SOX Professionals Group

  • 1.  Control Documentation

    Posted 02-28-2024 03:11 PM

    Back a couple of years ago, I went through a process to document each control across my company. For example, took a revenue control (cash receipts recorded to the GL are agreed to bank activity - just an example), and documented each step the control owner follows to execute the control. In my previous company, and when I was in the Big 4, this was not a requirement or best practice really. In a nutshell, we documented the design of each control in detail. Our external auditors pretty much said this was required. Do you have the same in your companies for controls? Or do you just have risk and control matrices and that's what the ext auditors go by (we also have RCMs, but the design documentation is additional)?

    Raymond Rengifo
    Director - SOX Compliance
    Tredegar Corporation

  • 2.  RE: Control Documentation

    Posted 03-07-2024 11:20 AM

    I've seen that documentation exist as part of departmental procedure manuals and sometimes as part of process narratives, but that hasn't been work that was owned or performed by the SOX function.

    We use RCMs and have detailed attributes for each control as part of that documentation - but it isn't a detailed step-by-step approach.

    Stephen Bellard
    Senior Internal Controls Analyst