Annually, we risk rate each one of our SOX controls individually (i.e., low, medium, high). Although not the only factor, the risk rating influences the rigor of testing for the control. For lower-risk controls, there are circumstances where we distribute "year-end inquiries" to all control owners to confirm that the control is still operating and if there are any changes. More specifically, we contact the control owner, provide them with the latest copy of the control narrative, and ask them the following four questions:
- (1) Have there been any changes to the people performing the control?
- (2) Have there been any changes to policies that impact the control?
- (3) Have there been any changes to the process?
- (4) Have there been any changes to technology?
We found there are multiple ways to complete this process in Wdesk. However, we found pros and cons between using the Request or Certification method. Our goal is to manage as much of this process in Wdesk as possible without resorting to e-mails outside of Wdesk.
I am interested to learn from other users if they are performing a similar process in Wdesk and if you could share your experience and lessons learned. Thank you in advance for any feedback!