Key Control Guidelines 1421



  • Key Control Guidelines
    We are fairly new to SOX and jumped right in minus appropriate training, etc., We are now realizing that there are quite a few points of focus that we listed as being a key control, that may or may not be a key control. I am asking everyone to review their key controls to determine if in fact they are. I would like to send them a list of guidelines if you will, on how to make the decision on whether or not a control is key or not. Thank you in advance. :?



  • See the previous Forum discussion at:
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums-and-file=viewtopic-and-p=4037-and-highlight=#4037
    AS2, Audit Standard No. 2 addresses important controls that should be tested to comply with SOX. It provides significant guidance about other information that might be helpful in making a decision to determine if a control is considered a ‘key control’ for SOX purposes and should be tested.
    AS2:
    http://www.pcaobus.org/Rules/Rules_of_the_Board/Auditing_Standard_2.pdf
    Characteristics of a Key Control
    Factors management should consider in determining which controls to test include:
    The magnitude of the potential misstatement that could result from failure of the control
    The likelihood that failure of the control could result in a misstatement
    The degree to which other controls, if effective, achieve the same control objective
    Controls to be tested include:
    Controls over initiating, recording, processing, reconciling, and reporting significant account balances, classes of transactions and disclosures, and related assertions embodied in the financial statements
    Controls over the selection and application of accounting policies in conformity with GAAP
    Controls related to the prevention, identification, and detection of fraud
    Controls on which other significant controls are dependent (includes IT controls e.g. information security, program change control, computer operations)
    Each significant control in a group of controls that functions together to achieve a control objective
    Controls over significant non-routine and non-systematic transactions (such as accounts involving judgment
    estimates)
    Controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; to initiate, record, and process journal entries in the general ledger; and to record recurring and nonrecurring adjustments to the financial statements (e.g., consolidating adjustments, report combinations,
    reclassifications)
    Regards,
    milan



  • Hi - This thread might be worthwhile to review as a starting point. In particular, Milan’s post defines some of the standards related to controls:
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums-and-file=viewtopic-and-t=1390
    The backend accounting systems that provide SEC reporting information are obvious candidates. As noted in the thread above there are also ‘indirect’ system relationships, where front-end customer service systems will feed the backend accounting applications. It’s important to have a comprehensive approach from front-to-back. So when in doubt, it’s better to ‘include’ than ‘exclude’
    Your work might actually be right on track, as you’ve most likely developed an overall inventory of your business systems and potential control points. Hopefully it’s mostly fine tuning for you all in the days ahead.



  • I really appreciate the feedback and help that both of you offered. Thank you so much, this is exactly what I was looking for. Yes, we did inventory our system and it is a matter of fine tuning. We are almost 1 year into our ISO 9001:2000 certification which helped speed up this initiative.


Log in to reply