SOX 404 top-down risk assessment
From Wikipedia, the free encyclopedia
In financial auditing of public companies in the United States, SOX 404 top-down risk assessment (TDRA) is a financial risk assessment performed to comply with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX 404). Under SOX 404, management must test its internal controls; a TDRA is used to determine the scope of such testing. It is also used by the external auditor to issue a formal opinion on the company's internal controls. However, as a result of the passage of Auditing Standard No. 5, which the SEC has since approved, external auditors are no longer required to provide an opinion on management's assessment of its own internal controls.
Detailed guidance about performing the TDRA is included with PCAOB Auditing Standard No. 5 (Release 2007-005 "An audit of internal control over financial reporting that is integrated with an audit of financial statements")[1] and the SEC's interpretive guidance (Release 33-8810/34-55929) "Management's Report on Internal Control Over Financial Reporting".[2][3] This guidance is applicable for 2007 assessments for companies with 12/31 fiscal year-ends. The PCAOB release superseded the existing PCAOB Auditing Standard No. 2, while the SEC guidance is the first detailed guidance for management specifically. PCAOB reorganized the auditing standards as of December 31, 2017, with the relevant SOX guidance now included under AS2201: An Audit of Internal Control Over Financial Reporting That is Integrated with An Audit of Financial Statements.[4]
The language used by the SEC chairman in announcing the new guidance was very direct: "Congress never intended that the 404 process should become inflexible, burdensome, and wasteful. The objective of Section 404 is to provide meaningful disclosure to investors about the effectiveness of a company's internal controls systems, without creating unnecessary compliance burdens or wasting shareholder resources."[5] Based on the 2007 guidance, SEC and PCAOB directed a significant reduction in costs associated with SOX 404 compliance, by focusing efforts on higher-risk areas and reducing efforts in lower-risk areas.
TDRA is a hierarchical framework that applies specific risk factors to determine the scope of, and the evidence required for, the assessment of internal control. Both the PCAOB and SEC guidance contain similar frameworks. At each step, qualitative or quantitative risk factors are used to focus the scope of the SOX 404 assessment effort and determine the evidence required. Key steps include:
- identifying significant financial reporting elements (accounts or disclosures)
- identifying material financial statement risks within these accounts or disclosures
- determining which entity-level controls would address these risks with sufficient precision
- determining which transaction-level controls would address these risks in the absence of precise entity-level controls
- determining the nature, extent, and timing of evidence gathered to complete the assessment of in-scope controls
Management is required to document how it has interpreted and applied its TDRA to arrive at the scope of controls tested. In addition, the sufficiency of evidence required (i.e., the timing, nature, and extent of control testing) is based upon management's (and the auditor's) TDRA. As such, TDRA has significant compliance cost implications for SOX 404.