Key Control Guidelines 1421
NJA last edited by
Key Control Guidelines
We are fairly new to SOX and jumped right in minus appropriate training, etc., We are now realizing that there are quite a few points of focus that we listed as being a key control, that may or may not be a key control. I am asking everyone to review their key controls to determine if in fact they are. I would like to send them a list of guidelines if you will, on how to make the decision on whether or not a control is key or not. Thank you in advance. :?
milan last edited by
See the previous Forum discussion at:
AS2, Audit Standard No. 2 addresses important controls that should be tested to comply with SOX. It provides significant guidance about other information that might be helpful in making a decision to determine if a control is considered a ‘key control’ for SOX purposes and should be tested.
Characteristics of a Key Control
Factors management should consider in determining which controls to test include:
The magnitude of the potential misstatement that could result from failure of the control
The likelihood that failure of the control could result in a misstatement
The degree to which other controls, if effective, achieve the same control objective
Controls to be tested include:
Controls over initiating, recording, processing, reconciling, and reporting significant account balances, classes of transactions and disclosures, and related assertions embodied in the financial statements
Controls over the selection and application of accounting policies in conformity with GAAP
Controls related to the prevention, identification, and detection of fraud
Controls on which other significant controls are dependent (includes IT controls e.g. information security, program change control, computer operations)
Each significant control in a group of controls that functions together to achieve a control objective
Controls over significant non-routine and non-systematic transactions (such as accounts involving judgment
Controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; to initiate, record, and process journal entries in the general ledger; and to record recurring and nonrecurring adjustments to the financial statements (e.g., consolidating adjustments, report combinations,
harrywaldron last edited by
Hi - This thread might be worthwhile to review as a starting point. In particular, Milan’s post defines some of the standards related to controls:
The backend accounting systems that provide SEC reporting information are obvious candidates. As noted in the thread above there are also ‘indirect’ system relationships, where front-end customer service systems will feed the backend accounting applications. It’s important to have a comprehensive approach from front-to-back. So when in doubt, it’s better to ‘include’ than ‘exclude’
Your work might actually be right on track, as you’ve most likely developed an overall inventory of your business systems and potential control points. Hopefully it’s mostly fine tuning for you all in the days ahead.
NJA last edited by
I really appreciate the feedback and help that both of you offered. Thank you so much, this is exactly what I was looking for. Yes, we did inventory our system and it is a matter of fine tuning. We are almost 1 year into our ISO 9001:2000 certification which helped speed up this initiative.