SOX Risk Assessment: How to Prepare, Tips & Challenges


The 10-K has been filed! You are enjoying a welcome break from auditors and their never-ending questions.

Now, the SOX risk assessment appears on the task list — but there is nobody to delegate it to.

You vaguely remember preparing it last year… or was it the year before?

If you’re wondering what a SOX risk assessment is, why you have to do it, and how to do it correctly and efficiently, we have the answers you’re looking for.

What is a SOX Risk Assessment?

The SOX risk assessment focuses on Internal Control over Financial Reporting (ICFR). Essentially, it analyzes financial information alongside potential risks that may arise.

The outcome determines the scope and priorities of the SOX or ICFR effectiveness evaluation activities over the next fiscal year.

Why are SOX Risk Assessments important?

A SOX Risk Assessment is important because it helps management determine if certain processes, accounts or systems can be excluded from SOX monitoring activities.

SOX risk assessments are also important because they allow you to identify and prioritize high-risk areas. These high-risk areas can be tested first, leaving ample time for remediation if issues are identified.

5 Steps for a Successful SOX Risk Assessment:

1. Calculate materiality

First, decide what metric to use. This is typically a financial statement line item (FSLI) that is important to management in measuring the performance of the company. Apply a percentage. Document why you chose that metric and percentage to support your materiality conclusion. This will also refresh your memory when you update the risk assessment next year.

Materiality in SOX risk assessments has two uses:

  • Scoping: Determining what processes and accounts are in or out of scope for the year (sometimes referred to as “planning materiality”)
  • Deficiency analysis: Determining whether control deficiencies rise to the level of a significant deficiency or material weakness (sometimes referred to as “overall materiality”)

2. Location or company scoping

Depending on your organization structure, use materiality to determine if some locations or companies can be excluded from SOX monitoring activities.

3. Map accounts to business processes

In this step, you link general ledger accounts with the business processes impacting the accounts. Instead of accounts, you can map FSLIs to business processes.

A process is also referred to as a “transaction cycle” or “significant class of transactions.”

4. Conduct quantitative and qualitative analysis

Summarize the financial impact per process or FSLI, and risk-rate a set of qualitative factors for each process, to determine the overall risk per process.

Qualitative risk factors to consider for SOX risk assessment analysis:

  • Use of judgment and estimates results in a higher rating.
  • Non-routine or non-homogeneous transactions. There is a higher risk of misstatements or errors in less frequent transactions or calculations.
  • Risk of fraud and history of fraud, errors, or deficiencies. Certain processes or accounts have a higher inherent risk of fraud. Also, consider the history of errors or control deficiencies.
  • The complexity of the process, calculations, or accounting guidance. For example, federal tax calculations are typically more complex than cash activity.
  • Lack of automation and extent of spreadsheets. Manual activity is more prone to errors.
  • Changes in process, systems, or management. These ratings will likely change from year to year due to process enhancements, system implementations, and people changes.

If you used last year’s trial balance as the base, consider planned projects and initiatives for the year and whether new processes should be incorporated into the assessment.

Again, document your rationale for assigning risk ratings to support your conclusion and refresh your memory when you update the risk assessment next year.

5. IT application scoping

Identify IT applications and databases used in each process.

Depending on the extent to which the system is used in the process, what data or reports from that system are used for financial reporting purposes, and the precision of existing manual controls, determine which applications are in scope for IT General Controls evaluation.

As part of the IT application scoping, also identify whether systems are hosted and managed internally, or whether they are cloud-based SaaS systems.

Control requirements will vary depending on the type of system.

For more on IT General Controls, read about IT SOX compliance requirements.
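The five steps above, carried through on constructed data as an added illustration (this is not the article's or Bridgepoint's own tool): a planning materiality is derived from a chosen metric and percentage, GL accounts are mapped to processes, balances are aggregated per process, and the six qualitative factors from step 4 are combined with the quantitative result into an overall rating. The trial balance, the 5% of pre-tax income threshold, the factor ratings and the High/Medium/Low combination rule are all assumptions.

```python
from collections import defaultdict

# Constructed trial balance: GL account -> (balance, business process mapped in step 3).
# Credits are negative; absolute values are used when aggregating.
TRIAL_BALANCE = {
    "1000 Cash": (1_200_000, "Treasury"),
    "1200 Accounts receivable": (3_400_000, "Order to cash"),
    "1500 Inventory": (2_900_000, "Inventory"),
    "2000 Accounts payable": (-1_800_000, "Procure to pay"),
    "2300 Income tax payable": (-350_000, "Tax"),
    "4000 Revenue": (-18_000_000, "Order to cash"),
    "5000 Cost of sales": (11_000_000, "Inventory"),
    "6000 Payroll expense": (2_600_000, "Payroll"),
    "7000 Income tax expense": (420_000, "Tax"),
    "8000 Petty cash expense": (9_000, "Petty cash"),
}
# Six qualitative factors from step 4, each rated 1 (low) to 3 (high):
# judgment/estimates, non-routine, fraud, complexity, manual/spreadsheets, change.
# Ratings are constructed assumptions, not guidance for any real company.
QUALITATIVE = {
    "Treasury": (1, 1, 2, 1, 1, 1),
    "Order to cash": (2, 1, 3, 2, 2, 2),
    "Inventory": (2, 1, 2, 2, 2, 1),
    "Procure to pay": (1, 1, 2, 1, 1, 1),
    "Tax": (3, 2, 1, 3, 3, 1),
    "Payroll": (1, 1, 2, 1, 1, 3),
    "Petty cash": (1, 1, 1, 1, 2, 1),
}

def materiality(metric_value, pct):
    """Step 1: planning materiality = chosen FSLI metric x documented percentage."""
    return metric_value * pct

def impact_by_process(trial_balance):
    """Steps 3 and 4: sum absolute GL balances into each mapped business process."""
    totals = defaultdict(int)
    for balance, process in trial_balance.values():
        totals[process] += abs(balance)
    return dict(totals)

def rate_processes(trial_balance, qualitative, mat, qual_threshold=2.0):
    """Step 4: High if material AND qualitatively high, Medium if only one,
    Low if neither (assumed combination rule). Low processes are candidates
    for exclusion; High ones are tested first."""
    ratings = {}
    for process, impact in impact_by_process(trial_balance).items():
        q = sum(qualitative[process]) / len(qualitative[process])
        points = int(impact >= mat) + int(q >= qual_threshold)
        ratings[process] = {"impact": impact, "qual_avg": round(q, 2),
                            "rating": ("Low", "Medium", "High")[points]}
    return ratings

def scope_example():
    """Constructed run: pre-tax income of 2.8M as the metric, 5% threshold."""
    return rate_processes(TRIAL_BALANCE, QUALITATIVE, materiality(2_800_000, 0.05))
```

Keep the percentage, the factor ratings and the combination rule in the documented rationale, since those are the choices an auditor will ask about next year.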

SOX Risk Assessments: Final Thoughts

It is easy to get lost in the details, so it is important to determine if the outcome reflects management’s perspective of risk related to ICFR.

Compare the overall risk ratings to the prior year’s assessment and determine if changes seem reasonable. Consider revising the assessment during the year to reflect significant changes in the organization, business or industry.

This assessment may seem daunting at first. If the risk is not assigned appropriately, significant items and systems may be excluded from the SOX monitoring scope.

Last-minute surprises may not leave enough time to implement appropriately documented controls or to remediate deficiencies. Or in contrast, you may be including more areas than required and waste time by not taking a risk-based approach.

The best way to gain efficiency and eliminate complexity in the risk assessment process is by outsourcing the initial setup, analysis and monitoring.

Bridgepoint Consulting is here to help.

Need SOX Risk Assessment Support?

Our team has a deep understanding of the complexity and expectations of planning and delivering SOX readiness and compliance services, and has proven experience meeting the rigorous demands of the regulatory environment. Collaboration between client teams, audit committees and external auditors is integral to our strategy, so we can adapt to your specific requirements and level of support.