sox-control-operating-effectivenessTesting Exception Remediation

The process of preparing for the second round of Effectiveness Testing is known as Remediation.  Similar to the Remediation of Design Gaps, the purpose here is to “fix” what is not working in the controls.  The reasons for testing exceptions are discussed with the Process Owner so that they fully understand what is not operating effectively.  If a change in procedures is required, it should be implemented as soon as practical.  More often, however, failures are the result of a mistake or an oversight in performing or documenting a Key Control.  Remediation may consist of simply reemphasizing the importance of completing and documenting all Key Control steps.  The Process Owner commits to a remediation date, from which the control failures are fixed and the control will consistently operate as designed.  When the second round of testing is performed, the auditors will use that date as the beginning of the population period.  Since many controls operate monthly or quarterly, it is important to build in plenty of time to allow for remediation of controls.  If the first round of testing occurs too late in the year to remediate failures, the controls will be deemed ineffective.

The Precipio Group can help you develop and implement a strategy for remediating any control exceptions identified during Effectiveness Testing.