SOX and Controls
Under SOX Section 404, adequate documentation of a significant control should include the following:

· A link between the control objective and the local control
· A description of the local control which clearly describes how the local control prevents the associated key risk from occurring, or detects it if it does (i.e. how it achieves the control objective)
· A description of how the local control is to be applied, who is responsible for performing the control, how frequently the control is performed, and where it is evidenced

It is critical that the controls identified within the ‘Corporate Standard Templates’ are cross-referenced to the process flow documentation, to ensure that the significant steps are adequately controlled. Controls should also be identified and documented within the process flow documentation for those significant steps for which there is no corresponding control documented on the ‘Corporate Standard Template’.

An internal control is designed to fully mitigate a stated risk or, equivalently, to achieve a stated control objective.

For an internal control to be properly designed, it needs to have an appropriate answer to each of the following qualitative questions:

· “What” control is being performed (control type)
· “Who” performs the control (control owner)
· “When” is the control performed (control frequency)
· “Where” is the control evidenced (control evidence)
· “How” is the control performed (control procedures)

The standards suggest that the template covers the items in the following list. Note that this list is not entirely consistent with the five questions shown above, so the template used for the process designs is likely to be some combination of the two.

· Control Reference – links the local control to the control catalogue
· Process Step (Name) – captures the short name of the local control (pre-populated)
· Process Step (Control Description) – captures the details of the local control (who, what, when, where and how)
· Nature (of control) – COSO component related to the local control (pre-populated)
· Control Purpose – preventative or detective (pre-populated)
· Automation – whether the control is manual or automated
· Frequency – how often the control occurs
· Control Type – identification of the type, used to develop the testing method (pre-populated)
· FS Account Groups X – link of the local control to the AIM financial lines and related assertions (pre-populated)

A final aspect that SOX requires is evidence that the control has taken place as designed (further details can be found in the control execution job document). The control evidence categories are shown below:

· Manual authorisation
· System authorisation
· System configuration reports utilised to help execute internal controls
· Interface/conversion controls (manual and system based) management review
· Automated reconciliation
· Manual reconciliation
· Segregation of duties
· System access
· Recording
· End user computing (spreadsheets/personal databases)


SOX Impact on Process and Owner Deliverable

These considerations have no impact on this deliverable, as controls only need to be identified, not designed, at this stage.

Many (but not all) of these aspects will, however, need to be covered in the Process Design deliverables.


SOX Impact on Process Design Deliverable

These considerations are directly relevant to this deliverable.

As well as the controls identified in the process owner document, many steps in the procedure will in effect be a type of control, either pre-emptive or in mitigation (preventative or detective, in the terminology of the template above). Rather than leaving these implicit in the document, where a step is acting as a control it must be named, and its further characteristics (who, what, when, where and how) described within the document.

© 2002-2007 Codel Services Ltd

This paper has been prepared by Codel Services Ltd to illustrate how structured business modelling can help your organisation. Codel Services Ltd is an IT Consultancy specialising in business modelling. If you would like further information, please contact us at: Deryck Brailsford, Codel Services Ltd, Dale Hill Cottage, Kirby-Le-Soken, Essex CO13 0EN,United Kingdom. Telephone: +44 (0)1255 862354/Mobile: + 44 (0)7710 435227/e-mail: