Control Gap Question 2297

  • I’m currently working in the internal audit dept of a company that was previously SOX compliant, but due to some shady dealings by previous management they were delisted in 2005. They went public again in Aug and are required to be compliant for 2007. Our external auditors will review our work but are not issuing an opinion on it this year. My question is, what are the disclosure requirements or documentation necessary when it comes to control gaps? With employee turnover there have been several controls that have fallen through the cracks since 2005 and are no longer being performed, a couple are pretty significant. I’m having a hard time finding guidance on what needs to be done about them and would really appreciate it if someone could point me in the right direction.
    I was an external auditor for 3 years, 2 of those spent with the Big 4, but all of my previous SOX work was much ‘cleaner’ than what I’m dealing with now, and I had more resources at my disposal to research any questions I had. I’m at a loss.

  • Material weaknesses are required to be reported externally. Significant deficiencies are required to be reported to the Audit Committee. Other deficiencies should be reported to senior management. We report all noted deficiencies to our Audit Committee.

  • I understand, but I don’t know what to do about areas where there are no controls…should I be going through each of these gaps as if there was a deficient control to determine the level of severity? Or do you just notify the various process owners and management that a gap exists and that going forward they need to do things differently? What if one of these gaps on its own, or especially when aggregated with known deficiencies, would rise to the level of a material weakness? Whether there is a control gap, or deficient control, isn’t your exposure the same?

  • Whether there is a control gap, or deficient control, isn’t your exposure the same?
    Yes. The definitions would apply equally to deficiencies whether they are due to control gaps or operating effectiveness.

Log in to reply