Findings Framework - process to aggregate deficiencies

  • Hello All,
    I work in the Corporate Finance / SOX Compliance group for a public company in Silicon Valley.
    We are refining our internal Findings Ranking Framework. We have built it upon the old (but last published edition) Big9 2004 framework, SEC / AS5 guidance, and IIA GAIT guidance.
    As SOX audit test result findings come up, we rank each individually (with no consideration to mitigating controls) as deficiency, minor finding, or process improvement. We then do a quarterly aggregation on deficiencies to rank as Defic, Sig Defic, or MW, and we also consider at this point the mitigating controls and collective deficiencies by account class (revenue, COGS, etc.).
    Section 404 states that determination should be made that controls are operating effectively ‘as of year-end’. So my question is, if deficiencies were identified during the course of the year but since remediated and retested with a ‘pass’, then should we no longer include these in the periodic aggregations (since they are operating effectively as of ‘year-end’)? I.e., aggregations should technically only be done on ‘open’ deficiencies?
    Thanks for your opinions on this…

  • Yes, if I understand this scenario correctly, once an issue has been remediated it no longer needs to be evaluated and ranked.

  • Seconded.

