How to Use HALEY to Generate a SOX Control Narrative

Step 1: Define the Control You Want to Document

Start with a specific control, process, and system:
“Write a SOX control narrative for a user access termination control in Oracle Cloud ERP.”
HALEY will prompt for details like:
  • Is it manual or automated?
  • What roles or teams perform it?
  • What system or GRC tool is involved?

Step 2: Request a Narrative Format with Key Attributes

Use this structured prompt:
“Generate a control narrative for ITGC – Quarterly User Access Review – using COSO and AS 2201 guidance. Include objective, frequency, evidence, and control owner.”
HALEY will return:
  • A paragraph-form narrative
  • Optional RACM-aligned tabular format
  • Clearly referenced frameworks (e.g., COSO Principle 10, AS 1105 for evidence)

Step 3: Add Specific GRC Tool or ERP Context

Examples:
“Write the narrative assuming the control is executed using Oracle Risk Management Cloud.”
“Include how SafePaaS automates the evidence collection step.”
This ensures:
  • Tool configuration is reflected in control design
  • Control is realistic and testable in your environment
  • Auditors can map configuration to process

Step 4: Use HALEY to Validate the Narrative for PCAOB & COSO Alignment

Ask:
“Does this narrative align with COSO Principle 11 and AS 2201 testing requirements?”
“What’s missing to make this a high-precision SOX control?”
HALEY will:
  • Identify missing attributes (e.g., frequency, approver roles)
  • Suggest stronger language for control precision
  • Recommend automated vs. manual classification if unclear

Narrative Example: Quarterly User Access Review (ITGC)

Control Objective: Ensure users with access to financially significant applications maintain access appropriate to their job roles.
Narrative:
"On a quarterly basis, the IT Compliance team generates a system-based access listing from Oracle Risk Management Cloud. Business owners are assigned their respective user population and are required to review, validate, and sign off on each user’s access based on job responsibilities. Any exceptions (e.g., terminated or role-inappropriate users) are documented and remediated within 5 business days. Completion is tracked in SafePaaS, with audit trails and reviewer sign-off reports archived. This control aligns with COSO Principle 10 (Control Activities) and is tested under PCAOB AS 2201."

Common Narrative Mistakes to Avoid

Poor Practice:
  • “We check user access.”
  • Vague evidence references
  • No COSO or PCAOB mapping

Better Practice

“The control owner executes a quarterly review using SafePaaS with documented sign-off.”
Specify: “PDF approval export, remediation ticket, and audit log from Oracle RMC.”
Include: “Aligned to COSO Principle 10 and tested per AS 2201 requirements.”
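The attribute check in Step 4 and the "poor practice" list above can be approximated with a small linter that looks for the attributes a reviewer expects (frequency, control owner, evidence, remediation timeline, COSO and PCAOB mapping) and flags vague wording. This is an added example, not HALEY's own logic or any SafePaaS/Oracle code; the attribute list, the regular expressions and the "high/low" precision rule are assumptions chosen for the demonstration, and the sample narratives are the page's own quarterly UAR example and its poor/better practice phrases.

```python
"""Lint a SOX control narrative for the attributes a reviewer looks for.

Added example, not HALEY's logic: it approximates Step 4 ("identify missing
attributes") and the "Common Narrative Mistakes" list with regular expressions.
The attribute names, patterns and precision rule are assumptions for this demo.
"""
import re

# Each attribute maps to a pattern that signals it is present in the narrative.
ATTRIBUTE_PATTERNS = {
    "frequency": re.compile(r"\b(daily|weekly|monthly|quarterly|annual|annually)\b", re.I),
    "control_owner": re.compile(
        r"\b(control owner|compliance team|business owners?|reviewer|approver)\b", re.I),
    "evidence": re.compile(
        r"(sign[- ]?off|audit (trail|log)|ticket|report|export|listing)", re.I),
    "remediation_timeline": re.compile(r"\bwithin \d+ (business |calendar )?days\b", re.I),
    "coso_mapping": re.compile(r"\bCOSO Principle \d+\b"),
    # PCAOB auditing standards are cited as "AS nnnn", e.g. AS 2201 (case-sensitive).
    "pcaob_mapping": re.compile(r"\bAS \d{4}\b"),
}

# Wording a reviewer would flag as too vague for a high-precision control.
VAGUE_PATTERNS = [
    re.compile(p, re.I) for p in (
        r"\bwe check\b", r"\bas needed\b", r"\bperiodically\b",
        r"\bfrom time to time\b", r"\bsomeone\b",
    )
]


def lint_narrative(text):
    """Return present/missing attributes, vague phrases found, and a precision verdict.

    Precision is "high" only when every attribute is present and nothing vague
    was found; otherwise "low" (assumed rule, not a SOX-defined threshold).
    """
    present = [name for name, rx in ATTRIBUTE_PATTERNS.items() if rx.search(text)]
    missing = [name for name in ATTRIBUTE_PATTERNS if name not in present]
    vague = sorted({m.group(0).lower() for rx in VAGUE_PATTERNS for m in rx.finditer(text)})
    precision = "high" if not missing and not vague else "low"
    return {"present": present, "missing": missing, "vague": vague, "precision": precision}


# Sample input: the page's quarterly UAR narrative, its "poor practice" phrase,
# and its "better practice" sentence (all quoted from the page).
UAR_NARRATIVE = (
    "On a quarterly basis, the IT Compliance team generates a system-based access "
    "listing from Oracle Risk Management Cloud. Business owners are assigned their "
    "respective user population and are required to review, validate, and sign off "
    "on each user's access based on job responsibilities. Any exceptions (e.g., "
    "terminated or role-inappropriate users) are documented and remediated within "
    "5 business days. Completion is tracked in SafePaaS, with audit trails and "
    "reviewer sign-off reports archived. This control aligns with COSO Principle 10 "
    "(Control Activities) and is tested under PCAOB AS 2201."
)
POOR_NARRATIVE = "We check user access."
BETTER_PRACTICE = ("The control owner executes a quarterly review using SafePaaS "
                   "with documented sign-off.")

if __name__ == "__main__":
    for label, text in [("UAR example", UAR_NARRATIVE),
                        ("poor practice", POOR_NARRATIVE),
                        ("better practice", BETTER_PRACTICE)]:
        result = lint_narrative(text)
        print(f"{label}: precision={result['precision']} "
              f"missing={result['missing']} vague={result['vague']}")
```

Running it shows the full UAR narrative passing on every attribute, the one-line "We check user access." missing all six and flagged for vague wording, and the "better practice" sentence still missing a remediation timeline and the COSO/PCAOB references, which is exactly the gap the "Specify:" and "Include:" lines above fill.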

Pro Tip: Use Narrative Templates from RACM_TEMPLATE.xlsx

If you have the RACM structure already:
“Fill out the control narrative column in the RACM for the SAP Change Management process using AS 2201 and COSO.”
HALEY can automatically generate narratives aligned to control IDs and descriptions already documented.

2025 All rights reserved @ HALEY blueprint. “Powered By Novatore Solutions”