    I have two questions regarding internal controls in SOX. I am setting up the internal control matrix for the documentation of controls in compliance with SOX.
    Could anybody provide me with a template for a control matrix in line with SOX requirements?
    Second question: when documenting internal controls which do not directly relate to finance, like ‘security control: provision of employees with electronic card to monitor their movement within the premises’, do the IPOs and FS assertions also exist for this kind of control? Do I need to document them for this kind of control as well?
  • There are many formats you can use to document controls. An easy one to start with could be this (in a spreadsheet):
    Down the left column you would list your controls and number them. You could also group them by Principal Business Activity (PBA).
    Across the top, list your control objectives. You’ve now created a matrix. You can ‘X’ the box under the objective that each control satisfies. After listing all the objectives, you could then continue with columns for Primary v. Compensating, Preventative v. Detective, Automated v. Manual, and then your six financial statement assertions. Again, this would be a very basic control list, but a starting point for you. Lots of other formats could be just as appropriate.
    For your second question, I would argue that if none of the assertions apply, then it’s probably not a SOX control. So yes, they should be documented.

