Risks have controls, which are methods by which you ensure the process is working, or that the risk is being avoided. For example, a control might be that you only pay employees for hours authorized by the timesheet software. Or you manually compare authorized hours to paid hours each pay period. Or you install a security camera at the badge reader.
Controls have tests. For example, a test would be to compare your timesheet software reports to bank records. Tests have results, which are the stored records of those comparisons. A test for buddy punching prevention is to look at the video tapes from your security camera, the result of which might be a log book describing what you saw. Tests can be performed on a weekly, monthly or quarterly basis or as part of scheduled testing (by payroll professionals), or as often as needed by internal auditors.
All of these processes, objectives, risks, controls, tests, and results can be put into a SOX control matrix. Here is a sample of what one of these would look like:
| Sub-Process | Objective | Risk | Control | Test | Result |
|---|---|---|---|---|---|
| Payroll Calculation | Accurate | Buddy Punch | Hand scanner used by all hourly employees | Compare paychecks to scanner records manually | Records of use compared to payroll records |
| Payroll Calculation | Accurate | Unauthorized work | Timesheet software | Compare authorized hours to paid hours | Records of report comparisons |
| Payroll Calculation | Accurate | Wrong salary used | Separation of duties for salary entry vs. time data entry | Examine signatures on certain forms | Records of examination |
This can go on and on. I’ve given some payroll-oriented examples but many SOX concerns may have nothing to do with payroll. In your company, the terminology may be different. For example, some consultancies refer to process/sub-process and others to cycle/sub-cycle. An objective may be termed a control objective.
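The "Compare authorized hours to paid hours" test from the matrix above, worked through as an added Python example (not code from the original article): the test reconciles two per-period reports and writes its findings into a result record, which is the stored evidence the "Result" column refers to. Employee ids, hours and the `ControlTestResult` structure are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class ControlTestResult:
    """Stored record of one run of a control test (the matrix's 'Result' column)."""
    sub_process: str
    control: str
    test: str
    period_end: str          # pay period the test covers, e.g. "2024-01-31"
    exceptions: list = field(default_factory=list)

    @property
    def passed(self) -> bool:
        return not self.exceptions


def compare_authorized_to_paid(authorized: dict, paid: dict, period_end: str,
                               tolerance: float = 0.0) -> ControlTestResult:
    """Reconcile hours authorized in the timesheet system against hours paid by payroll.

    `authorized` and `paid` map employee id -> hours for one pay period.
    Every employee who was paid is checked: a payee with no timesheet record at all,
    or whose paid hours differ from authorized hours by more than `tolerance`,
    is written to the result as an exception for an auditor to follow up.
    """
    result = ControlTestResult(
        sub_process="Payroll Calculation",
        control="Timesheet software",
        test="Compare authorized hours to paid hours",
        period_end=period_end,
    )
    for emp, paid_hours in sorted(paid.items()):      # sorted: deterministic evidence order
        auth_hours = authorized.get(emp)
        if auth_hours is None:
            result.exceptions.append((emp, "paid with no authorized timesheet", paid_hours))
        elif abs(paid_hours - auth_hours) > tolerance:
            reason = ("paid hours exceed authorized" if paid_hours > auth_hours
                      else "paid hours below authorized")
            result.exceptions.append((emp, reason, round(paid_hours - auth_hours, 2)))
    return result


# Constructed sample reports for one pay period (not real payroll data).
AUTHORIZED = {"E100": 80.0, "E101": 72.5, "E102": 80.0}
PAID = {"E100": 80.0, "E101": 80.0, "E102": 80.0, "E103": 16.0}

if __name__ == "__main__":
    r = compare_authorized_to_paid(AUTHORIZED, PAID, "2024-01-31")
    print("PASS" if r.passed else "FAIL", r.exceptions)
```

Run each pay period, the returned records accumulate into the "Records of report comparisons" that internal auditors sample; a clean period still produces a record, since a test with no stored result is not evidence that it was performed.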