Reducing SOX Section 404 Compliance Costs Via a Top-Down, Risk-Based Approach

By Patrick O’Brien

AUGUST 2006 - Part 1 of this article (The CPA Journal, July 2006) discussed the business and regulatory drivers that are encouraging companies to revisit their best practices and methodology in the context of compliance with section 404 of the Sarbanes-Oxley Act (SOX). This second part describes the top-down, risk-based approach for testing the effectiveness of internal controls, including company-level controls, determination of material accounts, risk-based selection of controls for testing, and account assertion coverage.

Top-Down Approach

In a top-down approach, the auditor identifies the controls to test in a sequential manner, starting with company-level controls and then drilling down to significant accounts at the financial-statement level, and then relevant individual controls at the process, transaction, or application levels. The top-down approach enables the auditor to focus early in the process on matters that may have an effect on the auditor’s later decisions about scope and testing strategy, such as company-level controls.

PCAOB Auditing Standard (AS) 2 was designed to encourage auditors and issuers to take this top-down approach because it might prevent them from spending unnecessary time and effort documenting a process or testing a control that is unlikely to assist in detecting a material misstatement in a company’s financial statements.

The top-down approach comprises the following sequence of actions:

  • Company-level controls. Identify, understand, and evaluate the design effectiveness of company-level controls.
  • Accounts. Identify significant accounts, beginning at the financial-statement or disclosure level. Identify the assertions relevant to each significant account.
  • Processes. Identify significant processes and major classes of transactions that are related to these accounts and disclosures. Link the accounts to the processes.
  • Risks. Identify the points in the process at which errors or fraud could occur. This occurs during the identification of the significant accounts, relevant assertions, and related processes, and is confirmed by performing self-assessments.
  • Controls. Identify controls that are designed to prevent or detect errors or fraud on a timely basis; clearly link individual controls with the significant accounts and assertions to which they relate.

This top-down approach is both effective and efficient. The identification of significant accounts at the financial-statement level (“top”) drives the audit process “down” to the individual-control level. In this manner, an auditor is more likely to identify the controls to be tested that address relevant assertions for significant accounts. The process prevents an auditor from spending unnecessary time and effort understanding a process or control that ultimately is not relevant to whether the financial statements could be materially misstated.

Company-Level Controls

To implement the top-down approach, an auditor begins by identifying, understanding, and evaluating the design of company-level controls. Company-level controls include the following:

  • Controls within the control environment, such as tone at the top, organizational structure, commitment to competence, and human resource policies and procedures;
  • Management’s risk assessment process;
  • Centralized processing and controls, such as shared service environments;
  • Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs; and
  • The end-of-period financial reporting process.

Company-level controls have a pervasive effect on controls at the process, transaction, or application level. In the top-down approach, the auditor tests and evaluates the effectiveness of company-level controls first, because the results affect the strategy for testing other controls. If strong company-level controls are in place, auditors should be able to decrease the level of testing required for controls at the process, transaction, and application levels.

Material Accounts

The recent PCAOB guidance on implementing AS 2 suggests that auditors should focus on “significant” controls over “material” account balances. Although it is common to simply parcel risk in order of account value, this is a simple-minded approach that is often incorrect. The assessment should be based on both qualitative and quantitative factors relating to a number of criteria. The following steps should be followed to complete an account materiality analysis:

  • Identify and document qualitative and quantitative criteria for assessing account materiality;
  • Choose relevant financial statement account types based on these criteria;
  • Pick thresholds for each account type, or an overall
  • For each account type, select locations (entities), beginning with the largest balance for that account type and continuing with the next-largest until the threshold is reached (sum of the balances in the chosen locations); and
  • Adjust locations by applying the qualitative criteria.

Examples of quantitative and qualitative criteria include the following:

  • Quantitative:
    • Size and composition of the account
    • Volume of the transactions processed through the account.
  • Qualitative:
    • Susceptibility of loss due to errors or fraud
    • Complexity and homogeneity of the transactions
    • Nature of the account (e.g., suspense accounts generally warrant greater attention)
    • Accounting and reporting complexities
    • Exposure to losses
    • Likelihood (or possibility) of significant contingent liabilities arising from the activities represented by the account
    • Existence of related-party transactions
    • Changes from the prior period in account characteristics (e.g., new complexities, subjectivity, or types of transactions).

To ensure adequate coverage within an account type, companies should strive to include an adequate percentage of each account balance. The PCAOB has not established specific percentages for coverage; however, between 60% and 80% is presumed adequate. If an account type is deemed low risk, 60% coverage is probably adequate.

Although locations are first chosen based on quantitative criteria, the selection of accounts should be adjusted based on qualitative factors. For example, a recently acquired business might be considered a higher risk because it is new and unfamiliar, and, therefore, should be given closer scrutiny due to greater possible risk factors, as opposed to the size of its accounts.

A company’s technology solution should be able to load account balance data through integration with its financial consolidation tool or general ledger system. The technology should be able to select a scoping threshold and generate a report that shows the accounts by location. One way to format the report is to have all significant accounts listed as rows in the report, and all locations listed as columns. The report (see Exhibit 1) should show account balances on a per-location basis, along with the materiality percentages used to determine coverage levels. The account balances “in-scope” should be identified. The ability to adjust which accounts are “in-scope,” based on qualitative criteria, is also recommended.
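The location-scoping procedure above (greedy selection by balance until the coverage threshold is met, then qualitative adjustment) as an added worked example; it is not code from the article or from OpenPages, and the balances, thresholds and the forced-include rule for a newly acquired entity are constructed sample data.

```python
"""Account-materiality scoping: pick locations per account type until a
coverage threshold is met, then apply qualitative adjustments.
Added illustration; not code from the article or OpenPages. Balances,
thresholds and the forced-include rule below are constructed sample data."""

# Constructed sample: account type -> {location: balance}
BALANCES = {
    "Accounts Receivable": {"US": 500, "UK": 300, "DE": 150, "NewCo": 50},
    "Inventory":           {"US": 200, "UK": 100, "DE": 100, "NewCo": 100},
}
# Coverage thresholds per account type (article: 60%-80% presumed adequate,
# 60% for a low-risk account type).
THRESHOLDS = {"Accounts Receivable": 0.80, "Inventory": 0.60}


def select_locations(balances, threshold):
    """Quantitative step: take the largest balance first and keep adding
    the next-largest until the chosen balances sum to at least `threshold`
    of the account type's total. Returns (chosen_locations, coverage)."""
    total = sum(balances.values())
    chosen, running = [], 0
    for loc, bal in sorted(balances.items(), key=lambda kv: (-kv[1], kv[0])):
        if total and running / total >= threshold:
            break
        chosen.append(loc)
        running += bal
    return chosen, (running / total if total else 0.0)


def scope_accounts(balances_by_type, thresholds, force_include=()):
    """Run the quantitative selection for every account type, then apply
    qualitative adjustments: locations in `force_include` (e.g. a newly
    acquired business) are brought in scope regardless of balance size."""
    scope = {}
    for acct, bals in balances_by_type.items():
        chosen, _ = select_locations(bals, thresholds[acct])
        for loc in force_include:
            if loc in bals and loc not in chosen:
                chosen.append(loc)
        total = sum(bals.values())
        cov = sum(bals[l] for l in chosen) / total if total else 0.0
        # One report row per account type: in-scope locations and coverage
        scope[acct] = {"in_scope": sorted(chosen), "coverage": round(cov, 3)}
    return scope


if __name__ == "__main__":
    for acct, row in scope_accounts(BALANCES, THRESHOLDS, ["NewCo"]).items():
        print(acct, row)
```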

Risk-Based Selection of Controls

In the first year of compliance with SOX section 404, most auditors and issuers did not alter the nature, timing, and extent of their testing based on the level of risk. Auditors often appeared to take a uniform approach to their testing, inadequately considering the unique risk factors within each company. As a result, some auditors appear to have expended more effort than was necessary in lower-risk areas. This approach also compromised audit effectiveness because, in some cases, a higher-risk area did not receive as much audit attention as it should have.

To remedy this shortcoming, the next phase of the top-down approach uses risk-based analysis to determine which controls should be considered high priority for testing purposes. The steps include the following:

  • Identifying the important processes that generate or affect material accounts;
  • Using risk ratings to determine the controls in scope; and
  • Streamlining testing frequency and sampling based on the risk-based analysis.

The important processes that generate the significant accounts should be identified during the documentation phase. For example, key processes, such as procure-to-pay or order-to-cash, are identified and documented within the business units or locations where they are executed. They are then mapped back to the significant accounts they generate.

For each process in scope, the high-exposure risks should be identified and the key controls should be tested. Each risk is assigned an exposure rating based on either quantitative or qualitative assessment of frequency (how likely it is that the risk would materialize) and severity (how large an impact the risk would have, if it occurred). Risk ratings can be generated, as shown in Exhibit 2. For example, all risks that are rated less than or equal to 3 could be used to identify controls that are candidates for testing.

Low-exposure risks should be put aside and the testing focus should be on higher-risk areas. Applying risk measurement to each of the identified risks enables management to turn the scores and assumptions into a plan for external auditors.

Controls are associated with the risks they mitigate. The control-testing strategy should focus on high-exposure risks that are identified through the risk-measurement process. The testing strategy should also include the level of tested controls, the sample sizes, and the timing based on qualitative factors. As the risk associated with a control decreases, the extensiveness of the auditor’s testing should decrease; as the risk associated with a control increases, the extensiveness of the auditor’s testing also should increase.

The PCAOB’s AS 2 describes three primary factors that an auditor should evaluate when determining the extent of testing for a given control: the nature of the control, the frequency of operation, and the importance of the control. Evaluating the nature and importance of the control is directly related to the auditor’s assessment of risk associated with the control.

The use of technology can aid in risk assessment and reports. For example, a “Risk Heat Map” report, as shown in Exhibit 3, can be used to identify the high-risk controls that should be considered for testing. The vertical axis shows the accounts to which the controls are related, grouped by the account’s materiality weighting (based on the balance for that account type). The horizontal axis shows the risk rating for the control; if the control is associated with more than one risk, the highest risk rating is shown. The numbers represent the set of controls that fall into each quadrant. Controls that are in the lower left corner of the map should be considered lower priority for testing purposes.

Account Assertions

The final phase of the top-down, risk-based approach is to assess the coverage of account assertions for material accounts and “in-scope” controls. Individual controls should be clearly linked with related significant accounts and assertions. All assertions should be covered by relevant controls, and these controls should be tested and checked for both design and operating effectiveness. If a control was not associated with a high risk but covers an assertion for an “in-scope” account, it should still be tested.

Both accounts and controls may contain enumerated fields that capture the assertions that are at risk and the assertions that are covered, respectively. In addition, controls can be directly associated with the accounts they affect in order to easily assess assertion coverage. In the example shown in Exhibit 4, Account 1’s assertions are covered by Control 1 and Control 2, respectively. If Account 1 is in scope and Process 1 is a key process, and assuming that Risk 1 is above the risk threshold, both Control 1 and Control 2 should be included in the testing process to ensure that assertion coverage is met.
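The two selection rules from the risk-based and assertion-coverage phases above (a control is tested if it mitigates a high-exposure risk, or if it covers an assertion of an in-scope account even when its risks are low), together with a check for assertions no selected control covers, as an added worked example; it is not code from the article or OpenPages. The sample accounts, risks, controls and exposure ratings are constructed, and the rating scale (higher number means higher exposure, threshold passed in as `high_exposure`) is an assumption.

```python
"""Risk-based control selection plus assertion-coverage check.
Added illustration, not code from the article or OpenPages. Sample data
is constructed; the rating scale is assumed (higher = more exposure)."""

ACCOUNTS = {  # in-scope account -> assertions considered at risk
    "Account 1": {"existence", "completeness", "valuation"},
}
RISKS = {"Risk 1": 4, "Risk 2": 1}  # risk -> exposure rating (constructed)
CONTROLS = {  # control -> (risks mitigated, accounts affected, assertions covered)
    "Control 1": ({"Risk 1"}, {"Account 1"}, {"existence", "completeness"}),
    "Control 2": ({"Risk 2"}, {"Account 1"}, {"valuation"}),
    "Control 3": ({"Risk 2"}, {"Account 9"}, {"existence"}),  # account out of scope
}


def select_controls(accounts, risks, controls, high_exposure):
    """Return {control: reasons}. A control is in the test plan if it
    mitigates a high-exposure risk, or if it covers an at-risk assertion
    of an in-scope account even though its linked risks are low-exposure."""
    selected = {}
    for name, (mitigates, affects, covers) in controls.items():
        reasons = []
        if any(high_exposure(risks[r]) for r in mitigates):
            reasons.append("high-exposure risk")
        for acct in sorted(affects):
            if acct in accounts and covers & accounts[acct]:
                reasons.append(f"assertion coverage for {acct}")
        if reasons:
            selected[name] = reasons
    return selected


def uncovered_assertions(accounts, controls, selected):
    """At-risk assertions of in-scope accounts that no selected control
    covers; a non-empty result means the test plan has a coverage gap."""
    gaps = {}
    for acct, at_risk in accounts.items():
        covered = set()
        for name in selected:
            _, affects, covers = controls[name]
            if acct in affects:
                covered |= covers
        if at_risk - covered:
            gaps[acct] = sorted(at_risk - covered)
    return gaps


if __name__ == "__main__":
    plan = select_controls(ACCOUNTS, RISKS, CONTROLS, lambda r: r >= 3)
    print(plan, uncovered_assertions(ACCOUNTS, CONTROLS, plan))
```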

Cost–Benefit Advantages

Companies hoping to implement the PCAOB’s AS 2 in a manner that captures the benefits of the process without unnecessary and unsustainable costs should look at ways to reduce the scope of the internal control audit and the amount of management testing being performed. To accomplish this goal, companies may do the following:

  • Apply a top-down, risk-based approach to establish scope and testing strategies. This investment will improve the focus and efficiency of the audit and, over time, can significantly reduce required hours and costs.
  • Work with independent auditors to refine the criteria and approach used by management to identify and test SOX section 404 controls.
  • Identify and explore management testing approaches with the independent auditor that can then be used to increase reliance upon management’s work.

By properly planning a SOX internal control assessment, and utilizing a top-down, risk-based assessment approach, compliance with SOX section 404 will be more efficiently and effectively achieved.

Patrick O’Brien, MBA, is OpenPages’ director of product management and leads the product development process for the company’s line of governance, risk, and compliance management (GRCM) solutions (

The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2009 The New York State Society of CPAs. Legal Notices