Gaps in controls that are formally out of scope for SOX
-
How to deal with discovered gaps in controls for organization activities that are out of scope for SOX? Please help.
-
You should decide what is an appropriate response based on risk of loss versus time and cost to fix.
-
Denis makes a great point, as it’s all about the likelihood and impact of risks associated with non-SOX controls (a.k.a. ‘Frequency and Severity’). Risk Management should be conducted on an ongoing basis, as business and technology are constantly changing.
Maybe some of these ideas will help:
- SOX controls must take precedence unless there is something paramount that needs correction in conjunction with the SOX requirements.
- Where you can use SOX controls to tie in with non-SOX areas that need strengthening, that’s always beneficial. For example, it’s better to employ IT controls as a whole to everything, whether it’s a financial system or not. This way folks don’t have to learn multiple approaches and everyone is singing out of one song book.
- In addition to the Frequency and Severity analysis, each area of risk must be assessed from a ‘Cost v. Benefits’ viewpoint. Is it worth the additional costs to cover these gaps in controls?
- Develop a Project Plan for the undertaking and gain management approval and backing before starting. A good planning effort might stimulate some efficient and cost-effective ideas for handling the area of exposure.
- Measure your results after implementation of the controls to ensure they are closing the gap as you envisioned.
-
Hi,
It might be a good idea to categorize the identified control gaps as ‘SOX’ and ‘Non-SOX’. As suggested by others, you can prioritize the control gaps based on risk (3-category approach: High, Moderate, Low) considerations.
If resources permit, you can address the high-risk ‘non-SOX’ control gaps after addressing the moderate SOX control gaps. You can defer remediation efforts related to the low-risk SOX control gaps and consider them as a group with any compensating controls, so that you can consider the total risk in the aggregate for SOX purposes.
Hope this further helps,
Milan
-
Agree with Milan; sounds like the same approach we’re using at the moment.