Gaps in controls that are formally out of scope for SOX
Margreet wrote:
How to deal with discovered gaps in controls for organization activities that are out of scope for SOX? Please help.
Denis wrote:
You should decide what is an appropriate response based on risk of loss versus time and cost to fix.
harrywaldron wrote:
Denis makes a great point as it’s all about the likelihood and impact of risks associated with non-SOX controls (a.k.a. ‘Frequency and Severity’). Risk Management should be conducted on an on-going basis as business and technology are constantly changing.
Maybe some of these ideas will help:
- SOX controls must take precedence unless there is something paramount that needs correction in conjunction with the SOX requirements.
- Where you can use SOX controls to tie in with non-SOX areas that need strengthening, that’s always beneficial. For example, it’s better to employ IT controls as a whole to everything, whether it’s a financial system or not. This way folks don’t have to learn multiple approaches and everyone is singing out of one song book.
- In addition to the Frequency and Severity analysis, each area of risk must be assessed from a ‘Cost v. Benefits’ viewpoint. Is it worth the additional costs to cover these gaps in controls?
- Develop a Project Plan for the undertaking and gain management approval and backing before starting. A good planning effort might stimulate some efficient and cost-effective ideas for handling the area of exposure.
- Measure your results after implementation of the controls to ensure they are closing the gap as you envisioned.
milan wrote:
It might be a good idea to categorize the identified control gaps as ‘SOX’ and ‘Non-SOX’. As suggested by others, you can prioritize the control gaps based on risk (3-category approach: High, Moderate, Low) considerations.
If resources permit, you can address the high risk ‘non-SOX’ control gaps after addressing the moderate SOX control gaps. You can defer remediation efforts related to the low risk SOX control gaps and consider them as a group with any compensating controls, so that you can consider the total risk in the aggregate for SOX purposes.
Hope this further helps,
IrquiM wrote:
Agree with Milan, sounds like the same approach we’re using at the moment.