Entity Level Controls sub-processes and required activities for SOX 404 readiness

Entity Level Controls - SOX 404 Readiness

What internal control or SOX 404 activities are required and recommended for the Entity Level Controls process of a company preparing for an IPO or public company readiness?

Sub-processes include:

  1. Audit Committee
  2. Authority matrix, organization structure
  3. Board of Directors composition
  4. Disclosure Committee
  5. Policies and procedures
  6. Tone at the top (culture of integrity)
  7. Whistleblower policies and procedures


Recommended Scope of Work for Each Process:
  • Assess control gaps (interviews)
  • Document process and controls (narrative or flowchart)
  • Create a Risk Control Matrix
  • Conduct a walk-through (test of design or TOD)
  • Perform testing (test of effectiveness – time permitting)


Notes:
  1. Most external auditors now require flowcharts instead of narratives to document processes and controls. Flowcharts with separate swim lanes make it easy to see whether duties are properly segregated.
  2. Concentrate your focus and resources on designing controls, training process owners, and doing a walk-through to make sure the controls are performed accurately and on time. If time allows, then perform testing.
  3. The walk-through is a hands-on way to assess the control gaps that might only be found through an actual example. The walk-through lets you refine your process and evaluate your actual risks as you tailor your controls to suit your needs.