Detailed guidance about performing the TDRA is included with PCAOB Auditing Standard No. 5 (Release 2007-005 "An audit of internal control over financial reporting that is integrated with an audit of financial statements") and the SEC's interpretive guidance (Release 33-8810/34-55929) "Management's Report on Internal Control Over Financial Reporting"). This guidance is applicable for 2007 assessments for companies with 12/31 fiscal year-ends. The PCAOB release superseded the existing PCAOB Auditing Standard No. 2, while the SEC guidance is the first detailed guidance for management specifically.
The language used by the SEC Chairman in announcing the new guidance was very direct: "Congress never intended that the 404 process should become inflexible, burdensome, and wasteful. The objective of Section 404 is to provide meaningful disclosure to investors about the effectiveness of a company’s internal controls systems, without creating unnecessary compliance burdens or wasting shareholder resources.” Based on this statement and the new guidance, it appears the SEC and PCAOB expect a significant reduction in costs associated with SOX 404 compliance, by focusing efforts on higher-risk areas and reducing efforts in lower-risk areas.
TDRA is a hierarchical framework that involves applying specific risk factors to determine the scope and evidence required in the assessment of internal control. Both the PCAOB and SEC guidance contain similar frameworks. At each step, qualitative or quantitative risk factors are used to focus the scope of the SOX404 assessment effort and determine the evidence required. Key steps include:
Management is required to document how it has interpreted and applied its TDRA to arrive at the scope of controls tested. In addition, the sufficiency of evidence required (i.e., the timing, nature, and extent of control testing) is based upon management (and the auditor's) TDRA. As such, TDRA has significant compliance cost implications for SOX404.
The guidance is principles-based, providing significant flexibility in the TDRA approach. There are two major steps: 1) Determining the scope of controls to include in testing; and 2) Determining the nature, timing and extent of testing procedures to perform.
Under the PCAOB AS 5 guidance, the auditor is required to determine whether an account is "significant" or not (i.e., yes or no), based on a series of risk factors related to the likelihood of financial statement error and magnitude (dollar value) of the account. Significant accounts and disclosures are in-scope for assessment, so management typically includes this information in its documentation and generally performs this analysis for review by the auditor. This documentation may be referred to in practice as the "significant account analysis." Accounts with large balances are generally presumed to be significant (i.e., in-scope) and require some type of testing.
New under the SEC guidance is the concept of also rating each significant account for "misstatement risk" (low, medium, or high), based on similar factors used to determine significance. The misstatement risk ranking is a key factor used to determine the nature, timing, and extent of evidence to be obtained. As risk increases, the expected sufficiency of testing evidence accumulated for controls related to significant accounts increases (see section below regarding testing & evidence decisions).
Both significance and misstatement risk are inherent risk concepts, meaning that the conclusions are determined excluding the effectiveness of controls. Control effectiveness theoretically applies to testing and evidence decisions, not account scope decisions.
Management first develops listings of entity-wide control objectives. An example is: "Employees are aware of the Company's Code of Conduct." The COSO 1992/1994 Framework defines each of the five components of internal control (i.e., Control Environment, Risk Assessment, Information & Communication, Monitoring, and Control Activities). Evaluation suggestions are included at the end of key chapters and in the "Evaluation Tools" volume; these can be modified into objective statements.
Next, management develops listings of assertion-level control objectives related to the in-scope (significant) accounts. An example of an assertion-level objective is "Revenue is recognized only upon the delivery of products and services." Lists of assertion-level control objectives are available in most financial auditing textbooks and require tailoring to the organization. Excellent examples are also available in AICPA Statement on Auditing Standards No. 110 (SAS 110) for the inventory process. SAS 106 includes the latest guidance on financial statement assertions.
Management develops a listing of MMR, linked to the specific accounts and control objectives developed above. MMR may be identified by asking the question: "What can go wrong related to the account, assertion or objective?" MMR may arise within the accounting function (e.g., regarding estimates, judgments, and policy decisions) or the internal and external environment (e.g., corporate departments that feed the accounting department information, economic and stock market variables, etc.) Communication interfaces, changes (people, process or systems), fraud vulnerability, management override of controls, incentive structure, complex transactions, and degree of judgment or human intervention involved in processing are other high-risk topics.
In general, management considers questions such as: What is really difficult to get right? What accounting problems have we had in the past? What has changed? Who might be capable or motivated to commit fraud or fraudulent financial reporting? As a high percentage of financial frauds historically have involved the overstatement of revenue, such accounts typically merit additional attention. AICPA Statement on Auditing Standards No. 109 (SAS 109) also provides helpful guidance regarding financial risk assessment.
Under the 2007 guidance, companies are required to perform a fraud risk assessment and assess related controls. This typically involves identifying scenarios in which theft or loss could occur and determining if existing control procedures effectively manage the risk to an acceptable level. The risk that senior management might override important financial controls to manipulate financial reporting is also a key area of focus in the fraud risk assessment.
In practice, many companies combine the objective and risk statements when describing MMR. These MMR statements serve as a target, focusing efforts to identify mitigating controls.
Judgment is typically the best guide for selecting the most important controls relative to a particular risk for testing. PCAOB AS5 introduces a three-level framework describing entity-level controls at varying levels of precision (direct, monitoring, and indirect.) As a practical matter, control precision by type of control, in order of most precise to least, may be interpreted as:
It is increasingly difficult to argue that reliance upon controls is reasonable in achieving assertion-level objectives as one travels along this continuum from most precise to least, and as risk increases. A combination of type 3 & 4 controls above (direct entity-level) may help reduce the number of type 1 & 2 controls (transactional) that require assessment for particular risks, especially in lower-risk, transaction-intensive processes.
Under the new guidance, it appears acceptable to place significantly more reliance on the period-end controls (i.e., review of journal entries and account reconciliations) than in the past, effectively addressing many of the material misstatement risks and enabling either: a) the elimination of a significant number of transactional controls from the prior-year's scope of testing; or b) reducing related evidence obtained. The number of transaction-level controls may be reduced significantly, particularly for lower-risk accounts.
With account misstatement risk and CFR defined, management can then conclude on ICFR risk (low, medium, or high) for the control. ICFR is the key risk concept used in evidence decisions.
Management has significant flexibility regarding the following testing and evidence considerations, in the context of the ICFR risk related to a given control:
Pervasive factors that also affect the evidence considerations above include:
The external auditors ability to rely on management's testing follows similar logic. Reliance is proportional to the competence and objectivity of the management person that completed the testing, also in the context of risk. For the highest risk areas, such as the control environment and period-end reporting process, internal auditors or compliance teams are likely the best choices to perform testing, if a significant degree of reliance is expected from the external auditor. The ability of the external auditor to rely on management's assessment is a major cost factor in compliance.
There are a variety of specific opportunities to make the SOX 404 assessment as efficient as possible. Some are more long-term in nature (such as centralization and automation of processing) while others can be readily implemented. Frequent interaction between management and the external auditor is essential to determining which efficiency strategies will be effective in each company's particular circumstances and the extent to which control scope reduction is appropriate.
Centralize: Using a shared service model in key risk areas enables multiple locations to be treated as one for testing purposes. Shared service models are typically used for payroll and accounts payable processes, but can be applied to many types of transaction processing. According to a recent survey by Finance Executives International, decentralized companies had dramatically higher SOX compliance costs than centralized companies.
Automate and Benchmark: Key fully automated IT application controls have minimal sample size requirements (usually one, as opposed to as many as 30 for manual controls) and may not have to be tested directly at all under the benchmarking concept. Benchmarking (see Appendix B of the PCAOB guidance) allows fully-automated IT application controls to be excluded from testing if certain IT change management controls are effective. For example, many companies rely heavily on manual interfaces between systems, with spreadsheets created for downloading and uploading manual journal entries. Some companies process thousands of such entries each month. By automating manual journal entries, both labor and SOX assessment costs may be dramatically reduced. In addition, the reliability of financial statements is improved.
Review Testing Approach and Documentation: Many companies or external audit firms mistakenly attempted to impose generic frameworks over unique transaction-level processes or across locations. For instance, most of the COSO Framework elements represent indirect entity-level controls, which should be tested separately from transactional processes. In addition, IT security controls (a subset of ITGC) and shared service controls can be placed in separate process documentation, enabling more efficient assignment of test responsibility and removing redundancy across locations. Testing the key journal entries and account reconciliations as separate efforts enables additional efficiency and focus to be brought to these critical controls.
Rely on Direct Entity-Level Controls: The guidance emphasizes identifying which direct entity-level controls, particularly the period-end process and certain monitoring controls, are sufficiently precise to remove assertion-level (transactional) controls from scope. The key is to determine which combination of entity-level and assertion-level controls address particular MMR.
Minimize Roll-forward Testing: Management has more flexibility under the new guidance to extend the effective date of testing performed during mid-year ("interim") periods to the year-end date. Only the higher risk controls will likely require roll-forward testing under the new guidance. PCAOB AS5 indicates that inquiry procedures, regarding whether changes in the control process occurred between the interim and year-end period, may be sufficient in many cases to limit roll-forward testing.
Revisit Scope of Locations or Business Units Assessed: This is a complex area requiring substantial judgment and analysis. The new guidance focuses on specific MMR, rather than dollar magnitude in determining the scope and sufficiency of evidence to be obtained at decentralized units. The interpretation (common under the previous guidance) that a unit or group of units is material and therefore a large number of controls across multiple processes require testing, has been superseded. Where account balances from single units or groups of similar units are a material portion of the consolidated account balance, management should carefully consider whether MMR may exist relative to these accounts only. Testing focused on just the controls related to the MMR should then be performed. Monitoring controls, such as detailed performance review meetings with robust reporting packages, should also be considered to limit transaction-specific testing.
Focus IT general control (ITGC) testing: ITGC are not included in the definition of entity-level controls under the SEC or PCAOB guidance. Therefore, ITGC testing should be performed to the extent it addresses specific MMR. By nature, ITGC enables management to place reliance on fully automated application controls (i.e., those that operate without human intervention) and IT-dependent controls (i.e., those that involve the review of automatically-generated reports). Focused ITGC testing is merited to support the control objectives or assertions that fully-automated controls have not been changed without authorization and that control reporting generated is both accurate and complete. Key ITGC focus areas therefore likely to be critical include: change management procedures applied to specific financial system implementations during the period; change management procedures sufficient to support a benchmarking strategy; and periodic monitoring of application security, including separation of duties.
Focus IT application control testing: There has never been a requirement to perform comprehensive IT application control testing (i.e., input-processing-output controls) for financial systems. Only the fully-automated application controls identified as key to addressing specific MMR require testing; these may be benchmarked as discussed above. An example is an automated vendor master file control that ensures only valid vendor name and address combinations can be input during accounts payable invoice processing. As such controls are identified as key, they should be tested or benchmarked. There are typically several such key controls in each transactional process.