Control Gap or Documentation Gap 1864

  • Hi All
    We are having a debate in our SOX team about what a documentation gap means and what a control gap means.
    I think a documentation gap is where a control is in place but is not being documented in the way required for a SOX audit, eg a review is taking place but there is no sign off.
    I think a control gap is where a risk exists but there is no control to meet it.
    Anyone able to confirm or disagree?

  • Hi Reutlingen,
    I agree with what you wrote plus control gap (I think) could be where a control exists but doesn’t prevent/detect or eliminate the risk accurately - In other words … is not design well.

  • Thanks Ricker, I guess it is all semantics in the end as we all agree that something is deficient if it is not documented - Whether you call it a control gap or documentation gap.
    Cheers again

  • I think the terminology depends on the organisation.
    We use the term - documentation gap/ issue, where we have identified that the key control and documentation specified is not quite right. For example, where the key control specifies that the FC reviews the completed bank reconciliations, but in fact, it is the CFO who always performs the review.
    A Control gap/ issue/ deficency is where your control does not pas sthe test applied.
    A weakness is where there is a risk that has not been identified or covered off by key and non- key controls.
    I would have also used the same definitions with my team when I worked as an ext auditor with Big 4.
    There is no set of defined rules as to how these terms are used by an organisation, in the same way as credit memo and credit note mean the same thing.

  • Thanks EMM, I too used to be Big 4 auditor and what you said rings true with that now I think about it…
    I think this means I lose the argument in our local team…documentation gap means that the documentation is wrong, control gap means that control is not performed or not evidenced as being performed.
    righty-o best get rewording some of our issue logs…
    Thanks again peeps

  • Hi - I also agree and you might find more details in some of the links from the general search below.
    General Search - SOX Gap analysis
    please add www and paste in browser Gap analysis
    The following might provide some definitions, as I can see how this could be possibly confusing 😉
    Documentation Gaps = reflect shortcomings in any of the required SOX documentation activities (e.g., inadequately described workflows, policies, procedures, etc.)
    Control Gaps = reflect weaknesses in financial controls required for SOX (e.g., inadequately defined workflows, policies, procedures, etc).

  • Interesting to see that you can actually get a definition from google. I always thought that the terms used were based on joint interpretation within a group.

  • Indeed - There are a wealth of good online resources when you search on the keyword SOX. Although you have to sort through sales related sites to sometimes find it, and you may also encounter links for baseball teams found in Boston or Chicago 😉 Still, I’ve found some fantastic powerpoint, Excel, PDF, and other types of documents along the way 🙂
    The 2 definitions I shared in the prior posts were one’s that I created, so there are most likely better ones out there

  • thanks again everyone, thats a big help.

Log in to reply