What does a healthy SOx Framework look like?
Incontrol
Hi All
my first post…
I am in IA responsible for SOx audits at an Operating Level concern (not at head office or Group level). We are in the 3rd year of our SOx implementation -> having reached compliance in yr1. At our level not all cycles are in scope for SOx, fortunately.
The objective of this year is to improve the efficiency of the framework - ideally reducing the number of controls required.
I appreciate it will depend on industry, business type, and various other factors but what GENERALLY do some of your SOx frameworks look like?
For example, regarding:
a. The total number of Process Level Controls? (we have 113)
b. The total number of Entity Level Controls? (we have 32)
c. The % of automated versus manual controls? (28 vs 72%)
d. The % of preventative versus detective controls? (70 vs 30%)
e. The % of IT General Controls versus total Process level controls (including ITGCs)? (37%)
f. The ratio of key vs secondary controls? (62 vs 38%)
I just want to get a feel for what an average and then ‘healthy’ framework looks like… so really appreciate your answers.
g. Also - in general - how many key controls do you have addressing each risk?
Many thanks
Denis
Some of this is a bit ‘how long is a piece of string’ as no two companies are alike.
That said a couple of things I would comment:
point g. one if it covers the risk fully - although one key control can cover more than one risk.
point c. more automated controls would tend you towards a more efficient approach.