Prior to starting your SOX compliance efforts, you should perform a detailed risk assessment to focus management’s evaluation and assessment efforts on those areas that could result in a material misstatement in the financial statements.
We suggest that the risk assessment process should include:
(1) Establish Materiality: Establishing materiality to conclude whether deficiencies identified in an audit of internal control over financial reporting constitute a material weakness.
(2) Risk Rate Accounts: Risk rate significant accounts and disclosures based on materiality. The assessment should be both qualitative (e.g., susceptibility of loss due to errors or fraud) and quantitative in nature and should be performed by management with the assistance of outside consultants, if needed, to:
a. Identify locations that are in scope based on the evaluation of materiality. Factors to consider include key financial measures, risk factors, key measures that investors might be interested in, and any other key measures of importance.
b. Identify relevant processes based on materiality and specific financial statement assertions.
c. Link risks to financial statement assertions.
d. Link significant accounts to significant processes and major classes of transactions. Confirm that relevant financial reporting risks (including fraud and general computer controls (“GCCs”)) are identified, and risk-rate control objectives.
(3) Leverage IT GCCs: The approach should identify relevant IT applications and platforms; identify GCC areas and confirm the relevance and risk rating of GCC control objectives; determine relevance to financial reporting objectives and the risk rating of associated significant transactions; and finally, remove non-relevant IT applications and platforms, control objectives and unnecessary controls.
(4) Assess Risks: Assess the potential magnitude and likelihood of risks and rationalize the controls to be tested.
a. Reduce the population of controls to be tested without compromising appropriate coverage of all relevant assertions.
b. Determine the extent of testing at the significant account level based on the rationalized controls.
See more about SOX-Expert TaskMap Edition here
Dan Anderton is a partner at SOX Experts LLC and our guest blogger today.
For more information contact Dan at 203-894-1992 or at danderton@sox-expert.com