Having a remediation plan in place to address control gaps, and monitoring remediation progress, are key factors in complying with Sarbanes-Oxley (SOX) Section 404. A control gap occurs when a control does not exist, does not effectively mitigate a risk or is not operating effectively. Control gaps can relate to the design effectiveness or operating effectiveness of the control.
This guide provides SOX project teams with the steps they need to take to identify control gaps and implement a remediation action plan. It outlines the following steps: identify the control gap, identify a compensating control, develop a remediation action plan, implement the remediation action plan, update the control documentation, and confirm the remediation implementation. Key success factors include:
- All control gaps are recorded in a remediation log or register.
- The potential impact of the control gap is understood.