A SOX risk assessment scopes the program. Under Section 404 of the Sarbanes-Oxley Act, management assesses internal control over financial reporting, and a top-down, risk-based approach decides where to focus: identify the material accounts and disclosures, the relevant assertions, and the risks of material misstatement, then map controls to those risks. The SEC's management guidance, the COSO framework, and the PCAOB's standards all organize the work around this risk assessment rather than testing every control equally.
SOX compliance is expensive when it is scoped by habit and efficient when it is scoped by risk. The risk assessment is what separates the two. It decides which accounts, processes, and controls matter for financial reporting, so that effort concentrates where a material misstatement could actually occur. This guide covers the top-down, risk-based approach, what the assessment identifies, and how it drives the rest of the program.
What the SOX risk assessment is
Section 404 requires management to assess the effectiveness of internal control over financial reporting and, for many issuers, the external auditor to attest to it. The work is organized as a top-down, risk-based approach: start at the financial statements, identify what is material and where misstatement risk lies, and scope controls to that. The SEC's interpretive guidance for management and the PCAOB's AS 2201 both describe this approach, and most issuers use the COSO Internal Control framework, in which risk assessment is one of the five components.
What it identifies
- Material accounts and disclosures. The financial statement line items and disclosures that are material, by quantitative and qualitative measures.
- Relevant assertions. For each material account, the assertions, such as existence, completeness, valuation, and rights and obligations, that could be materially misstated.
- Risks of material misstatement. What could cause each relevant assertion to be wrong, including the effect of fraud risk.
- Controls that address the risks. The controls, including entity-level controls, that are designed to prevent or detect those misstatements.
How to conduct it
Step 1: Determine materiality
Set financial-statement materiality and identify the material accounts and disclosures.
Step 2: Identify relevant assertions
For each material account, identify the assertions that could be materially misstated.
Step 3: Identify risks of material misstatement
For each relevant assertion, identify what could go wrong, including fraud risk, and rate each risk by likelihood and magnitude.
Step 4: Map controls to risks
Identify the controls that address each risk, including entity-level and information-technology general controls, and judge whether the coverage is sufficient.
Step 5: Scale testing to risk
Concentrate testing on higher-risk areas and key controls rather than testing every control equally.
Where it goes wrong
- Scoped by rote. The same controls are tested every year regardless of where risk has actually moved.
- Assertions skipped. Controls are mapped to accounts without identifying the assertions at risk, so coverage gaps go unseen.
- Fraud risk ignored. The assessment never considers how fraud could cause a material misstatement.
The SOX risk assessment is the lever that makes the program both effective and proportionate. For the wider regime, see the SOX compliance guide and the SOX glossary.
Primary sources
- Sarbanes-Oxley Act Section 404 and SEC implementing rules: Management's assessment of internal control over financial reporting.
- PCAOB AS 2110 and the COSO Internal Control framework: Risk assessment in the financial-statement audit and the control framework most issuers use.