Drop a key control identified through 1st year documentation 1487

  • Hello Everyone,
    We would like to drop one of the unremediated deficiencies noted through our F’06 testing (1st year) as the key control at the time is no longer a key control in F’07. It has been replaced by another control that fulfill the same control objective. Hence, my question is whether we can drop this control from our o/s unremediated controls for F’07? If yes, should we obtain our external auditor’s approval, in this case, it’s KPMG?

  • If it is no longer a key control, then there is no SOX reason that you would need to remediate and retest it. As long as you can show your auditor that you do have a control to take the deficient control’s place, then they will not have any issues with it. In fact, there can be many reasons to not remediate a deficient control - cost/benefit, low risk, overlapping control that is effective, etc.

  • Hi SoxMan100
    As long as the risks have remained unchanged you have to make sure that any new control that is designed to replace the old control should work at the same precisions level to ensure that control objectives are met. Therefore, you are not required to test the old control.
    Doing so there is no point to get the approval from auditors because its the management responsibility to document the controls and test them as key control. However, going forward its important that you may have to satisfy any of auditors question for rationalising the new control.

  • Remember, it’s not the auditors that decide which key controls you have.
    It is you that have to demonstrate that you have control. The auditors can only give their statement based on what you demonstrate. If you can argue well enough that the given issue no longer exist, then the auditors should accept that, and if you can’t, then maybe it still exist after all?

  • I’ve seen this situation before where new controls are established replacing old controls (remediated or not). When the same attest firm (KPMG in this case) is coming back, questions about deficiencies from the previous year will almost surely arise. My suggestion is to maintain a Schedule of Control Deficiencies spreadsheet that includes control objective and risks from year one and add a column titled ‘Action Taken.’ In this column, you can reference the new control which superceded the need for the old, which the attest auditors can easily see from a well prepared schedule. Hope this helps you.

Log in to reply