Developing a Top-Down, Risk-Based Approach to SOX

PCAOB’s Auditing Standard No. 5 neatly defines the top-down, risk-based approach:

A top-down approach begins at the financial statement level and with the auditor’s understanding of the overall risks to internal control over financial reporting. The auditor then focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions. This approach directs the auditor’s attention to accounts, disclosures, and assertions that present a reasonable possibility of material misstatement to the financial statements and related disclosures. The auditor then verifies his or her understanding of the risks in the company’s processes and selects for testing those controls that sufficiently address the assessed risk of misstatement to each relevant assertion.

In a recent webinar entitled “How to develop a top-down, risk-based approach to SOX—truly”, internal audit, risk management, and governance expert Norman Marks clarified that top-down is about learning to live with acceptable risks.

“What is the risk? Where is the risk? You need to, at all times, ensure that your scope is focused on those two questions,” Marks said. “That prevents scope creep—and keeps you from getting distracted by things that would never have resulted in a material error or omission.”

Success, then, lies in concentrating on areas where there is some appreciable chance of a material error or omission—and using controls to provide assurance that other risks are less than reasonably possible.

Wondering where to begin? AS5 suggests starting, predictably, at the start:

The auditor must test those entity- level controls that are important to the auditor’s conclusion about whether the company has effective internal control over financial reporting.

William J Powers, PCAOB National Associate Director, Division of Registration and Inspections, agrees. Powers, in the same SOX webinar, advised beginning at the financial statement level—and focusing primarily on entity-level controls and relevant assertions.

Here’s what counts as an entity-level control according to AS5:

• Controls related to the control environment;
• Controls over management override;
• The company’s risk assessment process;
• Centralized processing and controls, including shared service environments;
• Controls to monitor results of operations;
• Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs;
• Controls over the period-end financial reporting process; and
• Policies that address significant business control and risk management practices.

The “mileage” you’ll achieve from entity-level controls can vary, naturally. Some controls are important but only contribute indirectly to your ability to detect or prevent a material misstatement. Some do, in fact, directly influence that ability, but without the level of precision that would allow you to cut back on testing other controls.

But others, however, will do a more than adequate job of helping you prevent or detect misstatements to one or more relevant assertions.

By appropriately allocating the energy you spend on these three types of controls, Powers says you’ll enjoy the efficiency advantages of a top-down risk-based approach.

Also speaking on the SOX webinar panel was Richard Arthurs, VP of Risk Management and Chief Audit Executive at Altalink, one of Canada’s largest power transmission companies.

Arthurs gave tips on how to implement a top- down, risk based approach.

• Reach out to key sponsors and partners — including the CFO, Controller, Audit Committee and control owners—to ensure success. The investment you make in relationships, Arthurs said, will always pay dividends over time.
• Set expectations with stakeholders that top-down, risk-based means a reduced number of controls. Don’t assume that leadership will find the value on their own; make it explicit and they’ll more readily embrace your efforts.
• Create a detailed project plan with clear accountabilities. SOX isn’t “one size fits all,” as Arthurs pointed out, so it will be important to make sure you’re doing the work that matters to your company.

Top-down, risk-based may seem daunting at first, but the benefits speak for themselves:

• An overall reduction in key controls. Arthurs has seen decreases of as much 30% or more in SOX projects with which he’s been involved.
• An increased reliance on entity-level controls and automated IT general controls, leading to a significant reduction in IA resource time.
• Significant efficiencies—especially if you plan on using governance, risk and compliance software to visualize and report on your efforts.

Where there is at least a reasonable possibility of a material error or omission, you have a financial reporting risk that must be addressed.

A top-down risk-based approach to that risk frees you to reduce your efforts where it’s less than reasonably likely that a material error or omission could occur, and lets you focus instead on high- impact issues of internal control.

If you’d like to learn more, you may be interested in “How to develop a top-down, risk-based approach to SOX—truly”, the webinar from which some of the material in this paper was drawn.

The webinar, sponsored by Resolver, is available for free viewing here.