Wording of Risks, Controls, Control Activities...
Telco last edited by
I am in the process of accompanying a SOX implementation project. I am facing the question of at which level of process depth a control shall be defined (i.e. how many control activities a control can entail) or whether every control activity is a ‘control’ itself.
In parallel, we are discussing on which hierarchical level of processes a risk or a control objective should be worded. What are your experiences?
Cheers in advance.
IrquiM last edited by
In my firm, each control activity is a control on its own.
We have different processes identified through finding what’s in scope or not.
For these processes we have different risks (or control objectives, if you’d like).
These risks are mitigated by different controls (-activities).
Melly last edited by
We do it the same - one control is one activity only.