PCAOB AS 2201 recommends “A top-down approach begins at the financial statement level and with the auditor’s understanding of the overall risks to internal controls over financial reporting. The auditor then focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions.”
This step in a SOX compliance audit should not result in a list of compliance procedures, but should instead help the auditor identify potential risks and sources, how it might impact the business, and whether the internal controls qualify as SOX controls — i.e. whether they will provide reasonable assurance that a material error will be avoided, prevented, or detected.
How: Financial statement items are considered “material” if they can influence the economic decisions of users. Auditors can typically determine what is material by calculating a certain percentage of key financial statement accounts, for example 5% of total assets, 3-5% of operating income, or some analysis of multiple key P&L and balance sheet accounts.
How: Analyze the financials for all the locations where you do business. If any of the financial statement account balances at these locations exceed what was determined as material (in Step 1), chances are they will be considered material and in-scope for SOX testing in the coming year.
How: Meet with your Controller and the specific process owners to determine the transactions (i.e. debits and credits) that cause the financial statement account to increase or decrease. How these transactions occur and how they’re recorded should be documented in a narrative, flowchart, or both.
How: Seek to understand what could prevent the transaction from being correctly recorded, or the risk event. Then, document the effect the risk event could have on how the account balance could be incorrectly recorded, or the breakdown of the financial statement assertion.
During the materiality analysis, auditors will identify and document the SOX controls that may prevent or detect transactions from being incorrectly recorded. They will seek to identify the checks and balances in the financial reporting process that ensure transactions are recorded correctly and account balances are calculated accurately. Material accounts often need multiple controls in place to prevent a material misstatement from occurring. However, audit teams are cautioned against applying a brute-force approach and simply creating a new SOX control whenever a new risk is identified. Each new control is then often classified as “key” without a true risk assessment having been performed, which contributes to the ever-increasing count of controls. By understanding the differences between key and non-key controls, internal audit teams can effectively combat rising control counts.
To keep things simple, the quickest method to differentiate a non-key vs. key control is to refer to the level of risk being addressed. Is the control mitigating a low or high risk? By understanding the risks affecting the SOX compliance process, audit teams can better prioritize and focus their efforts on key controls.
Lastly, to finalize and plan for an effective system of internal controls, your audit team must identify manual and automated SOX IT controls. For each automated control identified, you should evaluate whether the underlying system is in-scope for ITGC testing, which will affect your overall testing strategy for that control. If you have ITGC comfort over the underlying system, you can substantially reduce the amount of SOX IT control testing that needs to be performed.
Once you have defined your scope and identified your SOX controls using these best practices, you will be on track to developing a well-rounded SOX testing program. Learn more about how to build upon this foundation in How to Build a Well-Rounded SOX Testing Program.
Meeting SOX requirements does not need to be overly complicated. Implementing SOX compliance software such as AuditBoard’s SOXHUB can help you eliminate version control issues in your SOX documentation process, centralize SOX control testing, facilitate SOX reporting, as well as streamline your SOX program from end to end.