SOX 404 states that adequate documentation of significant controls should include the following:

It is critical that the controls identified within the ‘Corporate Standard Templates’ are cross-referenced to the process flow documentation to ensure that those significant steps are adequately controlled. Controls should also be identified and documented within the process flow documentation for those significant steps for which there is no corresponding control documented on the ‘Corporate Standard Template’.
An internal control is designed to fully mitigate a stated risk or, conversely, to achieve a stated control objective.

For an internal control to be properly designed, it needs to have an appropriate answer to each of the following qualitative questions:

· “What” is the control being performed (control type)
· “Who” performs the control (control owner)
· “When” is the control performed (control frequency)
· “Where” is the control evidenced (control evidence)
· “How” is the control performed (control procedures)
The standards suggest that the template covers the items in the following list. Note that this list is not entirely consistent with the items shown above. It is therefore likely that the template used for the process designs will be some combination of the two.

· Control Reference – links the local control to the control catalogue
· Process Step (Name) – captures the short name of the local control (pre-populated)
· Process Step (Control Description) – captures the details of the local control (who, what, when, where & how)
· Nature (of control) – COSO Component related to the local control (pre-populated)
· Control Purposes – preventative or detective (pre-populated)
· Automation – whether the control is manual or automated
· Frequency – how often the control occurs
· Control Type – identification of type to develop the testing method (pre-populated)
· FS Account Groups X – link of the local control to the AIM financial lines and related assertions (pre-populated)
Finally, a further aspect that SOX requires is evidence that the control has taken place as designed (further details can be found in the control execution job document). The control evidence categories are shown below:

· Manual authorisation
· System authorisation
· System configuration reports utilized to help execute internal controls
· Interface/conversion controls (manual & system based) management review
· Automated reconciliation
· Manual reconciliation
· Segregation of duties
· System access
· Recording
· End user computing (spreadsheets/personal databases)