Implementing a 'SOX Lite' IT Key Controls (or Risk and Controls Matrix) in your business
This post forms part of a series of posts. To review our post regarding Finance Key Controls, please click here.
Following the Brydon Review in 2019, there is a real chance that UK listed companies could be required to implement a Sarbanes–Oxley (SOX) equivalent. As per the ICSA website, amongst the recommendations following the review, there was a clear stand-out in regards to internal controls:
That the Government gives serious consideration to mandating a UK Internal Controls Statement consisting of a signed attestation by the CEO and CFO to the Board that an evaluation of the effectiveness of the company’s internal controls over financial reporting has been completed and whether or not they were effective, as in SOX 302(c) and (d). This attestation should be received by the Board no later than 28 days before the accounts of the company for the relevant financial period are signed. The Board should then report to shareholders that it has received such an attestation.
Similar to finance controls, IT controls should be in place for any organisation, regardless of whether they are required by SOX or not; it's simply best practice. These IT Key Controls (or IT General Controls / ITGCs) are there to ensure systems are operating correctly and cyber security risk is reduced, and, as part of this, that the numbers reported in the financial statements at year end are accurate.
To assist smaller organisations, we have compiled a base set of 22 IT key controls which would be expected as a minimum.
You can view an example of the IT Key Controls Database (or Risk and Control Matrix), below:
You can view the free version of the database here.
Alternatively, you can purchase the database here.
Members with a paid subscription can download the template via the Members Area.
How was this list of controls built?
We considered basic level IT General Controls that are most likely already operating in some form or another within a business. As such, depending on the size, nature, and risks applicable to your business, some of these controls may need to be adapted to be more robust. Nevertheless, these controls are a great starting point for any small or medium business.
How do we assess the risk of each control?
For each control, we need to assess the risk. Assessing the risk, in its simplest form, means considering the likelihood of the risk occurring and the impact if the risk did eventuate. On top of this, we then need to consider the risk appetite of the business. For example, the likelihood of something occurring might be high, but the impact considered low, as it will only result in a financial loss of say $100, which would be below the company's loss threshold.
How do we know the controls are working?
Our database has been designed so that for each control, there is a supporting control worksheet. Within this control worksheet, the auditor (or member of the IT team or other relevant function), must document the nature of the control, and the process which the control is a part of. The frequency and nature of the control (i.e. Automatic or Manual) are captured in this detailed control worksheet, along with the control owner, control risk and accounts relevant to the control.
The audit team must then map the process and embed the process flow into the control worksheet. They must then perform both design and implementation testing, with all workings documented, and an assessment completed at the end which evaluates if the control has been designed and implemented appropriately.
The IT team will then perform testing on a monthly basis (or other frequency as already documented) to ensure the control is working as expected.
Internal Audit will then perform both interim and year end testing to also validate the operating effectiveness of the control.
The results from the testing performed by both IT and Audit are summarised into the overall control register, allowing IT to easily see their results, which can support their annual attestation regarding controls over IT systems and applications.
For audit, the results are also summarised into the overall control register, which can be used to provide independent assurance to both the Audit Committee and Board.
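To make the risk assessment and the register roll-up above concrete, here is an added Python example; it is not the database template sold on this site and the control names, scoring bands, test results and appetite threshold are all constructed assumptions. It scores each control as likelihood x impact, compares the score to a risk appetite, records the design and implementation assessment alongside IT's periodic self-tests and Audit's interim / year-end tests, and then lists the controls that would block a clean attestation: those above appetite that are not fully effective.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Illustrative rating bands for a likelihood x impact score (1..25); an assumption, not the page's.
RATING_BANDS = [(6, "Low"), (12, "Medium"), (25, "High")]


@dataclass
class Control:
    """One row of the Risk and Controls Matrix plus its supporting control worksheet data."""
    control_id: str
    name: str
    process: str
    nature: str            # "Automatic" or "Manual"
    frequency: str         # e.g. "Monthly", "Quarterly", "Per change"
    owner: str
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (severe)
    accounts: List[str] = field(default_factory=list)
    design_effective: Optional[bool] = None                  # design & implementation assessment
    it_results: List[bool] = field(default_factory=list)     # IT's periodic self-tests
    audit_results: List[bool] = field(default_factory=list)  # interim / year-end audit tests

    def risk_score(self) -> int:
        return self.likelihood * self.impact

    def risk_rating(self) -> str:
        score = self.risk_score()
        for upper, label in RATING_BANDS:
            if score <= upper:
                return label
        raise ValueError("score out of range")


def operating_status(results: List[bool]) -> str:
    """Summarise a series of test outcomes: every pass => Effective, any fail => Exception."""
    if not results:
        return "Not tested"
    return "Effective" if all(results) else "Exception"


def overall_status(c: Control) -> str:
    """A control is only Effective when design, IT testing and audit testing all pass."""
    if c.design_effective is None or not c.it_results or not c.audit_results:
        return "Incomplete"
    if c.design_effective and all(c.it_results) and all(c.audit_results):
        return "Effective"
    return "Ineffective"


def build_register(controls: List[Control], risk_appetite: int) -> Dict[str, dict]:
    """Roll every control up into the overall control register used by IT and Audit."""
    register = {}
    for c in controls:
        register[c.control_id] = {
            "name": c.name,
            "owner": c.owner,
            "risk_score": c.risk_score(),
            "risk_rating": c.risk_rating(),
            "within_appetite": c.risk_score() <= risk_appetite,
            "design": "Not assessed" if c.design_effective is None
                      else ("Effective" if c.design_effective else "Deficient"),
            "it_testing": operating_status(c.it_results),
            "audit_testing": operating_status(c.audit_results),
            "overall": overall_status(c),
        }
    return register


def attestation_exceptions(register: Dict[str, dict]) -> List[str]:
    """Controls that would block a clean attestation: above appetite and not Effective."""
    return sorted(cid for cid, row in register.items()
                  if not row["within_appetite"] and row["overall"] != "Effective")


# Constructed sample controls; names and results are illustrative, not the page's 22 controls.
SAMPLE_CONTROLS = [
    Control("ITGC-01", "Quarterly user access review", "Access management", "Manual",
            "Quarterly", "IT Manager", likelihood=4, impact=4, accounts=["All"],
            design_effective=True, it_results=[True] * 12, audit_results=[True, True]),
    Control("ITGC-02", "Change approved before production deployment", "Change management",
            "Manual", "Per change", "Head of IT", likelihood=3, impact=5,
            accounts=["Revenue", "Inventory"], design_effective=True,
            it_results=[True] * 11 + [False], audit_results=[True, False]),
    Control("ITGC-03", "Nightly backup job completes and is logged", "IT operations",
            "Automatic", "Daily", "Infrastructure Lead", likelihood=2, impact=2,
            accounts=["All"], design_effective=True, it_results=[True] * 12, audit_results=[]),
]

RISK_APPETITE = 6  # assumed threshold: scores at or below this are tolerated without escalation

if __name__ == "__main__":
    register = build_register(SAMPLE_CONTROLS, RISK_APPETITE)
    for cid, row in register.items():
        print(cid, row["risk_rating"], row["it_testing"], row["audit_testing"], row["overall"], sep=" | ")
    print("Attestation exceptions:", attestation_exceptions(register))
```

With the constructed data, ITGC-02 is the only attestation exception: it sits above appetite and both an IT self-test and the year-end audit test failed. ITGC-03 has not yet been audited, so it is reported as Incomplete rather than Effective, but because it is within appetite it does not block the attestation on its own; that distinction is the point of capturing appetite in the register alongside the test results.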
When should these controls be implemented?
If not already, they should be implemented now. Control implementation and effectiveness also evolve over time: as the IT team begins to implement controls, they will likely need to be refined and re-engineered to make sure they are appropriate and robust for the business. By implementing these controls now and refining them over the next 6 to 12 months, both IT and Audit can work together to ensure good controls are in place and operating effectively before the UK SOX equivalent becomes a requirement.