
Blackbelt 404.

Compliance For The Sane

What makes a key control?

September 01, 2006

The IIA defines a Key Control here:

"A key control is a control that, if it fails, means there is at least a reasonable likelihood that a material error in the financial statements would not be detected on a timely basis." (page 29)

They also provide signs that are "highly persuasive" that a control is key:



    1. Operating management considers it key
    2. Common sense indicates it is a key control
    3. The control addresses an assertion or risk that is not addressed by other controls
    4. It directly addresses a section in the Sarbanes-Oxley legislation, etc.
    5. It describes a key role in monitoring the effectiveness of controls across the entity
    6. The external auditor considers the control as key

They say, should a control that has one or more of those signs still not cause more than a remote likelihood of a financial misstatement if it fails, "management should consult with the external auditor to reach agreement that they are not key".

I have only respect for the IIA but I don't know what this is about. If a Key Control is a control without which there is a reasonable risk of financial misstatement, then a control that is not needed to prevent financial misstatement is not key. What exactly is there to discuss?

One of my external auditors must read this IIA literature when nobody's looking. Cuz I have these "discussions" with him all the time. They usually go something like this:

External Auditor: You missed a key control.

Me: But it doesn't affect our financials. Even without your so-called "key" control, we have other controls that would prevent or detect all reasonably possible financial statement risks associated with the process in question.

External Auditor: So what? But it's key!

Me: Um, no it's not. How can it be key if it doesn't meet the definition of Key, which is that it is needed to protect the financials from misstatement?

External Auditor: But operating management considers it key!

Me: Operating management didn't read AS-2. Had they, they'd know the definition of a Key Control. As it is, they're just talking out of their hats.

External Auditor: But common sense indicates it's key!

Me: Um, common sense indicates that if a control doesn't fit the definition of Key it isn't Key.

(The conversation usually goes downhill from there)

404 is about one thing only: Misstatement of financial statements.

Not safeguarding of assets.

Not efficiency and effectiveness of operations.

If the financial statements are reasonably protected from misstatement, nothing else matters -- your Key Controls are effective and you've passed 404. And the combination of controls that accomplished that - they are your Key Controls. Even if management, your external auditors, and common sense all consider other controls "key".

404 is about preventing financial misstatements; not about the opinion of management, external auditors, nor even - sigh - common sense.

posted timely by shapi, 6:45 AM

3 Comments:

The problem is the IIA has the same flaw as the PCAOB - no enforcement ability. The external auditors do what they want and nobody has the authority to change that. At least the PCAOB officially sets standards. The IIA is nothing. Nobody pays any attention to them at all. They should get lives.
commented by Anonymous, 10:46 PM

Based on what you are saying, if there are redundant controls, which one is key? Both or none?
commented by Tacnic, 6:01 AM

Either one - it's your choice. If you have 2 controls that effectively mitigate a risk, then which one to make "key" is at your discretion. You can make your choice based on efficiency, effectiveness, expense, or flip a coin. Doesn't matter. As long as you have tested a set of controls which collectively mitigate all the financial statement risks, you've fulfilled 404.
commented by Shapi, 11:16 AM
