The extent of IT testing performed in compliance with SOX 404 requirements is overwhelming. While numerous IT systems and applications handle a myriad of transactions that directly or indirectly impact the accuracy of financial reporting, there is no directed focus or prioritization given to such testing. Instead of an all-encompassing approach, we recommend that the emphasis should be placed on controls: (i) covering the principal applications that capture accounting and financial transactions and (ii) surrounding the data interface between auxiliary systems.
Also, external auditors should: (i) attest annually to the effectiveness of general computer and application controls of IT applications that impact most significantly the financial reporting cycle, and (ii) perform rotational (i.e., every two to three years) attestation to other IT applications that are linked to the general ledger and sub-ledger systems.
Sincerely,
Lora Ho
Vice President and CFO
Taiwan Semiconductor Manufacturing Company, Ltd.