Tip of the Week
Downloads Contact Us Feedback Links Resources Sitemap FAQs
Compliance Process Flow

Compliance Process Flow

SOX Expert software assumes that the GRC Compliance Project will follow the following information flow.


Or if not using the Process Risk Analysis

Simply put, for those changes that affect controls identified in the business process, the user would update the Risk Control Matrix.  Once all the Risk Control Matrixes are updated, the user instructs SOX Expert software to update the Process Risk Analyses, if using them. After analyzing business process risks in the Process Risk Analyses, the user would then instruct SOX Expert software to update the  update the Risk Control Matrix for any changes made in the Process Risk Analyses. Once done with updating the Risk Control Matrices, the user instructs SOX Expert software to create the Test Plan, and GRC compliance testing for the year can begin.

Typical GRC Compliance Cycle utilizing SOX Expert software is shown below:

Year 1, Implementation

  1. Document your business processes usually in a Business Process Narrative identifying controls surrounding each process.
  2. Complete a Risk Control Matrix (RCM) for each business process.
  3. Run the Create Test Plan macro on each RCM when testing is ready to begin.
  4. Complete process testing.
  5. Report testing compliance results.
  6. Run the Recreate RCM macro on each Test Plan after completion of testing to recreate the RCMs and update the RCMs for any changes that you may have made to control activity information during GRC testing.

Year 2, using the Process Risk Analysis (PRA) for the first time

  1. Run the Update Prior Year Control Level macro to populate the Prior Year Control Level field in your RCMs.
  2. Run the Create PRA macro to create the PRAs from the RCMs.
  3. Complete the PRA identifying the risks and determining how well the existing controls mitigate the risks. Add controls where necessary.
  4. Run the Add Risk # to PRAs macro.
  5. Run the Update RCM from Data Items in PRA macro to update the RCM for changes you have made in the PRA.
  6. Update the RCM for any other changes to the business process that may have occurred since the previous year.
  7. Continue with Year 1 - Step 3 above.

Year 3, assuming PRA was in use in the prior year

  1. Run the Update Prior Year Control Level macro to populate the Prior Year Control Level field in your RCMs.
  2. Run the Update PRA from Data Items in RCM macro to update the PRAs from the RCM for changes that may have been made to data fields during SOX testing in the prior year.
  3. Run the Change Year in PRA Data macro to change the years in the Control Level column headings and to transfer Current Year Risk Ratings to Prior Year Risk Ratings.
  4. Run the Update CY Control Level Field macro to copy the Current Year Control Level to the Prior Year Control Level. You will have the option to retain the Current Year Control Level or delete it and evaluate it in the current year.
  5. Update the PRA evaluating risks and determining how updates to existing controls have effected risk mitigation. Add risks and controls where necessary.
  6. Continue with Year 2 - Step 5 above.

If the PRA is not utilized, then simply omit the Steps that involve the PRA above.

Learn More





1. Your CFO says your SOX Compliance costs are too high.
2. You use more than one software solution to manage your GRC compliance program.
3.You already use Microsoft Excel for your Risk Control Matrix and/or Control Testing.

see more...

4.Your Risk Control Matrix and Test Plans are separate documents that do not dynamically update each other for changes you make.
5.You spend more than 15 minutes each day or 1 hour per week generating management reports to monitor and summarize your controls testing.
6.Your current software is too hard to use or does not automatically produce the management reports you need.
7.You cannot easily explain to your external auditor how your controls have changed year over year.
8.Your software does not alert you to missing information or improper values.
9.Your software does not provide visual highlights for required and/or incomplete testing.
10.Your software does not provide you with an adequate top down control profile of your organization.




Tip Of The Week