From: James Clendenen
Sent: February 22, 2006
Subject: File No. 4-511

Thank you very much for setting a date for the Sarbanes-Oxley roundtable on May 10, 2006 to solicit feedback from the different constituent groups. I have provided Sarbanes-Oxley services to my clients for the past 3 years as well as participated in the compliance for our own company which is public.

My comments focus around the IT Controls. It seems that the extent and nature of the scope, documentation and testing continues to evolve. There is no clear framework that companies should follow. Any of the exising frameworks are generally useless unless the company is very large (over one billion in revenue). For my clients and for our company, we have had to significantly rework the IT controls including application controls because a new interpretation has been published or circulated. For small to medium size companies, there is no clear consensus of what are the right IT processes to include in the scope. It seems to make no sense to document (IT Operations as defined by CoBiT) when the company does not have a nightly production schedule. Many newer companies utilize real time server capability so the "old school" of production batch jobs is not applicable.

Auditors are starting to focus more on IT controls and application controls in year two. That is good because the lack of strong IT controls can make the company more prone to significant deficiencies or material weaknessess. However, it is bad because companies were led to believe that the documentation in year one was sufficient. Now they are being told by auditors that the documentation must be strengthened and companies have less time and manpower to accomplish this. Many of my clients have expressed frustration regarding the change in scope from their auditors. I understand that in year one, there was not that much focus on IT controls, but in year two, I believe the following should be considered:

1) Adopting a framework that all companies can use;
2) Developing a standard set of IT processes that auditors would use to evaluate controls;
3) Developing clearer definitions of application controls.

These suggestions would allow companies to get the IT controls and application controls to a common level despite differences in complexity, size, geography, industry or diversification.


James Clendenen
Director - SOX
Answerthink, Inc