There is no official definition of a key control in SOX. Some guidance on this topic is taken from PCAOB AS 5.11, but a clear distinction between "key controls" and "non-key controls" is not codified. It is entirely a matter of judgment, and there is no commonly accepted definition of a key control. However, being able to distinguish the two concepts can save time otherwise spent documenting and testing controls that are not important. In this post, I describe some common characteristics of these two categories.
A Key Control has the following characteristics:
It is required to provide reasonable assurance that material errors will be prevented or detected in a timely manner
It is the only control that covers a given risk of material misstatement (it is indispensable for meeting its control objective)
If it fails, it is highly improbable that another control would detect the failure
It is a control that covers more than one risk or supports the execution of a whole process
It is usually part of entity-level controls or high-level analytical controls
It needs to be tested to provide assurance over financial statement assertions (as part of SOX compliance)
A Non-Key Control has the following characteristics:
It is also referred to as a sub-process, secondary, activity or operative control
It can fail without affecting a whole process
It is in place to monitor certain information
It has an indirect effect on the risk of material misstatement
Its importance should not be minimized (non-key controls are still subject to monitoring)
It should not involve significant transactions
It is generally excluded from testing (as part of control rationalization or streamlining efforts)
Its testing can consist of obtaining the walkthrough documentation
It could be evaluated under a Control Self-Assessment (CSA) program
Since there is no official definition, the categorization of controls as key or non-key depends on each company and, sometimes in practice, on each business owner. In addition, some people refer to non-key controls as non-SOX controls. What is your experience with this?