Identifying Key Controls in Work Instructions/Flowcharts

  • The auditor implementing SOX for our company states that the section number of where the Key Control info is located in our documentation must be entered in the database that houses all control/risk info, along with listing the section numbers for the controls in the actual flowcharts and work instructions. Example: the control is outlined in section 9.3.4 of work instruction 15.3.1. They want this section number listed in the documentation. We can understand the requirement for this information to be in the database, but question if it must be in the documentation as well. By using the information outlined in the database, the auditor would be given a report outlining what work instruction/procedure had the control in it. They would know right where to go to audit us in that process.
    They state this is required, but we’ve heard that not all auditing houses require it in the documentation - only in the database. Any information would be greatly appreciated.

  • The auditor implementing SOX for our company

  • If it’s not the same company that is doing the final auditing, I see no problem hiring an auditor to help kick off the process.

  • Two things:

    1. ‘Implementation’ of SOX should be down to management; that responsibility cannot be delegated or outsourced.
    2. If the Accounting Firm assisting you is not your auditor, then it is not the auditor doing the implementation, is it?

  • We’ll assume you’re calling this person an ‘auditor’ but in fact they are a consultant. If you’re hiring this consultant to help with your SOX documentation, then you’re probably paying them well and the consultant’s ‘suggestions’ should be taken as just that, a suggestion. If it provides usefulness to the documentation and will increase the ease with which a 3rd party (your auditor) will be able to review and understand the information, then take it as a serious suggestion and consider using it.

  • ‘Auditor’ likely refers to a public accounting firm who is consulting with the company to implement SOX.
    SOX does not require any specific form of documentation or related cross-referencing of that documentation. That said, however, organization of your documentation will be one factor that feeds into how your external auditor views management’s thoroughness of documenting its understanding of processes and controls.
    The easier you make it for your auditor to understand your processes and where certain controls are executed, the quicker he will get through his work and the less he will bill you for his audit services (in theory).
