Almost every SOX program has too many controls in scope.


Reasons include:

  • Controls are added at the insistence of the external auditor, even though management does not agree that there is at least a reasonable likelihood of a material error or omission (ICFR risk).
  • Controls are included because management believes they are “important controls”.
  • The scope has not been “rationalized” and all unnecessary controls removed from scope.
  • Fear of removing from scope a control that management or the external auditor has always considered important.
  • Controls added (such as over cyber) to address the “risk of the day”.

Odd to say this, but these are indications that controls over the SOX scope need to be improved:

  • Controls over additions to the scope, ensuring that they meet the definition of a key control (discussed in a moment).
  • Controls over the maintenance of the scope, ensuring that the scope remains correct as the business changes. For example, making appropriate changes as materiality increases, business products and services are added or diminished, technology is changed, and business locations grow or shrink.
  • Controls over the identification of the best controls to include in scope when there are options.

The scope for SOX needs to include the key controls necessary to provide reasonable assurance that there are no material weaknesses: i.e.,…
