Must key controls be Documented in Process Narrative?



  • Risk control matrices (RCM) have previously been developed for various processes and include key controls and other pertinent info. However, the business process narratives (developed before SOX project) did not specifically label the control activity as a key control. My position is that it should be done so that the key controls listed in the RCM could be easily tied back to the narrative. I suspect that there is no official guidance on this. What is the general practice out there?



  • We are including our controls in our narratives, but the classification as primary or secondary is only noted in our controls matrix. Mitigating controls would be noted as such in our narratives if the primary controls were not designed effectively.



  • My observation in various audits (different clients and with all Big4): client management and auditors have more of a tendency to depend on the RCM to identify the key controls. However, it is essential that the narratives and process flow documents are accurate and up to date.
    While narratives and process flows are a very important part of the Sarbanes documentation, keep in mind that the detailed review of risk assessment, control inventory, classification of controls (primary vs. secondary, automated vs. manual, frequency, etc.), development of test plans, sample sizes, actual testing, exception reports, management reviews, external audit management review - all begins with sound RCMs for each process area.
    In ideal scenarios, I have seen narratives that are tightly integrated with RCMs. Control ID numbers from RCMs were referenced within the narratives/process flows.
    If your time and budget permit, I suggest that you go back to the narratives and fix them as well to reflect the key controls.



  • Of course, there is no prescribed solution on this and you can do things in a way that makes sense for your organisation.
    It is perfectly acceptable for your process documentation to encompass several items, e.g. flowchart plus narrative plus risk and controls matrix, just so long as you can demonstrate that you’ve met your financial statement assertions and your auditors can follow the documents.



  • My position is that it should be done so that the key controls listed in the RCM could be easily tied back to the narrative. I suspect that there is no official guidance on this. What is the general practice out there?
    We’ve tried to tie as much information as possible together, to make it easier to get the general overview of the process.

