5, which the SEC has since approved, external auditors are no longer required to provide an opinion on management's assessment of its own internal controls.
[4] The language used by the SEC chairman in announcing the new guidance was very direct: "Congress never intended that the 404 process should become inflexible, burdensome, and wasteful.
The objective of Section 404 is to provide meaningful disclosure to investors about the effectiveness of a company's internal controls systems, without creating unnecessary compliance burdens or wasting shareholder resources."
TDRA is a hierarchical framework that involves applying specific risk factors to determine the scope and evidence required in the assessment of internal control.
At each step, qualitative or quantitative risk factors are used to focus the scope of the SOX 404 assessment effort and determine the evidence required.
Key steps include: Management is required to document how it has interpreted and applied its TDRA to arrive at the scope of controls tested.
In addition, the sufficiency of evidence required (i.e., the timing, nature, and extent of control testing) is based upon management's (and the auditor's) TDRA.
Significant accounts and disclosures are in-scope for assessment, so management typically includes this information in its documentation and generally performs this analysis for review by the auditor.
The misstatement risk ranking is a key factor used to determine the nature, timing, and extent of evidence to be obtained.
The SOX guidance states several hierarchical levels at which risk assessment may occur, such as entity, account, assertion, process, and transaction class.
Note that this is a slight amendment to the "more than remote" likelihood language of PCAOB AS2, intended to limit the scope to fewer, more critical material risks and related controls.
As a high percentage of financial frauds historically have involved the overstatement of revenue, such accounts typically merit additional attention.
This typically involves identifying scenarios in which theft or loss could occur and determining if existing control procedures effectively manage the risk to an acceptable level.
The SEC Guidance defines the probability terms as follows, per FAS5 Accounting for Contingent Liabilities: Judgment is typically the best guide for selecting the most important controls relative to a particular risk for testing.
PCAOB AS5 introduces a three-level framework describing entity-level controls at varying levels of precision (direct, monitoring, and indirect).
The key SEC principle regarding evidence decisions can be summarized as follows: "Align the nature, timing and extent of evaluation procedures on those areas that pose the greatest risks to reliable financial reporting."
This involves the following steps: Management assigned a misstatement risk ranking (high, medium or low) for each significant account and disclosure as part of the scoping assessment above.
Many companies use databases for this purpose, creating data fields within their risk and control documentation to capture this information.
Frequent interaction between management and the external auditor is essential to determining which efficiency strategies will be effective in each company's particular circumstances and the extent to which control scope reduction is appropriate.
Centralize: Using a shared service model in key risk areas enables multiple locations to be treated as one for testing purposes.
Review testing approach and documentation: Many companies or external audit firms mistakenly attempted to impose generic frameworks over unique transaction-level processes or across locations.
For instance, most of the COSO Framework elements represent indirect entity-level controls, which should be tested separately from transactional processes.
Testing the key journal entries and account reconciliations as separate efforts enables additional efficiency and focus to be brought to these critical controls.
PCAOB AS5 indicates that inquiry procedures, regarding whether changes in the control process occurred between the interim and year-end period, may be sufficient in many cases to limit roll-forward testing.
Revisit scope of locations or business units assessed: This is a complex area requiring substantial judgment and analysis.
The 2007 guidance focused on specific material misstatement risks (MMR), rather than dollar magnitude, in determining the scope and sufficiency of evidence to be obtained at decentralized units.
Monitoring controls, such as detailed performance review meetings with robust reporting packages, should also be considered to limit transaction-specific testing.
Key ITGC (IT general control) focus areas therefore likely to be critical include: change management procedures applied to specific financial system implementations during the period; change management procedures sufficient to support a benchmarking strategy; and periodic monitoring of application security, including separation of duties.
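As an added illustration of the last focus area (periodic monitoring of application security, including separation of duties), and not part of the SEC or PCAOB guidance or of the text above, the following Python check is the kind of detective control a reviewer might run over a finance application's role export. The conflict rules, the role-to-function matrix and the user assignments are all constructed for the example; a real run would load the same three inputs from the application's access reports.

```python
"""Periodic separation-of-duties (SoD) check over application role assignments.

Added example, not from the source text. Assumes a finance application exports
(user -> roles) and that a (role -> permitted functions) matrix is maintained.
All rules and data below are constructed for illustration.
"""

# Constructed SoD rules: pairs of functions one person should not hold together.
SOD_RULES = {
    ("vendor.create", "payment.approve"): "Create a vendor and approve payments to it",
    ("journal.post", "journal.approve"): "Post and approve own journal entries",
    ("payroll.edit", "payroll.release"): "Edit and release payroll",
}

# Constructed role -> permitted functions matrix (what a role actually grants).
ROLE_FUNCTIONS = {
    "AP_CLERK": {"vendor.create", "invoice.enter"},
    "AP_MANAGER": {"payment.approve", "invoice.enter"},
    "GL_ACCOUNTANT": {"journal.post"},
    "CONTROLLER": {"journal.approve", "payment.approve"},
    "PAYROLL_ADMIN": {"payroll.edit", "payroll.release"},
}

# Constructed user -> roles export, as the application would produce it.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},   # conflict arises from combining two roles
    "carol": {"GL_ACCOUNTANT"},
    "dave": {"PAYROLL_ADMIN"},           # conflict is embedded in a single role
    "erin": {"CONTROLLER"},
}


def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Union of the functions granted by all of a user's roles."""
    funcs = set()
    for role in roles:
        funcs |= role_functions.get(role, set())
    return funcs


def find_sod_violations(user_roles=USER_ROLES, rules=SOD_RULES,
                        role_functions=ROLE_FUNCTIONS):
    """Map each offending user to the (description, func_a, func_b) rules hit.

    Checks effective functions, not role names, so conflicts created by
    combining otherwise-clean roles are caught as well as embedded ones.
    """
    violations = {}
    for user, roles in sorted(user_roles.items()):
        funcs = effective_functions(roles, role_functions)
        hits = [(desc, a, b) for (a, b), desc in rules.items()
                if a in funcs and b in funcs]
        if hits:
            violations[user] = hits
    return violations


def roles_with_embedded_conflicts(rules=SOD_RULES, role_functions=ROLE_FUNCTIONS):
    """Roles that violate a rule on their own; these need redesign, not just review."""
    return sorted(role for role, funcs in role_functions.items()
                  if any(a in funcs and b in funcs for (a, b) in rules))


def review_summary(user_roles=USER_ROLES):
    """Completeness evidence for the reviewer: population size alongside exceptions."""
    violations = find_sod_violations(user_roles)
    return {
        "users_reviewed": len(user_roles),
        "users_with_violations": sorted(violations),
        "roles_with_embedded_conflicts": roles_with_embedded_conflicts(),
    }


if __name__ == "__main__":
    for user, hits in find_sod_violations().items():
        for desc, a, b in hits:
            print(f"{user}: {desc} ({a} + {b})")
    print(review_summary())
```

The summary deliberately reports the size of the population reviewed next to the exceptions, since a reviewer who relies on a report like this must be able to show it covered the whole user base, not only that the flagged users were followed up.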
These included, among other topics: Staff Audit Practice Alert No. 11 (SAPA #11) may translate into more work for management teams, which may be required by auditors to retain evidence that these reports and queries were accurate and complete.
Further, management may be required to retain additional evidence of investigation where detective control report amounts contain transactions or trends outside of predefined tolerance ranges.