April 14, 2022
How to Prepare SOX Risk Assessments
The 10-K has been filed! You are enjoying a welcome break from the auditors and their never-ending questions. Now the SOX risk assessment appears on the task list and there is nobody to delegate it to. You vaguely remember preparing it last year. Or was it the year before? You are wondering what it is, why you have to do it, and how. We have answers!
What and Why
The SOX risk assessment focuses on Internal Control over Financial Reporting (ICFR). It analyzes financial information and risks. The outcome determines the scope and priorities of the SOX or ICFR effectiveness evaluation activities for the next fiscal year. The assessment helps management determine if certain processes, accounts, or systems can be excluded from SOX monitoring activities. Another benefit of the SOX risk Assessment is that it allows you to identify and prioritize high-risk areas. These high-risk areas can be tested first, to allow ample time for remediation efforts if issues are identified.
Step 1: Calculate materiality
Decide what metric to use. This is typically a financial statement line item (FSLI) that is important to management in measuring the performance of the company. Apply a percentage. Document why you chose that metric and % to support your materiality conclusion. This will also refresh your memory when you update the risk assessment next year.
Materiality has two uses:
- Scoping – determining what processes and accounts are in or out of scope for the year.
- Deficiency Analysis – determining whether control deficiencies rise to a level of significant deficiency or material weakness.
The second is sometimes referred to as overall materiality, while the first is known as planning materiality and a somewhat reduced number to expand the scope.
Step 2: Location or company scoping
Depending on your organization structure, use materiality to determine if some locations or companies can be excluded from SOX monitoring activities.
Step 3: Map accounts to business processes
In this step, you link general ledger accounts with the business processes impacting the accounts. Instead of accounts, you can map FSLIs to business processes. A process is also referred to as a “transaction cycle” or “significant class of transactions.”
Step 4: Quantitative and Qualitative Analysis
Summarize the financial impact per process or FSLI and risk rate certain factors for each process to determine the overall risk per process. Qualitative risk factors to consider in this analysis include:
Use of judgment and estimates results in a higher rating.
Non-routine or homogenous transactions. There is a higher risk of misstatements or errors in less frequent transactions or calculations.
Risk of fraud and history of fraud, errors, or deficiencies. Certain processes or accounts have a higher inherent risk of fraud. Also, consider the history of errors or control deficiencies.
The complexity of the process, calculations, or accounting guidance. For example, federal tax calculations are typically more complex than cash activity.
Lack of automation and extent of spreadsheets. Manual activity is more prone to errors.
Changes in process, systems, or management. These ratings will likely change from year to year due to process enhancements, system implementations, and people changes.
If you used last year’s trial balance as the base, consider planned projects and initiatives for the year and whether new processes should be incorporated into the assessment.
Again, document your rationale for assigning risk ratings to support your conclusion and refresh your memory when you update the risk assessment next year.
Step 5: IT application scoping
Identify IT applications and databases used in each process. Depending on the extent the system is used in the process, what data or reports from that system is used for financial reporting purposes, and the precision of existing manual controls, determine what applications are in scope for IT General Controls evaluation. As part of the IT application scoping, also identify whether systems are hosted and managed internally, or whether they are cloud-based SaaS systems. Control requirements will vary depending on the type of system. For more on IT General Controls read about IT SOX compliance requirements.
It is easy to get lost in the details, so it is important to determine if the outcome reflects management’s perspective of risk related to ICFR. Compare the overall risk ratings to the prior year’s assessment and determine if changes seem reasonable. Consider revising the assessment during the year to reflect significant changes in the organization, business, or industry.
This assessment may seem daunting at first. If the risk is not assigned appropriately, significant items and systems may be excluded from the SOX monitoring scope. Last-minute surprises may not leave enough time to implement appropriately documented controls or to remediate deficiencies. Or in contrast, you may be including more areas than required and waste time by not taking a risk-based approach. You can gain efficiency and eliminate complexity in the risk assessment process by outsourcing the initial setup, analysis, and monitoring. Bridgepoint Consulting is here to help.
5 Tips to Meet IT SOX Compliance Requirements