In a previous post, I demonstrated a method I use to determine if a control is ICFR or not. In this post, I would like to elaborate further in hopes of helping anyone out there who may benefit from this approach.
In my professional judgment, controls with three or more DoRS that separate them from the risk of material misstatement are non-ICFR controls. Here are two examples to illustrate the process of determining how many DoRS there are to material misstatement.
Control #1: Programmer access to production is prohibited.
1st degree: Programmer gains access to the production environment and makes a change to a G/L balance.
2nd degree: The change is not caught during the reconciliation process and causes a material misstatement of the financials.
Conclusion: The control is ICFR
1st degree: Lack of raised floor causes increase in temperature.
2nd degree: All customer hard drives of a server hosting a financially relevant application crash.
3rd degree: There are no redundant or replicated production servers, or they are all hosted at the same datacenter and crashed as well.
4th degree: Backups do not exist for the data on the crashed hard drives.
5th degree: The data on the crashed hard drives cannot be re-created from source documents.
6th degree: The lost data causes the company to materially misstate its financials.
Conclusion: The control is not ICFR
Please use the form below to upload your list of controls. I do not need the entire SAS 70 or SSAE 16 report, just the list of controls. It would also be great if the company names were already sanitized to save me some time and keep things confidential. If you include your email address in the comments section, I will know how to send back your analyzed document.
Thanks for your help! Together we are going to revolutionize the risk assurance industry.