Gaps in controls that are formal out of scope for SOX 1578

  • How to deal with discovered gaps in controls for organization activities that are out of scope for SOX? Please help.

  • You should decide what is an appropriate response based on risk of loss versus time and cost to fix.

  • Denis makes a great point as it’s all about the likelihood and impact of risks associated with non-SOX controls (a.k.a. ‘Frequency and Severity’). Risk Management should be conducted on an on-going basis as business and technology are constantly changing.
    Maybe some of these ideas will help:

    1. SOX controls must take precedence unless there is something paramount that needs correction in conjuction with the SOX requirements.
    2. Where you can use SOX controls to tie-in with non-SOX areas that need strengthening, that’s always beneficial. For example, it’s better to employ IT controls as a whole to everything, whether it’s a financial system or not. This way folks don’t have to learn multiple approaches and everyone is singing out of one song book 😉 🙂
    3. In addition to the Frequency and Severity analysis, each area of risk must be assessed from a ‘Cost v. Benefits’ viewpoint. Is it worth the additional costs to cover these gaps in controls.
    4. Develop a Project Plan for the undertaking and gain management approval and backing before starting. A good planning effort might stimulate some efficient and cost-effective ideas for handling the area of exposure.
    5. Measure your results after implementation of the controls to ensure they are closing the gap as you envisioned.

  • Hi,
    It might be a good idea to categorize the identified control gaps as ‘SOX’ and ‘Non-SOX’. As suggested by others, you can prioritize the control gaps based on risk (3-category approach: High, Moderate, Low) considerations.
    If resources permit, you can address the high risk ‘non-SOX’ control gaps after addressing the moderate SOX control gaps. You can defer remedication efforts related to the low risk SOX control gaps and consider them as a group with any compensating controls, so that you can consider the total risk in the aggregate for SOX purposes.
    Hope this further helps,

  • Agree with Milan, sounds like the same approach we’re using at the moment

Log in to reply