Everything needs to be documented?

  • Hi,
    I’m a newbie to this place.
    As SOX requires extensive documentation on controls, does that mean everything needs to be documented (i.e., leave evidence of existence)? I’m talking about non-key controls vs. key controls. It’s understandable that every key control has to be documented for testing purposes, but what are the documentation requirements for those non-key controls? Their number is generally a lot more than key controls, which would add significant workload to management if all were documented.

  • You do not need to document controls that you do not test.

  • But from management’s point of view, do they need to leave evidence of performance for those non-key controls? Even though they will not be tested.

  • If it is a review control and there are several levels of review, but you only care about the top level, I would think that you would want to evidence each review with a signature or initials of the reviewer. This just lets the next level up know that it has been reviewed previously.
    If your main control over certain expenses is a review of budget to actual or PY to actual, but you require approval of the expenses before they are paid, you would want to evidence the approval with a signature. This shows that policy is being followed.
    While the above items provide evidence of secondary (non-key) controls, best practice would have you ensure that they were evidenced, but that is not necessarily required for SOX.

  • Thanks a lot for your input, kymike.
