How to know if the controls are comprehensive



  • I am new to SOX. When I look at the controls already designed for each process, I have a question in my head: how do I ensure the controls are comprehensive for each process? Shouldn’t there be some type of template that provides guidance as to what controls should at least be included? What if we missed some key controls?



  • Welcome to the forum.
    There are no commonly accepted risk / control matrices. If your company is using COSO as its framework, then you should take a look through it, as COSO describes how to perform a risk analysis and identify controls that mitigate those risks.
    For any individual significant account, you should ensure that you have controls to cover each of the financial statement assertions. While there are a few variations on the list of assertions, the most commonly used are:
    Completeness
    Accuracy
    Valuation
    Rights (Obligations)
    Disclosure (generally only applies when preparing your FS)
    In order to perform this evaluation, you need to understand how the process works: source of data, inputs, processing, output and communication. You also need to understand the related systems that you rely on to process your information.
    Once you have this understanding, you should be able to identify risks within the process that would prevent you from having complete, accurate information that is properly valued and presented correctly in your financial statements, and from being sure that you have rights to all of your assets and that your liabilities represent true obligations of the company.
    After risks have been identified, you identify the controls that help prevent or detect those risks (of errors) from occurring.
    As you can see, identification of a complete set of controls is not a simple process and really must be assessed with a full knowledge of each financial process.
    As you think through this and have specific questions about risks and controls within certain processes, I encourage you to come back to this forum for advice. We have several knowledgeable contributors who are more than happy to help you out. The one thing that I would ask you to do prior to posting a specific question would be to utilize the search functionality of this forum as many common questions have been asked (multiple times) and thoroughly discussed.
    I am certain that you will find the world of SOX to be quite interesting.



  • Hello, kymike. Thank you so much for the detailed explanation. I am starting to like this forum already.



  • Once you have this understanding, you should be able to identify risks within the process that would prevent you from having complete, accurate, information that is properly valued and presented correctly in your financial statements and that you have rights to all of your assets or that your liabilities represent true obligations of the company.
    Interesting.
    Great sentence, Mike. It helps IT folks like me to understand the CAVRD jargon.



  • ^ I also agree with the excellent advice offered 🙂
    One other idea might be to work with your external SOX auditor contact once you’ve designed your controls framework. They would hopefully have a lot of experience in this area, including from other companies needing to comply.

