4/3/08: SOX 404 Audits

SOX 404

The US Congress passed the Sarbanes-Oxley Act in 2002 to strengthen the auditing process for corporate financial statements and to impose requirements on management to assess and report on the effectiveness of internal controls over financial reporting (ICFR). SOX 404 applies to:

  • Controls over the period-end financial reporting process, in particular, "The design of controls over relevant assertions related to all significant accounts and disclosures in the financial statements."
  • Controls designed to prevent or detect fraud, including who performs the controls and the related segregation of duties
  • Controls over safeguarding of assets

All of this requires the business to document and present to the auditors extensive information about how significant transactions are initiated, authorized, recorded, processed, and reported. In addition, the business needs to systematically test these controls and evaluate the results.

SOX audits are resource-intensive, costly processes and are prone to disagreement between management and outside auditors as to scope and prioritization. In the early years of implementation the audit community expanded its SOX 404 focus from reviewing the financial accounting processes to assessing IT controls that impacted processes and applications far beyond the preparation of financial statements. This led to questions from management as to how these processes and applications fell under the scope of SOX 404. The SEC issued a statement in 2007 that:

"For purposes of the evaluation of ICFR, management only needs to evaluate those IT general controls that are necessary for the proper and consistent operation of other controls designed to adequately address financial reporting risks. For example, management might consider whether certain aspects of IT general control areas, such as program development, program changes, computer operations, and access to programs and data, apply to its facts and circumstances. Specifically, it is unnecessary to evaluate IT general controls that primarily pertain to efficiency or effectiveness of a company’s operations, but which are not relevant to addressing financial reporting risks."

As a result, identifying material "financial reporting risks" is critical to implementing an efficient SOX 404 assessment. This is further emphasized by the Public Company Accounting Oversight Board (PCAOB), the body created by Congress to oversee the implementation of SOX:

"Risk assessment underlies the entire audit process described by this standard, including the determination of significant accounts and disclosures and relevant assertions, the selection of controls to test, and the determination of the evidence necessary for a given control." Auditing Standard 5

If a business lacks an effective method of assessing risk and prioritizing accounts, processes and controls, it will be at the mercy of the accountants, who will establish their own criteria and scope. In addition, if the auditors identify a "material weakness" that may need to be disclosed to the public, the business will need to raise a convincing argument that the weakness does not rise to the level of "material" in order to avoid a significant hit to the company's reputation.

The accounting standards provide little guidance on the process that should be used to assess and prioritize risk. While such terms as "key", "material", "severity", and "magnitude" are frequently used by the SEC and PCAOB, no guidance is provided for how these terms should be objectively quantified. For example, in Auditing Standard 5 the PCAOB defines "material weakness" as, "[A] deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis." Since the PCAOB provides no objective method for prioritizing risk and identifying what is "material", the definition is circular and subject to differing interpretation.

In this environment where risk is poorly defined and the audit consequences are significant, a business must be able to fill the void with a clear and objective risk assessment methodology. The Simple Risk Model can provide several benefits in this area:

  • By establishing Impact on the basis of Confidentiality, Integrity and Availability, the Model will identify the significant Inherent Risks associated with SOX 404 processes. In addition, the Impact assessment provides a specific risk rating for the "Integrity" component and will assist in minimizing the possibility that audits will become sidetracked by Confidentiality and Availability issues.
  • Through the use of tools such as the Model spreadsheet, the business can prioritize its risks, processes and controls, which will lead to an objective, defensible identification of "entity-level controls", "material weaknesses", "significant accounts", etc.
  • There is a temptation for financial control organizations to create independent risk assessment programs to address SOX 404 audits. The Simple Risk Model is founded on the principle that SOX 404, Basel II, information security, business continuity and related disciplines are part of Operational Risk and subject to the same risk methodology. The use of the Simple Risk Model approach minimizes the chance that competing, incompatible risk programs will be created within the organization.
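The following script illustrates the first two points above: rating each process on Confidentiality, Integrity and Availability, then scoping the SOX 404 review on the Integrity component alone so that processes whose risk is driven by Confidentiality or Availability do not pull the audit off course. This is an added example, not the Simple Risk Model spreadsheet or any code from this site; the 1-5 scales, the "highest impact times likelihood" formula, the scoping threshold and the process inventory are all assumptions constructed for the illustration.

```python
"""
Illustrative SOX 404 scoping by Integrity impact (added example).

The page describes the Simple Risk Model only in outline, so everything
quantitative here is an assumption: the 1-5 ordinal scales, the risk
formula, the scoping threshold and the sample process inventory.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # assumed 1 (negligible) .. 5 (severe) ordinal scale


@dataclass(frozen=True)
class Process:
    name: str
    confidentiality: int  # impact if the process's data is disclosed
    integrity: int        # impact if records or calculations are wrong
    availability: int     # impact if the process is unavailable
    likelihood: int       # likelihood of failure before controls are applied

    def __post_init__(self):
        for field in ("confidentiality", "integrity", "availability", "likelihood"):
            value = getattr(self, field)
            if value not in SCALE:
                raise ValueError(f"{field} must be in 1..5, got {value}")


def inherent_risk(p: Process) -> int:
    """Overall inherent risk: highest of the three impacts times likelihood (assumed formula)."""
    return max(p.confidentiality, p.integrity, p.availability) * p.likelihood


def integrity_risk(p: Process) -> int:
    """Risk seen through the Integrity lens only, i.e. the financial reporting risk."""
    return p.integrity * p.likelihood


def ranked_by_inherent(processes):
    """All processes ranked by overall inherent risk, highest first."""
    return sorted(processes, key=lambda p: (-inherent_risk(p), p.name))


def sox_scope(processes, threshold: int):
    """Processes whose Integrity risk meets the threshold, ranked highest first."""
    in_scope = [p for p in processes if integrity_risk(p) >= threshold]
    return sorted(in_scope, key=lambda p: (-integrity_risk(p), p.name))


# Constructed sample inventory; ratings are illustrative, not measured.
INVENTORY = [
    Process("General ledger close", 3, 5, 3, 3),
    Process("Payroll calculation", 4, 5, 3, 2),
    Process("Customer web portal", 5, 2, 5, 4),
    Process("Email/collaboration", 3, 1, 4, 4),
    Process("Fixed asset register", 2, 4, 2, 3),
]

SOX_THRESHOLD = 10  # assumed cut-off agreed with the auditors


if __name__ == "__main__":
    print("Overall inherent risk ranking:")
    for p in ranked_by_inherent(INVENTORY):
        print(f"  {inherent_risk(p):3d}  {p.name}")
    print(f"\nSOX 404 scope (Integrity risk >= {SOX_THRESHOLD}):")
    for p in sox_scope(INVENTORY, SOX_THRESHOLD):
        print(f"  {integrity_risk(p):3d}  {p.name}")
```

Run as-is, the overall ranking is led by the customer portal and the email system, both of which score high on Confidentiality and Availability; the Integrity-based scope instead contains only the general ledger close, the fixed asset register and payroll. Keeping the two lists separate is what lets the business show an auditor why a high-profile system is out of SOX 404 scope while still tracking it in the wider operational risk register.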