As businesses begin their SOX planning, adopting a risk-first approach to SOX can help teams drive efficiency throughout their testing year. One of the best places to begin implementing this is during the SOX risk assessment. However, before launching this foundational step of the SOX planning and scoping process, it is important to first conduct a post-mortem of the recently wrapped SOX year (unless you are SOX testing for the first time this year).
Devote time in the first few weeks of the new year to a thorough debrief session of last year with your SOX and/or internal audit team. Be sure to invite your control and process owners to this meeting; not only does this build a mentality of being on the same team, but it can also help lay the groundwork for best practices this year. Once you have documented your lessons learned and best practices for moving forward, you are ready to begin the risk assessment process.
3 Keys to a Successful SOX Risk Assessment
The SOX risk assessment is the foundation for the entire SOX program. An auditor’s goals when performing the SOX risk assessment are:
- Determine the materiality and the risks of material misstatement in the organization’s financial reporting processes.
- Refresh risk and control mappings to reflect the current control environment.
- Design test procedures to effectively test controls, based on a deep understanding of management’s expectations and risk tolerance levels.
In addition to following the guidance outlined in Auditing Standard 2110 and other relevant resources, the following are three keys to a successful SOX risk assessment.
1. Gain a baseline understanding of management’s risk tolerance and expectations.
Auditors will sometimes roll forward their SOX controls from year to year without a proper review of management’s estimates and expectations. When performing an in-depth analysis of financial and operational data, seek to understand management’s level of risk tolerance by asking questions such as:
- What will cause you to investigate a certain result or trend in company performance measures?
- What kinds of issues have you encountered, and what red flags have you looked for?
- What do you see as a risk to meeting your initiatives and goals?
Doing so will reveal the level of precision at which tasks or controls are being executed. You can then use this information to drive the basis of your risk assessment to understand what a control will (or should) identify.
Audit Leader Tip: Use your best judgment and don’t be afraid to push back and ask follow up questions.
2. Understand the company’s objectives and strategies for the year.
Seek to understand management’s main concerns and strategic initiatives for the year through interviews with executive stakeholders and other assurance providers. Doing so will help create a more holistic picture of the objectives and strategies of the organization that drive material line items. Review the results from other risk assessment procedures (enterprise risk assessment, fraud risk assessment, IT risk assessment) to further enhance and inform your understanding of business risks that could result in risks of material misstatement. Although the SOX risk assessment is separate from the enterprise risk assessment, there can be — and often are — related risk areas.
Audit Leader Tip: Approach SOX through a risk-first lens. Step back and ask yourself if something should be in scope because it is at a higher risk, even if the financials would indicate it is not in scope for the year or high on the priority list.
3. Coordinate with other assurance functions to aggregate relevant information from ALL assurance activities.
In the spirit of efficiency, collaboration, and agility, it is important to take stock of relevant work that has already been performed in your organization. Are you coordinating with related functions — e.g. internal audit, risk management, information security, compliance — to determine whether emerging risks are being considered as part of your SOX scoping efforts? Make an effort to meet regularly with other assurance team leads, as doing so can reveal insights relevant for your SOX program that may create efficiencies. For example, if your organization has a risk management function, syncing with them may help you determine whether a certain process is low risk or requires additional testing.
Audit Leader Tip: Expedite the interview and meeting process by using surveys to reconfirm risk assessment results with other assurance functions.
For SOX and audit practitioners seeking other practical ways to streamline their SOX program, download The SOX Management Playbook for a carefully curated guide of resources and best practices for each stage of the SOX lifecycle.
