Key Controls by Major Cycle 2010



  • If anyone who has successfully completed the SOX exercise has feedback to share about the number of key controls identified/tested per cycle, that would be great.
    I realize that the number of key controls varies based on the industry classification, company size and centralization/decentralization, complexity, automated/manual controls, etc. However, as a high level reality check, this information would be helpful to me.
    Thanks,
    Milan

    Corp. Governance Process:
    Cycle No. of Key Controls
    Procure-to-Pay
    Order-to-Cash
    Hire-to-Pay
    Fixed Assets
    Treasury
    General Accounting
    Financial Reporting
    Tax
    Legal
    Information Technology:
    IT Governance
    ITGC
    Change Mgt.
    Security/Access
    SDLC



  • Milan,
    KPMG advised us that there should generally be about 10/15 controls per process, but that the number may vary upwards or downwards depending on the complexity of the process and the risk of error/misstatement.



  • I’d agree with that ballpark. We generally came out amongst the top end of that range but also found that a number of the controls spanned different processes thus our final average was just under 11 key controls per process.



  • Hi,
    Thank you for sharing your experiences and feedback. This information was quite helpful to me and maybe to other SOX professionals too.
    I recently heard from a qualified consultant in whom I have some confidence that companies of a similar size and complexity have about 100-120 total key controls. This number includes the SOX IT controls (20-25 key controls).
    Again, thank you for your thoughts and it would be a pleasure to return the favor at any time. So please do not hesitate to ask.
    Kind Regards,
    Milan



  • Milan,
    KPMG advised us that there should generally be about 10/15 controls per process, but that the number may vary upwards or downwards depending on the complexity of the process and the risk of error/misstatement.
    As a rule of thumb this won’t be too far off the mark - though ultimately it is completely meaningless. A cycle will have as many key controls as are required to meet all of the control risks in that process.



  • Denis,
    Thanks also for your feedback. I recently completed an exercise to critically assess the key controls for a cycle and the number was within the range (10 to 15 key controls per process).
    Again, thank you for sharing the rule of thumb. It was also helpful and confirmation that the assessment recently completed was reasonable.
    Milan



  • As we go through our controls optimization review, we are finding that we have 2-3 company-level controls, 2-3 system controls and 3-5 process-level controls for each significant process. Testing of the company-level controls will cover all applicable processes, leaving 5-7 system and process-level controls to test for each process.



  • Mike,
    Thanks also. I am continually impressed with the useful feedback and openness by which key learnings and Best Practices are shared among the group.
    Milan



  • Hi guys,
    Having 10-15 key controls per process sounds about right to me too. But the problem we’re having is trying to narrow down our list of processes.
    We bought a piece of software that was supposed to help us pare our list down, but we’re still over 130 processes. That number sounds too high to me, especially considering we’re a small to mid-sized non-accelerated filer with a relatively flat organizational structure.
    Can anyone share their experiences in this regard?
    Thanks. Albie



  • Every business is different, so there is no one-size-fits-all answer. If you want to let us know what industry you are in and maybe post a list of the processes that you are considering, then maybe we can help you whittle them down to a manageable set to work with.
    What approach have you taken to identify your business processes? Have you tried mapping your external accounts to processes? What worked best for us was to identify who was responsible for all account reconciliations, and then use that as a starting point for mapping of accounts to processes. From there, you need to understand where information comes from and how it is analyzed and recorded to see if you need to include any other processes.
    For most businesses you will have the following major processes -
    Revenue (cash, sales, inventory-retail)
    Accounts receivable (AR, AFDA)
    Payroll
    Accounts payable
    Fixed Assets (Capital spend, depreciation, impairment, acquisitions / divestitures)
    Tax (income, sales, property)
    Treasury
    Financial applications (user-side)
    Purchasing
    Inventory-Mfg (inventory, WIP, COGS)
    Financial close (judgmental reserves)
    External reporting
    Human resources (benefits)
    Some of these areas may not be material to you or have higher-level controls that operate at a precision that will detect material errors. We have a very robust financial close process and review of retail margins and G-and-A comparing to forecast and prior year. We have high inventory turn, so we spend very little time on inventory as we know what average levels are maintained in our retail locations. We have no credit sales that we finance, so we spend very little resources on the revenue cycle other than ensuring that sales match to cash receipts.
    My goal is to work toward where we have the following controls in each process that we rely on -
    SOD
    System access
    Spreadsheets (critical calculations only); this would also cover judgmental reserves
    Account reconciliations
    Financial close (robust analysis of BS changes and variances of actual results to forecast and prior year)
    Specific high-risk transactions / reserves
    I see transactions as low-risk and hope to be able to justify the higher-level reviews to cover off on any significant miss at the transaction level.



  • Does anyone know in which process the ability to approve who will sign for the company (like an attorney or treasury manager who opens a bank account) should belong? Should we have a separate process for controlling all procurators?



  • I would recommend that you create an authorization matrix that notes who is authorized to approve cash disbursements, sign contracts, open bank accounts, authorize capital spending, authorize new debt, etc.
    This matrix should then be communicated to all employees who might have involvement in any of the affected processes.
    Opening bank accounts generally resides within the Treasury function in most companies.



  • Thanks for the reply - I agree with you, but we are facing some difficulty finding someone to sign for the control. Who should be responsible for the preparation and the communication of the matrix?



  • Our matrix was prepared by our Legal department after consulting with the Finance and Operations teams. You will want to prepare a proposed policy and give each area impacted a chance to provide feedback. Your final policy will be a compromise between very tight controls and low operational impact. Signing levels are a judgment call for each company based on impact to the business and level of risk that you are willing to assume.

