Subject: File No. S7-11-06
From: Jeffrey Shapiro
Affiliation: Senior Internal Auditor

September 18, 2006

We need more guidance regarding the definitions the following terms:

1) "Key" control -- It is clearly stated that a key control is one which is vital for the protection of the financial statements, yet a gray area exists in a case where a control is understood by management as fundamental to a process, yet less fundamental, compensating controls also suffice to prevent financial misstatement. Is there any reason to consider the more fundamental control "key"? Is there any reason to prefer a preventive control over a detective one?

2) "Effectiveness" of controls -- External auditors have been citing instances where, even though the controls are effective, they "would like to see" additional or "different" controls, because they are "even more effective" than the ones in place. This is not correct. It may therefore be reasonable for management, under various circumstances, to forgo having the "best" controls, in favor of less expensive, but acceptable ones. But in any case, as long as a combination of controls reduces the risk of financial statement to below the required level, 404 has been fulfilled. Having the "most effective" controls is not only not a requirement, it is not even recognized. This should to be recognized in the Standard.

3) Re question #18, ITCG -- The treatment of ITC as a realm apart from financial controls is a wasteful distraction from 404 objectives, and a misapplied byproduct of financial statement audit theory. For 404, any set of controls that mitigate the financial statement risks - i.e. that safeguard the assertions - is sufficient. The classifying of certain controls as IT and others as financial and the resultant differential treatment they receive is counterproductive and highly inefficient. While I recognize that certain ITGC cannot be compensated for by financial controls (such as program change controls), there is no reason to treat these critical IT controls any differently than critical financial controls. The wall between ITC and FC should fall, and both types of controls should be directed toward the objective of mitigating risks to the financial assertions. If there is any reason to classify ITGC separately from FC, it is in the same sense that we classify preventive controls separately from detective controls, or automated controls form manual controls. A good combination of both is desired - and perhaps even needed - but the testing guidelines and identification of key controls should be one exercise that includes both categories. Just as preventive and detective controls are consolidated to form a single set of controls that are designated by management to mitigate the financial risks, so too should ITGC and FC be integrated as well.