Skip to content

Insights

Typical Pitfalls of Drafting Controls

SOC 2 Carve-out vs. Inclusive Subservice OrganizationsAre you looking to improve your internal audit function? Maybe your financial or IT auditors are asking to review the controls in place at your organization for a SOC engagement. In either case, you may have wondered about how to properly document your organization’s controls. Oftentimes controls may already be in place at an organization, but they may not be documented, or they may just need to be refined. In this article, we will cover some of the typical pitfalls of drafting controls for your organization.

Pitfall #1: Drafted controls are more informative and not actual controls.

When drafting controls, creating a “narrative” for a control should be avoided. In the case of internal and IT controls, the control should be worded such that it can be tested. For example, a narrative version could be “Management creates drafted financial statements.” A better control activity wording for this could be that “Management creates drafted financial statements that are reviewed monthly by the Controller and are presented to the board of directors.” Three aspects of this control can be tested 1) Monthly financial statements exist 2) the monthly financials are reviewed monthly by the Controller and 3) monthly financials are presented to the board of directors.

Pitfall #2: Drafted controls don’t identify titles, individuals, or systems.

When drafting controls, it is best to include any titles, individuals, and systems in the control activity. For example, a version excluding these could be “Company systems are reviewed.” A better control activity wording for this could be that “Firewall activity, IDS, IPS, and System Logs are reviewed by the Information Security Manager on a weekly basis.” Three aspects of this control can be tested 1) A firewall, IDS/IPS, and System Log exist 2) these systems are reviewed by the Information Security Manager and 3) these systems are reviewed weekly.

Pitfall #3: Drafted controls don’t include specific actions such as approved, reviewed, etc.

When drafting controls, it is best to include specific wording such as approved/reviewed/etc. in the control activity. For example, a version excluding these could be “Bank reconciliations are performed.” A better control activity wording for this could be “Bank reconciliations are performed monthly and are reviewed and approved prior the 15th day of the following month by the Controller.” Three aspects of this control can be tested 1) Bank reconciliations are performed monthly 2) the bank reconciliations are reviewed/approved by the Controller and 3) this review/approval occurs prior to the 15th day of the following month.

Pitfall #4: Drafted controls don’t include a frequency.

When drafting controls, it is best to include a frequency in the control activity. Frequencies such as “periodic” and “regular” should be avoided as this type of frequency cannot be easily tested. Frequencies such as “daily”, “weekly”, “bi-weekly”, “monthly”, “quarterly”, and “yearly” are better examples of control frequencies. For instance, a version excluding this could be “Penetration testing is performed regularly.” A better control activity wording for this could be “Penetration testing is performed annually, and the test results are reviewed with the IT team.” Three aspects of this control can be tested 1) Penetration test was performed 2) the penetration test was performed annually and 3) the test results were reviewed with the IT team.

Depending on whether the controls will be used for an internal audit function or an IT Assessment, evidence will often be requested for each of the portions tested to support the control activity. For example, if a control says a meeting takes place annually, an auditor may request an agenda or minutes of the meeting. And likewise, if a control says a bank reconciliation is reviewed and approved, the auditor may request evidence of the review and approval.

Drafting controls can be a meticulous process and controls may not be clearly identified when a company is beginning to document them. Some processes, procedures, or other documents may need to be created in order to show a clear documentation of the control activity. Once controls are documented and are in place, management should also determine a frequency at which to review the controls and make any adjustments as needed.

McKonly & Asbury can assist your company with Internal Audit consulting and SOC 2 readiness assessments to identify whether effective processes and controls are in place as well as provide you with recommendations. For more information on these services and more, be sure to visit our SOC and Internal Audit services pages and don’t hesitate to reach out to contact us with any questions.


About the Author

Chris Fieger

Chris joined McKonly & Asbury in 2019 and is currently a Manager with the firm. He is a member of the firm’s System and Organization Controls (SOC) & Technology consulting practice, performing SOC 1, SOC 2, and SOC 3 engagements, as… Read more

Related Services

Subscribe to Our Newsletter