From Protiviti’s Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements
This sample document can be used as a guide to assessing controls at the process or activity level. Example steps include selecting the priority elements, understanding the processes, sourcing the risks, documenting the key controls, assessing the control design, and validating the control operation and reporting.
The following key questions should be considered when executing these steps: What are the risks of a material misstatement? Where are those risks? What are the key controls? Who owns the key controls? How is the control design rated? What are the risks of control failure? How are the controls performing? Does a material weakness exist?