In financial auditing of public companies in the United States, SOX 404 top-down risk assessment (TDRA) is a financial risk assessment performed to comply with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX 404). The term is used by the U.S. Public Company Accounting Oversight Board (PCAOB) and the Securities and Exchange Commission (SEC). The TDRA is used to determine the scope and required evidence to support management's testing of its internal controls under SOX404. It is also used by the external auditor to issue a formal opinion on the company's internal controls. However, as a result of the passage of Auditing Standard No. 5, which the SEC has since approved, external auditors are no longer required to provide an opinion on management's assessment of its own internal controls.

Detailed guidance about performing the TDRA is included with PCAOB Auditing Standard No. 5 (Release 2007-005 "An audit of internal control over financial reporting that is integrated with an audit of financial statements") and the SEC's interpretive guidance (Release 33-8810/34-55929) "Management's Report on Internal Control Over Financial Reporting"). This guidance is applicable for 2007 assessments for companies with 12/31 fiscal year-ends. The PCAOB release superseded the existing PCAOB Auditing Standard No. 2, while the SEC guidance is the first detailed guidance for management specifically.

The language used by the SEC Chairman in announcing the new guidance was very direct: "Congress never intended that the 404 process should become inflexible, burdensome, and wasteful. The objective of Section 404 is to provide meaningful disclosure to investors about the effectiveness of a company’s internal controls systems, without creating unnecessary compliance burdens or wasting shareholder resources.” Based on this statement and the new guidance, it appears the SEC and PCAOB expect a significant reduction in costs associated with SOX 404 compliance, by focusing efforts on higher-risk areas and reducing efforts in lower-risk areas.

TDRA is a hierarchical framework that involves applying specific risk factors to determine the scope and evidence required in the assessment of internal control. Both the PCAOB and SEC guidance contain similar frameworks. At each step, qualitative or quantitative risk factors are used to focus the scope of the SOX404 assessment effort and determine the evidence required. Key steps include:

1. identifying significant financial reporting elements (accounts or disclosures)
2. identifying material financial statement risks within these accounts or disclosures
3. determining which entity-level controls would address these risks with sufficient precision
4. determining which transaction-level controls would address these risks in the absence of precise entity-level controls
5. determining the nature, extent, and timing of evidence gathered to complete the assessment of in-scope controls

Management is required to document how it has interpreted and applied its TDRA to arrive at the scope of controls tested. In addition, the sufficiency of evidence required (i.e., the timing, nature, and extent of control testing) is based upon management (and the auditor's) TDRA. As such, TDRA has significant compliance cost implications for SOX404.

Method

The guidance is principles-based, providing significant flexibility in the TDRA approach. There are two major steps: 1) Determining the scope of controls to include in testing; and 2) Determining the nature, timing and extent of testing procedures to perform.

Determining scope

The key SEC principle related to establishing the scope of controls for testing may be stated as follows: "Focus on controls that adequately address the risk of material misstatement." This involves the following steps:

Determine significance and misstatement risk for financial reporting elements (accounts and disclosures)

Under the PCAOB AS 5 guidance, the auditor is required to determine whether an account is "significant" or not (i.e., yes or no), based on a series of risk factors related to the likelihood of financial statement error and magnitude (dollar value) of the account. Significant accounts and disclosures are in-scope for assessment, so management typically includes this information in its documentation and generally performs this analysis for review by the auditor. This documentation may be referred to in practice as the "significant account analysis." Accounts with large balances are generally presumed to be significant (i.e., in-scope) and require some type of testing.

New under the SEC guidance is the concept of also rating each significant account for "misstatement risk" (low, medium, or high), based on similar factors used to determine significance. The misstatement risk ranking is a key factor used to determine the nature, timing, and extent of evidence to be obtained. As risk increases, the expected sufficiency of testing evidence accumulated for controls related to significant accounts increases (see section below regarding testing & evidence decisions).

Both significance and misstatement risk are inherent risk concepts, meaning that the conclusions are determined excluding the effectiveness of controls. Control effectiveness theoretically applies to testing and evidence decisions, not account scope decisions.

Identify financial reporting objectives

Objectives help set the context and boundaries in which risk assessment occurs. The COSO Internal Control-Integrated Framework, a standard of internal control widely-used for SOX compliance, states: "A precondition to risk assessment is the establishment of objectives..." and "Risk assessment is the identification and analysis of relevant risks to achievement of the objectives." The SOX guidance states several hierarchical levels at which risk assessment may occur, such as entity, account, assertion, process, and transaction class. Objectives, risks, and controls may be analyzed at each of these levels. The concept of a top-down risk assessment means considering the higher-levels of the framework first, to filter from consideration as much of the lower-level assessment activity as possible.

Management first develops listings of entity-wide control objectives. An example is: "Employees are aware of the Company's Code of Conduct." The COSO 1992/1994 Framework defines each of the five components of internal control (i.e., Control Environment, Risk Assessment, Information & Communication, Monitoring, and Control Activities). Evaluation suggestions are included at the end of key chapters and in the "Evaluation Tools" volume; these can be modified into objective statements.

Next, management develops listings of assertion-level control objectives related to the in-scope (significant) accounts. An example of an assertion-level objective is "Revenue is recognized only upon the delivery of products and services." Lists of assertion-level control objectives are available in most financial auditing textbooks and require tailoring to the organization. Excellent examples are also available in AICPA Statement on Auditing Standards No. 110 (SAS 110) for the inventory process. SAS 106 includes the latest guidance on financial statement assertions.

Identify material risks to the achievement of the objectives

Those risks that inherently have a "reasonably possible" likelihood of causing a material error in the account balance or disclosure are the material misstatement risks ("MMR"). Note that this is a slight amendment to the "more than remote" likelihood language of PCAOB AS2, intended to limit the scope to fewer, more critical material risks and related controls.

Management develops a listing of MMR, linked to the specific accounts and control objectives developed above. MMR may be identified by asking the question: "What can go wrong related to the account, assertion or objective?" MMR may arise within the accounting function (e.g., regarding estimates, judgments, and policy decisions) or the internal and external environment (e.g., corporate departments that feed the accounting department information, economic and stock market variables, etc.) Communication interfaces, changes (people, process or systems), fraud vulnerability, management override of controls, incentive structure, complex transactions, and degree of judgment or human intervention involved in processing are other high-risk topics.

In general, management considers questions such as: What is really difficult to get right? What accounting problems have we had in the past? What has changed? Who might be capable or motivated to commit fraud or fraudulent financial reporting? As a high percentage of financial frauds historically have involved the overstatement of revenue, such accounts typically merit additional attention. AICPA Statement on Auditing Standards No. 109 (SAS 109) also provides helpful guidance regarding financial risk assessment.

Under the 2007 guidance, companies are required to perform a fraud risk assessment and assess related controls. This typically involves identifying scenarios in which theft or loss could occur and determining if existing control procedures effectively manage the risk to an acceptable level. The risk that senior management might override important financial controls to manipulate financial reporting is also a key area of focus in the fraud risk assessment.

In practice, many companies combine the objective and risk statements when describing MMR. These MMR statements serve as a target, focusing efforts to identify mitigating controls.

Identify controls that address the material misstatement risks (MMR)

For each MMR, management determines which controls address the risk sufficiently and precisely enough to mitigate it. The word "mitigate" in this context means the control (or controls) reduces the likelihood of material error presented by the MMR to a "remote" probability. Even though multiple controls may bear on the risk, only those that address it as defined above are included in the assessment. In practice, these are called the "in-scope" or "key" controls.

Judgment is typically the best guide for selecting the most important controls relative to a particular risk for testing. PCAOB AS5 introduces a three-level framework describing entity-level controls at varying levels of precision (direct, monitoring, and indirect.) As a practical matter, control precision by type of control, in order of most precise to least, may be interpreted as:

1. Transaction-specific (non-entity level) - Review (or preventive system controls) related to specific, individual transactions;
2. Transaction summary (non-entity level) - Review of reports listing individual transactions;
3. Period-End Reporting - Journal entry review, account reconciliations or detailed account analysis;
4. Direct Monitoring - Thorough review of summarized financial and operational information, or checklists verifying more detailed control procedures were completed (i.e., controls that monitor execution of other controls); and
5. Indirect - Entity-level controls that are not linked to specific transactions, such as the control environment.

It is increasingly difficult to argue that reliance upon controls is reasonable in achieving assertion-level objectives as one travels along this continuum from most precise to least, and as risk increases. A combination of type 3 & 4 controls above (direct entity-level) may help reduce the number of type 1 & 2 controls (transactional) that require assessment for particular risks, especially in lower-risk, transaction-intensive processes.

Under the new guidance, it appears acceptable to place significantly more reliance on the period-end controls (i.e., review of journal entries and account reconciliations) than in the past, effectively addressing many of the material misstatement risks and enabling either: a) the elimination of a significant number of transactional controls from the prior-year's scope of testing; or b) reducing related evidence obtained. The number of transaction-level controls may be reduced significantly, particularly for lower-risk accounts.

Considerations in testing and evidence decisions

The key SEC principle regarding evidence decisions can be summarized as follows: "Align the nature, timing and extent of evaluation procedures on those areas that pose the greatest risks to reliable financial reporting." The SEC has indicated that the sufficiency of evidence required to support the assessment of specific MMR should be based on two factors: a) Financial Element Misstatement Risk ("Misstatement Risk") and b) Control Failure Risk. These two concepts together (the account- or disclosure-related risks and control-related risks) are called "Internal Control over Financial Reporting Risk" or "ICFR" risk. A table was included in the guidance to illustrate this concept; it is the only such table, which indicates the emphasis placed on it by the SEC. ICFR risk should be associated with the in-scope controls identified above and may be part of that analysis. This involves the following steps:

Link each key control to the "Misstatement Risk" of the related account or disclosure

Management identified the misstatement risk for each significant account and disclosure as part of the scoping assessment above. The low, medium, or high ranking assessed should be associated with the controls related to the account. One way of accomplishing this would be to include the ranking within the control inventory or control matrix documents of the company.

Rate each key control for "Control Failure Risk (CFR)" and "ICFR Risk"

CFR is applied at the individual control level, based on factors in the guidance related to complexity of processing, manual vs. automated nature of the control, judgment involved, etc. Management fundamentally asks the question: "How difficult is it to execute this control properly each and every time?"

With account misstatement risk and CFR defined, management can then conclude on ICFR risk (low, medium, or high) for the control. ICFR is the key risk concept used in evidence decisions.

Consider the impact of risk on the timing, nature, and extent of testing

The guidance provides flexibility in the timing, nature and extent of evidence based on the interaction of Misstatement Risk and Control Failure Risk (together, ICFR Risk). These two factors should be used to update the "Sampling and Evidence Guide" used by most companies. As these two risk factors increase, the sufficiency of evidence required to address each MMR increases.

Management has significant flexibility regarding the following testing and evidence considerations, in the context of the ICFR risk related to a given control:

• Extent (Sample size): The sample size increases proportional to ICFR risk.
• Nature of evidence: Inquiry, observation, inspection and re-performance are the four evidence types, listed in order of sufficiency. Evidence beyond inquiry, typically inspection of documents, is required for tests of control operating effectiveness. Re-performance evidence would be expected for the highest risk controls, such as in the period-end reporting process.
• Nature of the control (manual vs. automated): For fully automated controls, either a sample size of one or a "benchmarking" test strategy may be used. If IT general controls related to change management are effective and the fully automated control has been tested in the past, annual testing is not required. The benchmark must be periodically established.
• Scope of roll-forward testing required: As risk increases, roll-forward testing is increasingly likely to be necessary to extend the effect of interim testing to year-end. Lower-risk controls presumably do not require roll-forward testing.

Pervasive factors that also affect the evidence considerations above include:

• Overall strength of entity-level controls, particularly the control environment: Strong entity-level controls act as a pervasive "counter-weight" to risk across the board, reducing the sufficiency of evidence required in lower-risk areas and supporting the spirit of the new guidance in terms of reducing overall effort.
• Cumulative knowledge from prior assessments regarding particular controls: If particular processes and controls have a history of working effectively, the extent of evidence required in lower-risk areas can be reduced.

Consider risk, objectivity, and competence in testing decisions

Management has significant discretion in who performs its testing. The SEC guidance indicates that the objectivity of the person testing a given control should increase proportionally to the ICFR risk related to that control. Therefore, techniques such as self-assessment are appropriate for lower-risk areas, while internal auditors (or the equivalent) generally should test higher-risk areas. An intermediate technique in practice is "quality assurance," where Manager A tests Manager B's work, and vice-versa.

The external auditors ability to rely on management's testing follows similar logic. Reliance is proportional to the competence and objectivity of the management person that completed the testing, also in the context of risk. For the highest risk areas, such as the control environment and period-end reporting process, internal auditors or compliance teams are likely the best choices to perform testing, if a significant degree of reliance is expected from the external auditor. The ability of the external auditor to rely on management's assessment is a major cost factor in compliance.

Strategies for efficient SOX 404 assessment

There are a variety of specific opportunities to make the SOX 404 assessment as efficient as possible. Some are more long-term in nature (such as centralization and automation of processing) while others can be readily implemented. Frequent interaction between management and the external auditor is essential to determining which efficiency strategies will be effective in each company's particular circumstances and the extent to which control scope reduction is appropriate.

Centralization and automation

Centralize: Using a shared service model in key risk areas enables multiple locations to be treated as one for testing purposes. Shared service models are typically used for payroll and accounts payable processes, but can be applied to many types of transaction processing. According to a recent survey by Finance Executives International, decentralized companies had dramatically higher SOX compliance costs than centralized companies.

Automate and Benchmark: Key fully automated IT application controls have minimal sample size requirements (usually one, as opposed to as many as 30 for manual controls) and may not have to be tested directly at all under the benchmarking concept. Benchmarking (see Appendix B of the PCAOB guidance) allows fully-automated IT application controls to be excluded from testing if certain IT change management controls are effective. For example, many companies rely heavily on manual interfaces between systems, with spreadsheets created for downloading and uploading manual journal entries. Some companies process thousands of such entries each month. By automating manual journal entries, both labor and SOX assessment costs may be dramatically reduced. In addition, the reliability of financial statements is improved.

Overall assessment approach

Review Testing Approach and Documentation: Many companies or external audit firms mistakenly attempted to impose generic frameworks over unique transaction-level processes or across locations. For instance, most of the COSO Framework elements represent indirect entity-level controls, which should be tested separately from transactional processes. In addition, IT security controls (a subset of ITGC) and shared service controls can be placed in separate process documentation, enabling more efficient assignment of test responsibility and removing redundancy across locations. Testing the key journal entries and account reconciliations as separate efforts enables additional efficiency and focus to be brought to these critical controls.

Rely on Direct Entity-Level Controls: The guidance emphasizes identifying which direct entity-level controls, particularly the period-end process and certain monitoring controls, are sufficiently precise to remove assertion-level (transactional) controls from scope. The key is to determine which combination of entity-level and assertion-level controls address particular MMR.

Minimize Roll-forward Testing: Management has more flexibility under the new guidance to extend the effective date of testing performed during mid-year ("interim") periods to the year-end date. Only the higher risk controls will likely require roll-forward testing under the new guidance. PCAOB AS5 indicates that inquiry procedures, regarding whether changes in the control process occurred between the interim and year-end period, may be sufficient in many cases to limit roll-forward testing.

Revisit Scope of Locations or Business Units Assessed: This is a complex area requiring substantial judgment and analysis. The new guidance focuses on specific MMR, rather than dollar magnitude in determining the scope and sufficiency of evidence to be obtained at decentralized units. The interpretation (common under the previous guidance) that a unit or group of units is material and therefore a large number of controls across multiple processes require testing, has been superseded. Where account balances from single units or groups of similar units are a material portion of the consolidated account balance, management should carefully consider whether MMR may exist relative to these accounts only. Testing focused on just the controls related to the MMR should then be performed. Monitoring controls, such as detailed performance review meetings with robust reporting packages, should also be considered to limit transaction-specific testing.

IT assessment approach

Focus IT general control (ITGC) testing: ITGC are not included in the definition of entity-level controls under the SEC or PCAOB guidance. Therefore, ITGC testing should be performed to the extent it addresses specific MMR. By nature, ITGC enables management to place reliance on fully automated application controls (i.e., those that operate without human intervention) and IT-dependent controls (i.e., those that involve the review of automatically-generated reports). Focused ITGC testing is merited to support the control objectives or assertions that fully-automated controls have not been changed without authorization and that control reporting generated is both accurate and complete. Key ITGC focus areas therefore likely to be critical include: change management procedures applied to specific financial system implementations during the period; change management procedures sufficient to support a benchmarking strategy; and periodic monitoring of application security, including separation of duties.

Focus IT application control testing: There has never been a requirement to perform comprehensive IT application control testing (i.e., input-processing-output controls) for financial systems. Only the fully-automated application controls identified as key to addressing specific MMR require testing; these may be benchmarked as discussed above. An example is an automated vendor master file control that ensures only valid vendor name and address combinations can be input during accounts payable invoice processing. As such controls are identified as key, they should be tested or benchmarked. There are typically several such key controls in each transactional process.

References