SOX ICFR Risk Assessment: A Practitioner's Guide

The short version

A SOX risk assessment scopes the program. Under Section 404 of the Sarbanes-Oxley Act, management assesses internal control over financial reporting, and a top-down, risk-based approach decides where to focus: identify the material accounts and disclosures, the relevant assertions, and the risks of material misstatement, then map controls to those risks. The SEC's management guidance, the COSO framework, and the PCAOB's standards all organize the work around this risk assessment rather than testing every control equally.

SOX compliance is expensive when it is scoped by habit and efficient when it is scoped by risk. The risk assessment is what separates the two. It decides which accounts, processes, and controls matter for financial reporting, so that effort concentrates where a material misstatement could actually occur. This guide covers the top-down, risk-based approach, what the assessment identifies, and how it drives the rest of the program.

What the SOX risk assessment is

Section 404(a) requires management to assess the effectiveness of internal control over financial reporting, and Section 404(b) requires the external auditor of an accelerated or large accelerated filer to attest to that assessment. The work is organized as a top-down, risk-based approach: start at the financial statements, identify what is material and where misstatement risk lies, and scope controls to that. The SEC's 2007 interpretive guidance for management and the PCAOB's AS 2201 both describe this approach, and most issuers evaluate against the COSO Internal Control framework, in which risk assessment is one of the five components (alongside the control environment, control activities, information and communication, and monitoring activities).

What it identifies

The assessment identifies the material accounts and disclosures, the relevant assertions for each (for example existence, completeness, valuation, and presentation), the risks of material misstatement for each assertion including fraud risk, and the controls that address those risks. Its output is the scope: the set of controls that are documented, mapped to risks, and tested.

How to conduct it

Step 1: Determine materiality

Set financial-statement materiality and identify the material accounts and disclosures.

Step 2: Identify relevant assertions

For each material account, identify the assertions that could be materially misstated.

Step 3: Identify risks of material misstatement

For each relevant assertion, identify what could go wrong, including fraud risk, and rate it by likelihood and potential magnitude.

Step 4: Map controls to risks

Identify the controls that address each risk, including entity-level and information-technology general controls, and judge whether the coverage is sufficient.

Step 5: Scale testing to risk

Concentrate testing on higher-risk areas and key controls rather than testing every control equally.

Where it goes wrong

The common failure is scoping by habit: carrying forward last year's control list, testing every control with the same depth regardless of its risk, and treating the risk assessment as a document produced after the scope is already set. The symptoms are predictable: controls that map to no identified risk, risks of material misstatement with no control mapped to them, and testing effort spread thinly across low-risk areas while high-risk assertions and the information-technology general controls that support them get no more attention than anything else.

The SOX risk assessment is the lever that makes the program both effective and proportionate. For the wider regime, see the SOX compliance guide and the SOX glossary.

Primary sources

Sarbanes-Oxley Act of 2002, Section 404 (management assessment of internal controls)
SEC Release No. 33-8810, Commission Guidance Regarding Management's Report on Internal Control Over Financial Reporting (2007)
PCAOB AS 2201, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements
COSO, Internal Control - Integrated Framework (2013)

Common questions

What is a SOX risk assessment?
It is the top-down, risk-based analysis that scopes a SOX program: identifying the material accounts and disclosures, the relevant assertions, and the risks of material misstatement, then mapping controls to those risks. It concentrates testing where a material misstatement could occur rather than testing every control equally.
What is the top-down, risk-based approach?
An approach described in the SEC's management guidance and PCAOB AS 2201 that starts at the financial statements, identifies what is material and where misstatement risk lies, and scopes controls to that risk, rather than working bottom-up through every control.
How does COSO relate to the SOX risk assessment?
Most issuers evaluate internal control over financial reporting against the COSO Internal Control framework, in which risk assessment is one of the five components. The SOX risk assessment operationalizes that component for financial reporting.
What does the SOX risk assessment identify?
Material accounts and disclosures, the relevant assertions for each, the risks of material misstatement including fraud risk, and the controls that address those risks. The output scopes the controls that are documented and tested.
From the team behind this guide

A SOX scope driven by risk, not habit

Compliance Command Center applies the top-down, risk-based approach to scope ICFR work where a material misstatement could occur, mapping risks to controls with the reasoning documented. Practitioners build it, with a human reviewing every deliverable, so the scope holds up with the external auditor.