Key versus non-key controls 2501



  • hello all
    is there any guidance on how to identify a control is key or not?
    Would it by materiality, or would it by ascertaining if there’s direct (or indirect) impact on the financials?
    Please advise. Thank you.



  • The term ‘key control’ is not official and is not included in PCAOB Auditing Standard No. 5.
    Section 11 of PCAOB AS No. 5 states ‘11. A direct relationship exists between the degree of risk that a material weakness could exist in a particular area of the company’s internal control over financial reporting
    and the amount of audit attention that should be devoted to that area. In addition, the risk that a company’s internal control over financial reporting will fail to prevent or detect misstatement caused by fraud usually is higher than the risk of failure to prevent or detect error. The auditor should focus more of his or her attention on the areas of highest risk. On the other hand, it is not necessary to test controls that, even if deficient,
    would not present a reasonable possibility of material misstatement to the financial statements.’
    The last sentence links it both to materiality (i.e. the impact on the financial statements) and on the likelihood of fraud or error. If the inherent risk of fraud and error is less than reasonably possible or if the potential impact is not material you do not need a ‘key control’ to reduce the likelihood. Judging materiality gets harder if we are talking about entity level controls or pervasive controls.



  • I would define key controls as being the combination of controls that cover off all of your control risks/objectives/assertions in a process.
    In most cases you will have choices on what combination of controls to use but generally one would try and select controls that

    • cover off multiple risks
    • are easier to test (e.g. monthly, automated controls)
      Where you only have one control that covers a risk that by default that control would become key.


  • Denis is right. To help me identify a key control I asked myself a couple of questions:

    1. Does it mitigate the risk of a material financial misstatement arising from this process?
    2. What if this control fails?
      So firstly I ensured that I had identified a ‘key’ risk by properly focusing on financials and materiality. If the control mitigates that risk it must by definition be key (and as Denis says a control can mitigate more than one risk).
      Secondly you explore whether that control is overarched by another control. In other words identify the hierarchy of controls because only those at the very top of the chain will be key. This is also useful to reduce the number of controls tested because you may identify a single control that overarches 2 or 3 controls - these remaining, however strong, are not key but can be held in reserve in case the key control fails.


  • Some dated dialogue about key controls, but relevant as the definition of a key control did not change as a result of AS5.
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums-and-file=viewtopic-and-t=1421-and-highlight=key control



  • i briefly gone through the PCAOB AS 5 and after digesting some of the postings in this SOX forum, i concluded on the following:

    • for all the control objectives, identify corresponding misstatement risks
    • for all identified misstatement risks, sieve out the material misstatement ones
    • for each material misstatement risk, identify corresponding control (s). These identified controls would be the so-called ‘Key Controls’ which should be subjected to design and operating effectiveness testing.
      In other words, ‘Key Controls’ would subsequently result from identification of material misstatement risks. So with that, the problem only lies in how to identify material misstatement risks…
      Is my understanding correct?
      thank you

Log in to reply