Control Gap Remediation Methodology
Training Presentation
Remediation Methodology
Identify Control Gap
Identify Compensating Control
Develop Remediation Action Plan
Implement Remediation Action Plan
Monitor Remediation Status
Confirm Remediation Implementation
Update Control Documentation
Design and Implement Solutions for Control Gaps
Remediation Methodology
A control gap occurs when a control does not exist, a control does not effectively mitigate a risk, or the control is not operating effectively.
Control gaps can relate to the design effectiveness or the operating effectiveness of the control.
Identify Control Gap
Identify Compensating Control
Develop Remediation Action Plan
Implement Remediation Action Plan
Monitor Remediation Status
Confirm Remediation Implementation
Update Control Documentation
Key Success Factors:
Record all control gaps in a Remediation Log or Register.
Understand the potential impact of the control gap.
Control Gap Examples
Control:
“Management Control Manager issues a monthly report from System X that shows profitability per contract per customer for the month. A monthly meeting is held with the Supply Manager and Traders where activity and profitability is carefully analyzed. Any variances over $X per deal are investigated.”
Control Gap:
The defined tolerance limit of $X is too high.
Control:
NA
Control Gap:
There is no control documented to mitigate the risk of duplicate invoices.
Remediation Methodology
When a control gap is identified, management should consider whether a compensating control exists.
Compensating controls are alternative controls that partly or fully mitigate the risk associated with the identified control gap.
Management needs to determine whether to rely on the original or the compensating control for SOX compliance purposes.
Identify Control Gap
Identify Compensating Control
Develop Remediation Action Plan
Implement Remediation Action Plan
Monitor Remediation Status
Confirm Remediation Implementation
Update Control Documentation
Key success factors:
Ensure that compensating controls are designed and operating effectively if they are to be relied on for SOX compliance.
Update SOX documentation to ensure the compensating controls are documented.
Understand the extent to which the compensating control covers identified the control gap.
Compensating Control Example
Control:
“Access to create deals in System X is restricted to Traders.”
Control Gap:
Access rights in System X do not restrict access to deal creation to Traders only.
Compensating Control:
“The Back Office Manager runs X & Y transactions within SAP, at the beginning of each month to verify the person negotiating each deal in SAP is authorized. The negotiator of each deal is checked against the list of authorized personnel. Any deals negotiated by unauthorized personnel, are brought to the attention of the Trading Manager and the Director, for review and approval.”
Remediation Methodology
Define the action required to close the control gap.
Assign responsibility.
Assign timing.
Assign a priority.
Ensure the remediation addresses the control gap and not an individual exception.
Identify Control Gap
Identify Compensating Control
Develop Remediation Action Plan
Implement Remediation Action Plan
Monitor Remediation Status
Confirm Remediation Implementation
Update Control Documentation
Key success factors:
Process/control owner agreement and commitment to remediation plans.
Realistic and timely remediation plans.
Ensure remediation is complete to enable a sufficient population for testing.
Document action plans in a remediation register/log.
Remediation Action Plan Example
Control Gap:
Untimely asset capitalization.
Remediation Action Plan:
Monitor all open capital projects on a quarterly basis (create a report).
Ensure active follow-up with Project Managers of projects that have not incurred expenditure for three months.
Capitalize projects that are identified as complete.
Timing:
Action Plan to be implemented by (date).
Responsibility:
Fixed Asset Accountant.
Remediation Methodology
Implement the documented and agreed action plans.
Implement the control or modifications to the control to ensure the control is effective.
Identify Control Gap
Identify Compensating Control
Develop Remediation Action Plan
Implement Remediation Action Plan
Monitor Remediation Status
Confirm Remediation Implementation
Update Control Documentation
Key success factors:
Commitment to agreed timing.
Support from Senior Management (guidance, resources).
Communication and escalation of difficulties in implementing action plans.
Real-time monitoring of remediation status.
Remediation Methodology
Revise control narratives/flow charts.
Revise control descriptions to accurately document the remediated control.
Update test plans.
Identify Control Gap
Identify Compensating Control
Develop Remediation Action Plan
Implement Remediation Action Plan
Monitor Remediation Status
Confirm Remediation Implementation
Update Control Documentation
Key success factors:
Clearly document the Control Effective Date.
Version control of documentation.
Remediation Methodology
Independent review of the control to ensure that the remediation action plan was successfully implemented.
Determine whether the remediation action taken has completely addressed the identified control gap.
Identify and document any further remediation required.
Identify Control Gap
Identify Compensating Control
Develop Remediation Action Plan
Implement Remediation Action Plan
Monitor Remediation Status
Confirm Remediation Implementation
Update Control Documentation
Key success factors:
Timely review after the agreed remediation completion date.
Update remediation register/log.
Remediation Methodology
Monitoring is essential to the remediation process.
Generating and reviewing reports on remediation status.
Reporting provided to all relevant management.
Identification and follow up of overdue remediation activities.
Identify Control Gap
Identify Compensating Control
Develop Remediation Action Plan
Implement Remediation Action Plan
Monitor Remediation Status
Confirm Remediation Implementation
Update Control Documentation
Key success factors:
Effective and timely reporting and communication.
Transparent process – visibility from Senior Management.
Senior Management and Process Owner commitment.
Proactive approach.
Escalation of concerns to Senior Management.
