Developing a Top-Down, Risk-Based Approach to SOX

At its simplest, a “top-down, risk-based” approach to financial reporting is about exposure to risk related to a single objective — filing statements that are free of material error or omission.

And while they’re not a rampant problem, errors and omissions are still a troubling issue. PCAOB findings suggest deficiencies in audits of internal control in as much as 15 percent of audit engagements it inspects, and—in addition— relatively minor errors in an equal amount.

Deficiencies noted include failures to:

• Identify and test controls intended to address the risks of material misstatement.
• Test the design and effectiveness of management review controls.
• Obtain evidence needed to update test results on controls in the roll-forward period.
• Test controls on data and reports that themselves support other important controls.
• Sufficiently evaluate control deficiencies.

A top-down, risk-based approach—properly implemented—can mitigate the risk of these failures and more.

What is Top-Down, Risk-Based… Exactly?

PCAOB’s Auditing Standard No. 5 neatly defines the top-down, risk-based approach:

A top-down approach begins at the financial statement level and with the auditor’s understanding of the overall risks to internal control over financial reporting. The auditor then focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions. This approach directs the auditor’s attention to accounts, disclosures, and assertions that present a reasonable possibility of material misstatement to the financial statements and related disclosures. The auditor then verifies his or her understanding of the risks in the company’s processes and selects for testing those controls that sufficiently address the assessed risk of misstatement to each relevant assertion.

In a recent webinar entitled “How to develop a top-down, risk-based approach to SOX—truly”, internal audit, risk management, and governance expert Norman Marks clarified that top-down is about learning to live with acceptable risks.

“What is the risk? Where is the risk? You need to, at all times, ensure that your scope is focused on those two questions,” Marks said. “That prevents scope creep—and keeps you from getting distracted by things that would never have resulted in a material error or omission.”

Success, then, lies in concentrating on areas where there is some appreciable chance of a material error or omission—and using controls to provide assurance that other risks are less than reasonably possible.

Getting Started with Top-Down, Risk-Based

Wondering where to begin? AS5 suggests starting, predictably, at the start:

The auditor must test those entity- level controls that are important to the auditor’s conclusion about whether the company has effective internal control over financial reporting.

William J Powers, PCAOB National Associate Director, Division of Registration and Inspections, agrees. Powers, in the same SOX webinar, advised beginning at the financial statement level—and focusing primarily on entity-level controls and relevant assertions.

Here’s what counts as an entity-level control according to AS5:

• Controls related to the control environment;
• Controls over management override;
• The company’s risk assessment process;
• Centralized processing and controls, including shared service environments;
• Controls to monitor results of operations;
• Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs;
• Controls over the period-end financial reporting process; and
• Policies that address significant business control and risk management practices.

The “mileage” you’ll achieve from entity-level controls can vary, naturally. Some controls are important but only contribute indirectly to your ability to detect or prevent a material misstatement. Some do, in fact, directly influence that ability, but without the level of precision that would allow you to cut back on testing other controls.

But others, however, will do a more than adequate job of helping you prevent or detect misstatements to one or more relevant assertions.

By appropriately allocating the energy you spend on these three types of controls, Powers says you’ll enjoy the efficiency advantages of a top-down risk-based approach.

Putting Top-Down, Risk-Based into Action

Also speaking on the SOX webinar panel was Richard Arthurs, VP of Risk Management and Chief Audit Executive at Altalink, one of Canada’s largest power transmission companies.

Arthurs gave tips on how to implement a top- down, risk based approach.

• Reach out to key sponsors and partners — including the CFO, Controller, Audit Committee and control owners—to ensure success. The investment you make in relationships, Arthurs said, will always pay dividends over time.
• Set expectations with stakeholders that top-down, risk-based means a reduced number of controls. Don’t assume that leadership will find the value on their own; make it explicit and they’ll more readily embrace your efforts.
• Create a detailed project plan with clear accountabilities. SOX isn’t “one size fits all,” as Arthurs pointed out, so it will be important to make sure you’re doing the work that matters to your company.

Top-down, risk-based may seem daunting at first, but the benefits speak for themselves:

• An overall reduction in key controls. Arthurs has seen decreases of as much 30% or more in SOX projects with which he’s been involved.
• An increased reliance on entity-level controls and automated IT general controls, leading to a significant reduction in IA resource time.
• Significant efficiencies—especially if you plan on using governance, risk and compliance software to visualize and report on your efforts.