Financial controls vs operational controls 1346

  • Hi there,
    Does Sarbanes-Oxley require both Financial and Operational controls to be tested? If only
    financial, why would a company decide to test Operational controls too?
    Many thanks in advance,

  • Hi Joanne,
    This question is specifically answered in a guidance document that may be found at
    Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements - Third Edition
    Updated to reflect PCAOB Auditing Standard No. 2
    See Question #
    ‘Since the COSO Framework includes controls over operations, to what extent do these controls need to be evaluated to support the internal control report?’
    Section 404 does not require management to evaluate internal controls over operations, except to the extent that such controls may overlap with financial controls. An illustration is provided that contains a Venn Diagram and shows the relationship between control processes that address multiple objectives and 1. financial reporting, 2. regulatory compliance, and 3. operations.
    See Page #37 of the document for a detailed discussion to the question.
    At the bottom of page #66 in the same document, a table is given that delineates Operational Process Controls from Compliance Process Controls. A review of this table and its components might be helpful.
    Question #110 from the document: How does management decide which controls to test? A discussion of the answer to this question may be found at the bottom of page #83.
    Hope this helps,

Log in to reply