SOX 404 top-down risk assessment
Encyclopedia
In financial audit
ing of public companies
in the United States
, SOX 404 top-down risk assessment (TDRA) is a financial risk assessment
performed to comply with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX 404). The term is used by the U.S. Public Company Accounting Oversight Board
(PCAOB) and the Securities and Exchange Commission (SEC). The TDRA is used to determine the scope and required evidence to support management's testing of its internal control
s under SOX404. It is also used by the external auditor to issue a formal opinion on the company's internal controls. However, as a result of the passage of Auditing Standard No. 5, which the SEC has since approved, external auditors are no longer required to provide an opinion on management's assessment of its own internal controls.
Detailed guidance about performing the TDRA is included with PCAOB Auditing Standard No. 5 (Release 2007-005 "An audit of internal control over financial reporting that is integrated with an audit of financial statements") and the SEC's interpretive guidance (Release 33-8810/34-55929) "Management's Report on Internal Control Over Financial Reporting"). This guidance is applicable for 2007 assessments for companies with 12/31 fiscal year-ends. The PCAOB release superseded the existing PCAOB Auditing Standard No. 2, while the SEC guidance is the first detailed guidance for management specifically.
The language used by the SEC Chairman in announcing the new guidance was very direct: "Congress never intended that the 404 process should become inflexible, burdensome, and wasteful. The objective of Section 404 is to provide meaningful disclosure to investors about the effectiveness of a company’s internal controls systems, without creating unnecessary compliance burdens or wasting shareholder
resources.” Based on this statement and the new guidance, it appears the SEC and PCAOB expect a significant reduction in costs associated with SOX 404 compliance, by focusing efforts on higher-risk areas and reducing efforts in lower-risk areas.
TDRA is a hierarchical framework that involves applying specific risk factors to determine the scope and evidence required in the assessment of internal control. Both the PCAOB and SEC guidance contain similar frameworks. At each step, qualitative or quantitative risk factors are used to focus the scope of the SOX404 assessment effort and determine the evidence required. Key steps include:
Management is required to document how it has interpreted and applied its TDRA to arrive at the scope of controls tested. In addition, the sufficiency of evidence required (i.e., the timing, nature, and extent of control testing) is based upon management (and the auditor's) TDRA. As such, TDRA has significant compliance cost
implications for SOX404.
New under the SEC guidance is the concept of also rating each significant account for "misstatement risk" (low, medium, or high), based on similar factors used to determine significance. The misstatement risk ranking is a key factor used to determine the nature, timing, and extent of evidence to be obtained. As risk increases, the expected sufficiency of testing evidence accumulated for controls related to significant accounts increases (see section below regarding testing & evidence decisions).
Both significance and misstatement risk are inherent risk concepts, meaning that the conclusions are determined excluding the effectiveness of controls. Control effectiveness theoretically applies to testing and evidence decisions, not account scope decisions.
Internal Control-Integrated Framework, a standard of internal control
widely used for SOX compliance, states: "A precondition to risk assessment is the establishment of objectives..." and "Risk assessment is the identification and analysis of relevant risks to achievement of the objectives." The SOX guidance states several hierarchical levels at which risk assessment may occur, such as entity, account, assertion, process, and transaction class. Objectives, risks, and controls may be analyzed at each of these levels. The concept of a top-down risk assessment means considering the higher-levels of the framework first, to filter from consideration as much of the lower-level assessment activity as possible.
Management first develops listings of entity-wide control objectives. An example is: "Employees are aware of the Company's Code of Conduct." The COSO 1992/1994 Framework defines each of the five components of internal control (i.e., Control Environment, Risk Assessment, Information & Communication, Monitoring, and Control Activities). Evaluation suggestions are included at the end of key chapters and in the "Evaluation Tools" volume; these can be modified into objective statements.
Next, management develops listings of assertion-level control objectives related to the in-scope (significant) accounts. An example of an assertion-level objective is "Revenue is recognized only upon the delivery of products and services." Lists of assertion-level control objectives are available in most financial auditing textbooks and require tailoring to the organization. Excellent examples are also available in AICPA Statement on Auditing Standards No. 110 (SAS 110) for the inventory process. SAS 106 includes the latest guidance on financial statement assertions.
Management develops a listing of MMR, linked to the specific accounts and control objectives developed above. MMR may be identified by asking the question: "What can go wrong related to the account, assertion or objective?" MMR may arise within the accounting function (e.g., regarding estimates, judgments, and policy decisions) or the internal and external environment (e.g., corporate departments that feed the accounting department information, economic and stock market variables, etc.) Communication interfaces, changes (people, process or systems), fraud vulnerability, management override of controls, incentive structure, complex transactions, and degree of judgment or human intervention involved in processing are other high-risk topics.
In general, management considers questions such as: What is really difficult to get right? What accounting problems have we had in the past? What has changed? Who might be capable or motivated to commit fraud or fraudulent financial reporting? As a high percentage of financial frauds historically have involved the overstatement of revenue, such accounts typically merit additional attention. AICPA Statement on Auditing Standards No. 109 (SAS 109) also provides helpful guidance regarding financial risk assessment.
Under the 2007 guidance, companies are required to perform a fraud risk assessment and assess related controls. This typically involves identifying scenarios in which theft or loss could occur and determining if existing control procedures effectively manage the risk to an acceptable level. The risk that senior management might override important financial controls to manipulate financial reporting is also a key area of focus in the fraud risk assessment.
In practice, many companies combine the objective and risk statements when describing MMR. These MMR statements serve as a target, focusing efforts to identify mitigating controls.
Judgment is typically the best guide for selecting the most important controls relative to a particular risk for testing. PCAOB AS5 introduces a three-level framework describing entity-level controls at varying levels of precision (direct, monitoring, and indirect.) As a practical matter, control precision by type of control, in order of most precise to least, may be interpreted as:
It is increasingly difficult to argue that reliance upon controls is reasonable in achieving assertion-level objectives as one travels along this continuum from most precise to least, and as risk increases. A combination of type 3 & 4 controls above (direct entity-level) may help reduce the number of type 1 & 2 controls (transactional) that require assessment for particular risks, especially in lower-risk, transaction-intensive processes.
Under the 2007 guidance, it appears acceptable to place significantly more reliance on the period-end controls (i.e., review of journal entries and account reconciliations) than in the past, effectively addressing many of the material misstatement risks and enabling either: a) the elimination of a significant number of transactional controls from the prior-year's scope of testing; or b) reducing related evidence obtained. The number of transaction-level controls may be reduced significantly, particularly for lower-risk accounts.
With account misstatement risk and CFR defined, management can then conclude on ICFR risk (low, medium, or high) for the control. ICFR is the key risk concept used in evidence decisions.
Management has significant flexibility regarding the following testing and evidence considerations, in the context of the ICFR risk related to a given control:
Pervasive factors that also affect the evidence considerations above include:
The external auditors ability to rely on management's testing follows similar logic. Reliance is proportional to the competence and objectivity of the management person that completed the testing, also in the context of risk. For the highest risk areas, such as the control environment and period-end reporting process, internal auditors or compliance teams are likely the best choices to perform testing, if a significant degree of reliance is expected from the external auditor. The ability of the external auditor to rely on management's assessment is a major cost factor in compliance.
Automate and Benchmark: Key fully automated IT application controls have minimal sample size requirements (usually one, as opposed to as many as 30 for manual controls) and may not have to be tested directly at all under the benchmarking concept. Benchmarking (see Appendix B of the PCAOB guidance) allows fully automated IT application controls to be excluded from testing if certain IT change management controls are effective. For example, many companies rely heavily on manual interfaces between systems, with spreadsheets created for downloading and uploading manual journal entries. Some companies process thousands of such entries each month. By automating manual journal entries, both labor and SOX assessment costs may be dramatically reduced. In addition, the reliability of financial statements is improved.
Rely on Direct Entity-Level Controls: The guidance emphasizes identifying which direct entity-level controls, particularly the period-end process and certain monitoring controls, are sufficiently precise to remove assertion-level (transactional) controls from scope. The key is to determine which combination of entity-level and assertion-level controls address particular MMR.
Minimize Roll-forward Testing: Management has more flexibility under the new guidance to extend the effective date of testing performed during mid-year ("interim") periods to the year-end date. Only the higher risk controls will likely require roll-forward testing under the new guidance. PCAOB AS5 indicates that inquiry procedures, regarding whether changes in the control process occurred between the interim and year-end period, may be sufficient in many cases to limit roll-forward testing.
Revisit Scope of Locations or Business Units Assessed: This is a complex area requiring substantial judgment and analysis. The new guidance focuses on specific MMR, rather than dollar magnitude in determining the scope and sufficiency of evidence to be obtained at decentralized units. The interpretation (common under the previous guidance) that a unit or group of units is material and therefore a large number of controls across multiple processes require testing, has been superseded. Where account balances from single units or groups of similar units are a material portion of the consolidated account balance, management should carefully consider whether MMR may exist relative to these accounts only. Testing focused on just the controls related to the MMR should then be performed. Monitoring controls, such as detailed performance review meetings with robust reporting packages, should also be considered to limit transaction-specific testing.
Focus IT application control testing: There has never been a requirement to perform comprehensive IT application control testing (i.e., input-processing-output controls) for financial systems. Only the fully automated application controls identified as key to addressing specific MMR require testing; these may be benchmarked as discussed above. An example is an automated vendor master file control that ensures only valid vendor name and address combinations can be input during accounts payable invoice processing. As such controls are identified as key, they should be tested or benchmarked. There are typically several such key controls in each transactional process.
Financial audit
A financial audit, or more accurately, an audit of financial statements, is the verification of the financial statements of a legal entity, with a view to express an audit opinion...
ing of public companies
Public company
This is not the same as a Government-owned corporation.A public company or publicly traded company is a limited liability company that offers its securities for sale to the general public, typically through a stock exchange, or through market makers operating in over the counter markets...
in the United States
United States
The United States of America is a federal constitutional republic comprising fifty states and a federal district...
, SOX 404 top-down risk assessment (TDRA) is a financial risk assessment
Risk assessment
Risk assessment is a step in a risk management procedure. Risk assessment is the determination of quantitative or qualitative value of risk related to a concrete situation and a recognized threat...
performed to comply with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX 404). The term is used by the U.S. Public Company Accounting Oversight Board
Public Company Accounting Oversight Board
The Public Company Accounting Oversight Board is a private-sector, non-profit corporation created by the Sarbanes–Oxley Act, a 2002 United States federal law, to oversee the auditors of public companies. Its stated purpose is to 'protect the interests of investors and further the public interest...
(PCAOB) and the Securities and Exchange Commission (SEC). The TDRA is used to determine the scope and required evidence to support management's testing of its internal control
Internal control
In accounting and auditing, internal control is defined as a process effected by an organization's structure, work and authority flows, people and management information systems, designed to help the organization accomplish specific goals or objectives. It is a means by which an organization's...
s under SOX404. It is also used by the external auditor to issue a formal opinion on the company's internal controls. However, as a result of the passage of Auditing Standard No. 5, which the SEC has since approved, external auditors are no longer required to provide an opinion on management's assessment of its own internal controls.
Detailed guidance about performing the TDRA is included with PCAOB Auditing Standard No. 5 (Release 2007-005 "An audit of internal control over financial reporting that is integrated with an audit of financial statements") and the SEC's interpretive guidance (Release 33-8810/34-55929) "Management's Report on Internal Control Over Financial Reporting"). This guidance is applicable for 2007 assessments for companies with 12/31 fiscal year-ends. The PCAOB release superseded the existing PCAOB Auditing Standard No. 2, while the SEC guidance is the first detailed guidance for management specifically.
The language used by the SEC Chairman in announcing the new guidance was very direct: "Congress never intended that the 404 process should become inflexible, burdensome, and wasteful. The objective of Section 404 is to provide meaningful disclosure to investors about the effectiveness of a company’s internal controls systems, without creating unnecessary compliance burdens or wasting shareholder
Shareholder
A shareholder or stockholder is an individual or institution that legally owns one or more shares of stock in a public or private corporation. Shareholders own the stock, but not the corporation itself ....
resources.” Based on this statement and the new guidance, it appears the SEC and PCAOB expect a significant reduction in costs associated with SOX 404 compliance, by focusing efforts on higher-risk areas and reducing efforts in lower-risk areas.
TDRA is a hierarchical framework that involves applying specific risk factors to determine the scope and evidence required in the assessment of internal control. Both the PCAOB and SEC guidance contain similar frameworks. At each step, qualitative or quantitative risk factors are used to focus the scope of the SOX404 assessment effort and determine the evidence required. Key steps include:
- identifying significant financial reporting elements (accounts or disclosures)
- identifying material financial statementFinancial statementsA financial statement is a formal record of the financial activities of a business, person, or other entity. In British English—including United Kingdom company law—a financial statement is often referred to as an account, although the term financial statement is also used, particularly by...
risks within these accounts or disclosures - determining which entity-level controlsEntity-Level ControlsEntity-Level Controls are internal controls that help ensure that management directives pertaining to the entire entity are carried out. They are the second level of a top-down approach to understanding the risks of an organization...
would address these risks with sufficient precision - determining which transactionFinancial transactionA financial transaction is an event or condition under the contract between a buyer and a seller to exchange an asset for payment. It involves a change in the status of the finances of two or more businesses or individuals.-History:...
-level controls would address these risks in the absence of precise entity-level controls - determining the nature, extent, and timing of evidence gathered to complete the assessment of in-scope controls
Management is required to document how it has interpreted and applied its TDRA to arrive at the scope of controls tested. In addition, the sufficiency of evidence required (i.e., the timing, nature, and extent of control testing) is based upon management (and the auditor's) TDRA. As such, TDRA has significant compliance cost
Compliance cost
A compliance cost is expenditure of time or money in conforming with government requirements such as legislation or regulation. For example, people or organizations registered for value added tax have the extra burden of having to keep detailed records of all input tax and output tax to facilitate...
implications for SOX404.
Method
The guidance is principles-based, providing significant flexibility in the TDRA approach. There are two major steps: 1) Determining the scope of controls to include in testing; and 2) Determining the nature, timing and extent of testing procedures to perform.Determining scope
The key SEC principle related to establishing the scope of controls for testing may be stated as follows: "Focus on controls that adequately address the risk of material misstatement." This involves the following steps:Determine significance and misstatement risk for financial reporting elements (accounts and disclosures)
Under the PCAOB AS 5 guidance, the auditor is required to determine whether an account is "significant" or not (i.e., yes or no), based on a series of risk factors related to the likelihood of financial statement error and magnitude (dollar value) of the account. Significant accounts and disclosures are in-scope for assessment, so management typically includes this information in its documentation and generally performs this analysis for review by the auditor. This documentation may be referred to in practice as the "significant account analysis." Accounts with large balances are generally presumed to be significant (i.e., in-scope) and require some type of testing.New under the SEC guidance is the concept of also rating each significant account for "misstatement risk" (low, medium, or high), based on similar factors used to determine significance. The misstatement risk ranking is a key factor used to determine the nature, timing, and extent of evidence to be obtained. As risk increases, the expected sufficiency of testing evidence accumulated for controls related to significant accounts increases (see section below regarding testing & evidence decisions).
Both significance and misstatement risk are inherent risk concepts, meaning that the conclusions are determined excluding the effectiveness of controls. Control effectiveness theoretically applies to testing and evidence decisions, not account scope decisions.
Identify financial reporting objectives
Objectives help set the context and boundaries in which risk assessment occurs. The COSOCommittee of Sponsoring Organizations of the Treadway Commission
The Committee of Sponsoring Organizations of the Treadway Commission is a voluntary private-sector organization, established in the United States, dedicated to providing guidance to executive management and governance entities on critical aspects of organizational governance, business ethics,...
Internal Control-Integrated Framework, a standard of internal control
Internal control
In accounting and auditing, internal control is defined as a process effected by an organization's structure, work and authority flows, people and management information systems, designed to help the organization accomplish specific goals or objectives. It is a means by which an organization's...
widely used for SOX compliance, states: "A precondition to risk assessment is the establishment of objectives..." and "Risk assessment is the identification and analysis of relevant risks to achievement of the objectives." The SOX guidance states several hierarchical levels at which risk assessment may occur, such as entity, account, assertion, process, and transaction class. Objectives, risks, and controls may be analyzed at each of these levels. The concept of a top-down risk assessment means considering the higher-levels of the framework first, to filter from consideration as much of the lower-level assessment activity as possible.
Management first develops listings of entity-wide control objectives. An example is: "Employees are aware of the Company's Code of Conduct." The COSO 1992/1994 Framework defines each of the five components of internal control (i.e., Control Environment, Risk Assessment, Information & Communication, Monitoring, and Control Activities). Evaluation suggestions are included at the end of key chapters and in the "Evaluation Tools" volume; these can be modified into objective statements.
Next, management develops listings of assertion-level control objectives related to the in-scope (significant) accounts. An example of an assertion-level objective is "Revenue is recognized only upon the delivery of products and services." Lists of assertion-level control objectives are available in most financial auditing textbooks and require tailoring to the organization. Excellent examples are also available in AICPA Statement on Auditing Standards No. 110 (SAS 110) for the inventory process. SAS 106 includes the latest guidance on financial statement assertions.
Identify material risks to the achievement of the objectives
Those risks that inherently have a "reasonably possible" likelihood of causing a material error in the account balance or disclosure are the material misstatement risks ("MMR"). Note that this is a slight amendment to the "more than remote" likelihood language of PCAOB AS2, intended to limit the scope to fewer, more critical material risks and related controls.Management develops a listing of MMR, linked to the specific accounts and control objectives developed above. MMR may be identified by asking the question: "What can go wrong related to the account, assertion or objective?" MMR may arise within the accounting function (e.g., regarding estimates, judgments, and policy decisions) or the internal and external environment (e.g., corporate departments that feed the accounting department information, economic and stock market variables, etc.) Communication interfaces, changes (people, process or systems), fraud vulnerability, management override of controls, incentive structure, complex transactions, and degree of judgment or human intervention involved in processing are other high-risk topics.
In general, management considers questions such as: What is really difficult to get right? What accounting problems have we had in the past? What has changed? Who might be capable or motivated to commit fraud or fraudulent financial reporting? As a high percentage of financial frauds historically have involved the overstatement of revenue, such accounts typically merit additional attention. AICPA Statement on Auditing Standards No. 109 (SAS 109) also provides helpful guidance regarding financial risk assessment.
Under the 2007 guidance, companies are required to perform a fraud risk assessment and assess related controls. This typically involves identifying scenarios in which theft or loss could occur and determining if existing control procedures effectively manage the risk to an acceptable level. The risk that senior management might override important financial controls to manipulate financial reporting is also a key area of focus in the fraud risk assessment.
In practice, many companies combine the objective and risk statements when describing MMR. These MMR statements serve as a target, focusing efforts to identify mitigating controls.
Identify controls that address the material misstatement risks (MMR)
For each MMR, management determines which controls address the risk sufficiently and precisely enough to mitigate it. The word "mitigate" in this context means the control (or controls) reduces the likelihood of material error presented by the MMR to a "remote" probability. Even though multiple controls may bear on the risk, only those that address it as defined above are included in the assessment. In practice, these are called the "in-scope" or "key" controls.Judgment is typically the best guide for selecting the most important controls relative to a particular risk for testing. PCAOB AS5 introduces a three-level framework describing entity-level controls at varying levels of precision (direct, monitoring, and indirect.) As a practical matter, control precision by type of control, in order of most precise to least, may be interpreted as:
- Transaction-specific (non-entity level) - Review (or preventive system controls) related to specific, individual transactions;
- Transaction summary (non-entity level) - Review of reports listing individual transactions;
- Period-End Reporting - Journal entry review, account reconciliations or detailed account analysis;
- Direct Monitoring - Thorough review of summarized financial and operational information, or checklists verifying more detailed control procedures were completed (i.e., controls that monitor execution of other controls); and
- Indirect - Entity-level controlsEntity-Level ControlsEntity-Level Controls are internal controls that help ensure that management directives pertaining to the entire entity are carried out. They are the second level of a top-down approach to understanding the risks of an organization...
that are not linked to specific transactions, such as the control environment.
It is increasingly difficult to argue that reliance upon controls is reasonable in achieving assertion-level objectives as one travels along this continuum from most precise to least, and as risk increases. A combination of type 3 & 4 controls above (direct entity-level) may help reduce the number of type 1 & 2 controls (transactional) that require assessment for particular risks, especially in lower-risk, transaction-intensive processes.
Under the 2007 guidance, it appears acceptable to place significantly more reliance on the period-end controls (i.e., review of journal entries and account reconciliations) than in the past, effectively addressing many of the material misstatement risks and enabling either: a) the elimination of a significant number of transactional controls from the prior-year's scope of testing; or b) reducing related evidence obtained. The number of transaction-level controls may be reduced significantly, particularly for lower-risk accounts.
Considerations in testing and evidence decisions
The key SEC principle regarding evidence decisions can be summarized as follows: "Align the nature, timing and extent of evaluation procedures on those areas that pose the greatest risks to reliable financial reporting." The SEC has indicated that the sufficiency of evidence required to support the assessment of specific MMR should be based on two factors: a) Financial Element Misstatement Risk ("Misstatement Risk") and b) Control Failure Risk. These two concepts together (the account- or disclosure-related risks and control-related risks) are called "Internal Control over Financial Reporting Risk" or "ICFR" risk. A table was included in the guidance to illustrate this concept; it is the only such table, which indicates the emphasis placed on it by the SEC. ICFR risk should be associated with the in-scope controls identified above and may be part of that analysis. This involves the following steps:Link each key control to the "Misstatement Risk" of the related account or disclosure
Management identified the misstatement risk for each significant account and disclosure as part of the scoping assessment above. The low, medium, or high ranking assessed should be associated with the controls related to the account. One way of accomplishing this would be to include the ranking within the control inventory or control matrix documents of the company.Rate each key control for "Control Failure Risk (CFR)" and "ICFR Risk"
CFR is applied at the individual control level, based on factors in the guidance related to complexity of processing, manual vs. automated nature of the control, judgment involved, etc. Management fundamentally asks the question: "How difficult is it to execute this control properly each and every time?"With account misstatement risk and CFR defined, management can then conclude on ICFR risk (low, medium, or high) for the control. ICFR is the key risk concept used in evidence decisions.
Consider the impact of risk on the timing, nature, and extent of testing
The guidance provides flexibility in the timing, nature and extent of evidence based on the interaction of Misstatement Risk and Control Failure Risk (together, ICFR Risk). These two factors should be used to update the "Sampling and Evidence Guide" used by most companies. As these two risk factors increase, the sufficiency of evidence required to address each MMR increases.Management has significant flexibility regarding the following testing and evidence considerations, in the context of the ICFR risk related to a given control:
- Extent (Sample size): The sample size increases proportional to ICFR risk.
- Nature of evidence: Inquiry, observation, inspection and re-performance are the four evidence types, listed in order of sufficiency. Evidence beyond inquiry, typically inspection of documents, is required for tests of control operating effectiveness. Re-performance evidence would be expected for the highest risk controls, such as in the period-end reporting process.
- Nature of the control (manual vs. automated): For fully automated controls, either a sample size of one or a "benchmarking" test strategyTest strategyA test strategy is an outline that describes the testing portion of the software development cycle. It is created to inform project managers, testers, and developers about some key issues of the testing process...
may be used. If IT general controls related to change management are effective and the fully automated control has been tested in the past, annual testing is not required. The benchmark must be periodically established. - Scope of roll-forward testing required: As risk increases, roll-forward testing is increasingly likely to be necessary to extend the effect of interim testing to year-end. Lower-risk controls presumably do not require roll-forward testing.
Pervasive factors that also affect the evidence considerations above include:
- Overall strength of entity-level controls, particularly the control environment: Strong entity-level controls act as a pervasive "counter-weight" to risk across the board, reducing the sufficiency of evidence required in lower-risk areas and supporting the spirit of the new guidance in terms of reducing overall effort.
- Cumulative knowledge from prior assessments regarding particular controls: If particular processes and controls have a history of working effectively, the extent of evidence required in lower-risk areas can be reduced.
Consider risk, objectivity, and competence in testing decisions
Management has significant discretion in who performs its testing. The SEC guidance indicates that the objectivity of the person testing a given control should increase proportionally to the ICFR risk related to that control. Therefore, techniques such as self-assessment are appropriate for lower-risk areas, while internal auditors (or the equivalent) generally should test higher-risk areas. An intermediate technique in practice is "quality assurance," where Manager A tests Manager B's work, and vice-versa.The external auditors ability to rely on management's testing follows similar logic. Reliance is proportional to the competence and objectivity of the management person that completed the testing, also in the context of risk. For the highest risk areas, such as the control environment and period-end reporting process, internal auditors or compliance teams are likely the best choices to perform testing, if a significant degree of reliance is expected from the external auditor. The ability of the external auditor to rely on management's assessment is a major cost factor in compliance.
Strategies for efficient SOX 404 assessment
There are a variety of specific opportunities to make the SOX 404 assessment as efficient as possible. Some are more long-term in nature (such as centralization and automation of processing) while others can be readily implemented. Frequent interaction between management and the external auditor is essential to determining which efficiency strategies will be effective in each company's particular circumstances and the extent to which control scope reduction is appropriate.Centralization and automation
Centralize: Using a shared service model in key risk areas enables multiple locations to be treated as one for testing purposes. Shared service models are typically used for payroll and accounts payable processes, but can be applied to many types of transaction processing. According to a recent survey by Finance Executives International, decentralized companies had dramatically higher SOX compliance costs than centralized companies.Automate and Benchmark: Key fully automated IT application controls have minimal sample size requirements (usually one, as opposed to as many as 30 for manual controls) and may not have to be tested directly at all under the benchmarking concept. Benchmarking (see Appendix B of the PCAOB guidance) allows fully automated IT application controls to be excluded from testing if certain IT change management controls are effective. For example, many companies rely heavily on manual interfaces between systems, with spreadsheets created for downloading and uploading manual journal entries. Some companies process thousands of such entries each month. By automating manual journal entries, both labor and SOX assessment costs may be dramatically reduced. In addition, the reliability of financial statements is improved.
Overall assessment approach
Review Testing Approach and Documentation: Many companies or external audit firms mistakenly attempted to impose generic frameworks over unique transaction-level processes or across locations. For instance, most of the COSO Framework elements represent indirect entity-level controls, which should be tested separately from transactional processes. In addition, IT security controls (a subset of ITGC) and shared service controls can be placed in separate process documentation, enabling more efficient assignment of test responsibility and removing redundancy across locations. Testing the key journal entries and account reconciliations as separate efforts enables additional efficiency and focus to be brought to these critical controls.Rely on Direct Entity-Level Controls: The guidance emphasizes identifying which direct entity-level controls, particularly the period-end process and certain monitoring controls, are sufficiently precise to remove assertion-level (transactional) controls from scope. The key is to determine which combination of entity-level and assertion-level controls address particular MMR.
Minimize Roll-forward Testing: Management has more flexibility under the new guidance to extend the effective date of testing performed during mid-year ("interim") periods to the year-end date. Only the higher risk controls will likely require roll-forward testing under the new guidance. PCAOB AS5 indicates that inquiry procedures, regarding whether changes in the control process occurred between the interim and year-end period, may be sufficient in many cases to limit roll-forward testing.
Revisit Scope of Locations or Business Units Assessed: This is a complex area requiring substantial judgment and analysis. The new guidance focuses on specific MMR, rather than dollar magnitude in determining the scope and sufficiency of evidence to be obtained at decentralized units. The interpretation (common under the previous guidance) that a unit or group of units is material and therefore a large number of controls across multiple processes require testing, has been superseded. Where account balances from single units or groups of similar units are a material portion of the consolidated account balance, management should carefully consider whether MMR may exist relative to these accounts only. Testing focused on just the controls related to the MMR should then be performed. Monitoring controls, such as detailed performance review meetings with robust reporting packages, should also be considered to limit transaction-specific testing.
IT assessment approach
Focus IT general control (ITGC) testing: ITGC are not included in the definition of entity-level controls under the SEC or PCAOB guidance. Therefore, ITGC testing should be performed to the extent it addresses specific MMR. By nature, ITGC enables management to place reliance on fully automated application controls (i.e., those that operate without human intervention) and IT-dependent controls (i.e., those that involve the review of automatically generated reports). Focused ITGC testing is merited to support the control objectives or assertions that fully automated controls have not been changed without authorization and that control reporting generated is both accurate and complete. Key ITGC focus areas therefore likely to be critical include: change management procedures applied to specific financial system implementations during the period; change management procedures sufficient to support a benchmarking strategy; and periodic monitoring of application security, including separation of duties.Focus IT application control testing: There has never been a requirement to perform comprehensive IT application control testing (i.e., input-processing-output controls) for financial systems. Only the fully automated application controls identified as key to addressing specific MMR require testing; these may be benchmarked as discussed above. An example is an automated vendor master file control that ensures only valid vendor name and address combinations can be input during accounts payable invoice processing. As such controls are identified as key, they should be tested or benchmarked. There are typically several such key controls in each transactional process.