SOX Section 404 Compliance Costs Via a Top-Down, Risk-Based Approach
AUGUST 2006

Part 1 of this article (The CPA Journal, July 2006) discussed the business and regulatory drivers that are encouraging companies to revisit their best practices and methodology in the context of compliance with section 404 of the Sarbanes-Oxley Act (SOX). This second part describes the top-down, risk-based approach for testing the effectiveness of internal controls, including company-level controls, determination of material accounts, risk-based selection of controls for testing, and account assertion coverage.

In a top-down approach, the auditor identifies the controls to test in a sequential manner, starting with company-level controls, then drilling down to significant accounts at the financial-statement level, and then to relevant individual controls at the process, transaction, or application levels. The top-down approach enables the auditor to focus early in the process on matters that may have an effect on the auditor’s later decisions about scope and testing strategy, such as company-level controls.
Auditing Standard (AS) 2 was designed to encourage auditors and issuers to take this top-down approach because it might prevent them from spending unnecessary time and effort documenting a process or testing a control that is unlikely to assist in detecting a material misstatement in a company’s financial statements. The top-down approach comprises the following sequence of actions:
Company-level controls. Identify, understand, and evaluate the design effectiveness of company-level controls.
Accounts. Identify significant accounts, beginning at the financial-statement or disclosure level. Identify the assertions relevant to each significant account.
Identify significant processes and major classes of transactions that are related to these accounts and disclosures. Link the accounts to the processes.
Identify the points in the process at which errors or fraud could occur. This occurs during the identification of the significant accounts, relevant assertions, and related processes, and is confirmed by performing self-assessments.
Identify controls that are designed to prevent or detect errors or fraud on a timely basis; clearly link individual controls with the significant accounts and assertions to which they relate.
The top-down approach is both effective and efficient. The identification of significant accounts at the financial-statement level (“top”) drives the audit process “down” to the individual-control level. In this manner, an auditor is more likely to identify the controls to be tested that address relevant assertions for significant accounts. The process prevents an auditor from spending unnecessary time and effort understanding a process or control that ultimately is not relevant to whether the financial statements could be materially misstated.
To implement the top-down approach, an auditor begins by identifying, understanding, and evaluating the design of company-level controls. Company-level controls include the following:
Controls within the control environment, such as tone at the top, organizational structure, commitment to competence, and human resource policies and procedures;
Management’s risk assessment process;
Centralized processing and controls, such as shared service centers;
Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs; and
The end-of-period financial reporting process.
These controls have a pervasive effect on controls at the process, transaction, or application level. In the top-down approach, the auditor tests and evaluates the effectiveness of company-level controls first, because the results affect the strategy for testing other controls. If strong company-level controls are in place, auditors should be able to decrease the level of testing required for controls at the process, transaction, and application levels.
Recent PCAOB guidance on implementing AS 2 suggests that auditors should focus on “significant” controls over “material” account balances. Although it is common to simply parcel risk in order of account value, this is a simple-minded approach that is often incorrect. The assessment should be based on both qualitative and quantitative factors relating to a number of criteria. The following steps should be followed to complete an account materiality assessment:
Identify and document qualitative and quantitative criteria for assessing account materiality;
Choose relevant financial statement account types based on these criteria;
Pick thresholds for each account type, or an overall threshold;
For each account type, select locations (entities), beginning with the largest balance for that account type and continuing with the next-largest until the threshold is reached (sum of the balances in the chosen locations); and
Adjust locations by applying the qualitative criteria.
Examples of quantitative and qualitative criteria include the following:
Size and composition of the account;
Volume of the transactions processed through the account;
Susceptibility of loss due to errors or fraud;
Complexity and homogeneity of the transactions;
Nature of the account (e.g., suspense accounts generally warrant greater attention);
Accounting and reporting complexities;
Likelihood (or possibility) of significant contingent liabilities arising from the activities represented by the account;
Existence of related-party transactions; and
Changes from the prior period in account characteristics (e.g., new complexities, subjectivity, or types of transactions).
To ensure adequate coverage within an account type, companies should strive to include an adequate percentage of each account balance. The PCAOB has not established specific percentages for coverage; however, between 60% and 80% is presumed adequate. If an account type is deemed low risk, 60% coverage is probably adequate.

Once locations have been chosen based on quantitative criteria, the selection of accounts should be adjusted based on qualitative factors. For example, a recently acquired business might be considered a higher risk because it is new and unfamiliar, and, therefore, should be given closer scrutiny due to greater possible risk factors, as opposed to the size of its accounts.

A technology solution should be able to load account balance data through integration with the company’s financial consolidation tool or general ledger system. The technology should be able to select a scoping threshold and generate a report that shows the accounts by location. One way to format the report is to have all significant accounts listed as rows in the report, and all locations listed as columns. The report (see Exhibit 1) should show account balances on a per-location basis, along with the materiality percentages used to determine coverage levels. The account balances “in-scope” should be identified. The ability to adjust which accounts are “in-scope,” based on qualitative criteria, is also recommended.
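The scoping procedure above (a coverage threshold per account type, largest-balance-first selection of locations until the threshold is reached, then qualitative adjustment) together with an Exhibit 1 style accounts-by-location report, as an added example in Python. This is not code from the article or from OpenPages; the balances, account types, locations, the choice of which account type counts as low risk, and the “recently acquired” location forced into scope are all constructed sample data.

```python
"""Account-materiality scoping (steps 3 to 5 of the procedure), added example,
not OpenPages code. All balances, account types, locations and the
'recently acquired' flag below are constructed sample data."""

# Constructed sample balances: account type -> {location: balance}.
SAMPLE_BALANCES = {
    "Accounts Receivable": {"US": 500_000, "UK": 300_000, "DE": 150_000, "JP": 50_000},
    "Inventory":           {"US": 200_000, "UK": 100_000, "DE": 400_000, "JP": 300_000},
    "Accrued Liabilities": {"US": 120_000, "UK": 40_000,  "DE": 30_000,  "JP": 10_000},
}

# Coverage thresholds: 60% to 80% is presumed adequate, 60% for an account type
# deemed low risk. Which type is low risk is a constructed assumption here.
DEFAULT_THRESHOLD = 0.80
THRESHOLDS = {"Accrued Liabilities": 0.60}

# Qualitative adjustment (step 5): locations forced into scope regardless of
# balance, e.g. a recently acquired business. Constructed.
FORCED_IN = {"Inventory": ["UK"]}


def select_locations(balances, threshold):
    """Step 4: take locations largest-first until the chosen balances reach
    threshold * total for the account type. Returns (locations, coverage)."""
    total = sum(abs(b) for b in balances.values())
    if total == 0:
        return [], 0.0
    chosen, covered = [], 0
    for loc, bal in sorted(balances.items(), key=lambda kv: -abs(kv[1])):
        if covered / total >= threshold:
            break
        chosen.append(loc)
        covered += abs(bal)
    return chosen, covered / total


def build_scope(balances, thresholds=THRESHOLDS, default=DEFAULT_THRESHOLD, forced_in=FORCED_IN):
    """Quantitative selection per account type, then qualitative adjustment."""
    scope, coverage = {}, {}
    for acct, locs in balances.items():
        scope[acct], coverage[acct] = select_locations(locs, thresholds.get(acct, default))
    for acct, locs in forced_in.items():
        for loc in locs:
            if loc not in scope.setdefault(acct, []):
                scope[acct].append(loc)
    return scope, coverage


def scoping_report(balances, scope):
    """Exhibit 1 style: accounts as rows, locations as columns, '*' marks in-scope."""
    locations = sorted({loc for locs in balances.values() for loc in locs})
    rows = ["Account".ljust(22) + "".join(loc.rjust(13) for loc in locations)]
    for acct, locs in balances.items():
        cells = "".join(
            f"{locs.get(loc, 0):>11,}{'*' if loc in scope.get(acct, []) else ' '} "
            for loc in locations
        )
        rows.append(acct.ljust(22) + cells)
    return "\n".join(rows)


if __name__ == "__main__":
    scope, coverage = build_scope(SAMPLE_BALANCES)
    print(scoping_report(SAMPLE_BALANCES, scope))
    for acct in SAMPLE_BALANCES:
        print(f"{acct}: {coverage[acct]:.0%} quantitative coverage, in scope: {scope[acct]}")
```

The coverage figure reported per account type is the quantitative coverage reached by the largest-first selection; a location added on qualitative grounds is flagged in scope but does not change that figure, which keeps the two kinds of criteria visible separately in the report.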
Selection of Controls
In the first year of compliance with SOX section 404, most auditors and issuers did not alter the nature, timing, and extent of their testing based on the level of risk. Auditors often appeared to take a uniform approach to their testing, inadequately considering the unique risk factors within each company. As a result, some auditors appear to have expended more effort than was necessary in lower-risk areas. This approach also compromised audit effectiveness because, in some cases, a higher-risk area did not receive as much audit attention as it should have.

To remedy this shortcoming, the next phase of the top-down approach uses risk-based analysis to determine which controls should be considered high priority for testing purposes. The steps include the following:
Identifying the important processes that generate or affect significant accounts;
Assigning risk ratings to determine the controls in scope; and
Streamlining testing frequency and sampling based on the risk ratings.

The important processes that generate the significant accounts should be identified during the documentation phase. For example, key processes, such as procure-to-pay or order-to-cash, are identified and documented within the business units or locations where they are executed. They are then mapped back to the significant accounts they generate.
For each process in scope, the high-exposure risks should be identified and the key controls should be tested. Each risk is assigned an exposure rating based on either a quantitative or a qualitative assessment of frequency (how likely it is that the risk would materialize) and severity (how large an impact the risk would have, if it occurred). Risk ratings can be generated as shown in Exhibit 2. For example, all risks that are rated less than or equal to 3 could be used to identify controls that are candidates for testing. Other risks should be put aside and the testing focus should be on higher-risk areas. Applying risk measurement to each of the identified risks enables management to turn the scores and assumptions into a plan for external auditors.

Controls are associated with the risks they mitigate. The control-testing strategy should focus on high-exposure risks that are identified through the risk-measurement process. The testing strategy should also include the level of tested controls, the sample sizes, and the timing based on qualitative factors. As the risk associated with a control decreases, the extensiveness of the auditor’s testing should decrease; as the risk associated with a control increases, the extensiveness of the auditor’s testing also should increase.

The PCAOB’s AS 2 describes three primary factors that an auditor should evaluate when determining the extent of testing for a given control: the nature of the control, the frequency of operation, and the importance of the control. Evaluating the nature and importance of the control is directly related to the auditor’s assessment of risk associated with the control.
The use of technology can aid in risk assessment and reporting. For example, a “Risk Heat Map” report, as shown in Exhibit 3, can be used to identify the high-risk controls that should be considered for testing. The vertical axis shows the accounts to which the controls are related, grouped by the account’s materiality weighting (based on the balance for that account type). The horizontal axis shows the risk rating for the control; if the control is associated with more than one risk, the highest risk rating is shown. The numbers represent the set of controls that fall into each quadrant. Controls that are in the lower left corner of the map should be considered lower priority for testing purposes.
The final phase of the top-down, risk-based approach is to assess the coverage of account assertions for material accounts and “in-scope” controls. Individual controls should be clearly linked with related significant accounts and assertions. All assertions should be covered by relevant controls, and these controls should be tested and checked for both design and operating effectiveness. If a control was not associated with a high risk but covers an assertion for an “in-scope” account, it should still be tested.

Both accounts and controls may contain enumerated fields that capture the assertions that are at risk and the assertions that are covered, respectively. In addition, controls can be directly associated with the accounts they affect in order to easily assess assertion coverage. In the example shown in Exhibit 4, Account 1’s assertions are covered by Control 1 and Control 2, respectively. If Account 1 is in scope and Process 1 is a key process, and assuming that Risk 1 is above the risk threshold, both Control 1 and Control 2 should be included in the testing process to ensure that assertion coverage is met.
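The risk-rating, heat-map and assertion-coverage steps described above (an exposure rating from frequency and severity, a control taking the highest rating of the risks it mitigates, and a control that covers an assertion of an in-scope account staying in the test set even when its risk is below the threshold), as one added Python example that is not from the article or from OpenPages. The 1 to 3 scales for frequency and severity, the product rule for exposure, the threshold value, and every account, process, risk and control are constructed assumptions; in this constructed scale a higher number means more exposure, which is the opposite direction from the “less than or equal to 3” reading of Exhibit 2.

```python
"""Risk-based control selection, heat-map grouping and assertion-coverage check,
added example, not OpenPages code. The 1..3 frequency/severity scale, the
product rule for exposure, the threshold, and every account, process, risk and
control are constructed; higher exposure means more risk in this scale."""
from collections import defaultdict

HIGH_EXPOSURE = 6  # constructed: exposure (frequency x severity, each 1..3) >= 6 is high

# Constructed model following the Exhibit 4 narrative: Account 1 is in scope,
# Process 1 is a key process, Risk 1 is above the threshold.
ACCOUNTS = {
    "Account 1": {"in_scope": True, "weight": "high",
                  "assertions": {"existence", "completeness", "valuation"}},
    "Account 2": {"in_scope": False, "weight": "low", "assertions": {"existence"}},
}
RISKS = {
    "Risk 1": {"process": "Process 1", "frequency": 3, "severity": 3},
    "Risk 2": {"process": "Process 1", "frequency": 1, "severity": 2},
    "Risk 3": {"process": "Process 2", "frequency": 2, "severity": 3},
}
CONTROLS = {
    "Control 1": {"risks": {"Risk 1"}, "accounts": {"Account 1"},
                  "covers": {"existence", "completeness"}},
    "Control 2": {"risks": {"Risk 2"}, "accounts": {"Account 1"}, "covers": {"valuation"}},
    "Control 3": {"risks": {"Risk 3"}, "accounts": {"Account 2"}, "covers": {"existence"}},
}


def exposure(risk):
    """Exposure rating from frequency (likelihood) and severity (impact)."""
    return risk["frequency"] * risk["severity"]


def control_rating(name, controls=CONTROLS, risks=RISKS):
    """Heat-map rule: a control linked to several risks takes the highest rating."""
    return max(exposure(risks[r]) for r in controls[name]["risks"])


def heat_map(accounts=ACCOUNTS, controls=CONTROLS, risks=RISKS):
    """Exhibit 3 style grid: (account materiality weighting, control rating) -> controls."""
    grid = defaultdict(set)
    for cname, c in controls.items():
        rating = control_rating(cname, controls, risks)
        for acct in c["accounts"]:
            grid[(accounts[acct]["weight"], rating)].add(cname)
    return dict(grid)


def select_controls(accounts=ACCOUNTS, controls=CONTROLS, risks=RISKS, threshold=HIGH_EXPOSURE):
    """Controls to test: those mitigating a high-exposure risk, plus those covering
    an assertion of an in-scope account even when their risk is below threshold.
    Returns (controls to test, reasons per control, uncovered assertions per account)."""
    to_test, reasons = set(), defaultdict(list)
    for cname, c in controls.items():
        if control_rating(cname, controls, risks) >= threshold:
            to_test.add(cname)
            reasons[cname].append("mitigates high-exposure risk")
        for acct in c["accounts"]:
            if accounts[acct]["in_scope"] and c["covers"] & accounts[acct]["assertions"]:
                to_test.add(cname)
                reasons[cname].append(f"assertion coverage for {acct}")
    # Coverage check: every at-risk assertion of an in-scope account needs a tested control.
    uncovered = {}
    for aname, a in accounts.items():
        if not a["in_scope"]:
            continue
        covered = set()
        for cname in to_test:
            if aname in controls[cname]["accounts"]:
                covered |= controls[cname]["covers"]
        if a["assertions"] - covered:
            uncovered[aname] = a["assertions"] - covered
    return to_test, dict(reasons), uncovered


if __name__ == "__main__":
    for cell, names in sorted(heat_map().items()):
        print(f"weighting={cell[0]:<5} rating={cell[1]}: {sorted(names)}")
    tested, why, gaps = select_controls()
    for cname in sorted(tested):
        print(f"{cname}: {'; '.join(why[cname])}")
    print("uncovered assertions:", gaps or "none")
```

With the constructed data, Control 2 is below the exposure threshold but is still selected because it is the only control covering Account 1’s valuation assertion; removing it from the model, or adding an assertion no control covers, surfaces as an entry in the uncovered-assertions result rather than silently shrinking the test set.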
Companies hoping to implement the PCAOB’s AS 2 in a manner that captures the benefits of the process without unnecessary and unsustainable costs should look at ways to reduce the scope of the internal control audit and the amount of management testing being performed. To accomplish this goal, companies may do the following:
Apply a top-down, risk-based approach to establish scope and testing strategies. This investment will improve the focus and efficiency of the audit and, over time, can significantly reduce required hours and costs.
Work with independent auditors to refine the criteria and approach used by management to identify and test SOX section 404 controls.
Identify and explore management testing approaches with the independent auditor that can then be used to increase reliance upon management’s work.

By properly planning a SOX internal control assessment, and utilizing a top-down, risk-based assessment approach, compliance with SOX section 404 will be achieved more efficiently and effectively.
O’Brien, MBA, is OpenPages’ director of product management and leads the product development process for the company’s line of governance, risk, and compliance management (GRCM) solutions (www.openpages.com).