Companies around the world have experienced tremendous changes. For publicly traded companies, those changes can bring new considerations into the frame for your Sarbanes-Oxley risk assessment. Shifts in strategy plans and a new remote, paperless way of operations could require major updates in your SOX compliance program.

In this post we’ll discuss Sarbanes-Oxley in detail and outline a step-by-step method to perform the SOX risk assessment effectively.

What Is a SOX Assessment?

The Sarbanes-Oxley Act, more commonly known as SOX, requires businesses that trade on U.S. stock exchanges to complete a management evaluation of internal controls over financial reporting (ICFR) every year.

Under Section 404(a) of SOX, management is required to test its internal controls using a top-down risk assessment (TDRA) to determine the scope of such testing. An external auditor can also use the assessment to issue its own formal opinion on the company’s internal controls. (Large publicly traded companies must have an external audit of their ICFR every year; smaller or newly public companies don’t.)

How Do You Test for Sarbanes-Oxley?

Management performs SOX testing as a self-assessment, but you can also have a dedicated SOX team do it. If needed, you can also have independent auditors (separate from your regular external audit firm) conduct an assessment.

When the testing is done by management, management is testing its own processes. When the test is facilitated by an internal audit team, the internal auditors provide a self-assessment to managers, who then respond with the necessary documentation for the internal auditors to validate.

The whole process comprises an initial assessment, followed by interim testing throughout the year, and year-end testing. The final step in the SOX testing process is performed by an outside party or external auditors.

What Is a Sarbanes-Oxley Audit?

The Sarbanes-Oxley Act requires all financial reports to include an internal controls report that confirms a company’s financial data accuracy (within 5 percent variance) and that the company has adequate controls in place to protect sensitive financial information. Year-end financial disclosure reports are also needed.

Companies hire an independent external SOX auditor to review controls, policies, and procedures for a Section 404 audit. During the audit, the auditor can interview staff to confirm whether their duties match the job description and if staff have the required training to handle financial data safely.

Steps to Performing SOX Risk Assessment

For many companies, SOX risk assessment can be a new endeavor. Below, we’ve listed six critical steps any internal auditor or controls expert can follow to perform SOX risk assessment.

Step 1: Find Out What Is Considered Material to the Profit and Loss (P&L) and Balance Sheets

Calculate a specific percentage of key financial statement accounts. For instance, this can be 5 percent of local assets, 3 to 5 percent of operating income, or analysis of the various critical P&L and balance sheet accounts. (You can confer with your CFO and external auditor to know their opinions.)

Step 2: Pinpoint All Business Locations With Material Account Balances

Conduct a thorough analysis of the financials for all your business locations. If any of the financial statement account balances exceed what was determined as material in Step 1, that specific location will be considered material and in-scope for SOX in the upcoming year.

Step 3: Identify Transactions That Are a Part of Material Account Balances

Set up a meeting with your controller and the specific business process owners to identify transactions that caused the financial statement account to increase or decrease. This can include both debit and credit transactions.

Then document how these transactions took place and how they were recorded. Use a narrative description, a flowchart, or both.

Step 4: Determine Potential Financial Reporting Risks for All Material Accounts

Think of situations or risks that could prevent the transaction from being recorded correctly. Document how the risk event would have contributed towards the account balance being recorded incorrectly or the breakdown of the financial statement assertion.

Step 5: Identify Preventative or Detective Controls That Assure All Material Transactions Are Recorded Correctly

Look for checks and balances in the financial reporting process that help record transactions correctly, and confirm that all account balances are accurate.

A few common examples of related controls are:

  • Account reconciliations;
  • Segregation of duties (having different people post and approve invoices); and
  • Reviewing individual or multiple transactions recorded in the same time period.

Step 6: Determine Key Controls

After identifying all preventative and detective controls in Step 5, find out which controls can assure all transactions comprising the material account balance are recorded correctly.

Generally, material accounts need multiple controls in place to prevent a material misstatement from taking place. You must analyze all controls to determine which ones are most suitable to provide reasonable assurance for recording accuracy based on your personnel, process, and available technology.

You can also refer to the PCAOB’s Auditing Standard #2201 to perform your SOX risk assessment.

What Are the Two Types of SOX Risks?

The Securities and Exchange Commission (SEC) has found the evidence required to support the assessment of specific material misstatement risks (MMR) should be based on two types of risk:

  1. Financial Element Misstatement Risk (Misstatement Risk)
  2. Control Failure Risk (CFR)

Both concepts together are called Internal Control Over Financial Reporting (ICFR) risk. Your company’s management will assign a misstatement risk ranking (high, medium, low) to each related account or disclosure link. This is followed by rating each key control for CFR and ICFR risk.

Once the ICFR rating is captured for each control statement, management then considers the impact of risk on the timing, nature, and extent of risk testing to associate ICFR risk with the in-scope controls identified during SOX risk assessment.

What Is Sarbanes-Oxley’s End Goal?

The purpose of SOX was to give investors more confidence in the reliability of corporate financial statements, by imposing new demands for accuracy in those statements and holding senior executives and corporate boards accountable for achieving those goals.

In the early 2000s the United States saw a prolonged period of corporate scandals, and the ensuing market meltdown ruined millions of investors. This left the people apprehensive about investing in the financial markets. SOX, enacted in August 2002, was in response to that public anxiety and dismay.

The law was also intended to bring more order (and fewer conflicts of interest) to the auditing of U.S. public companies, and to improve data retention and security to prevent fraudulent accounting and financial practices.

SOX compliance reduces the risk of fraudulent or otherwise faulty financial statements, which protects the company from litigation or regulatory enforcement. SOX compliance also indicates strong financial reporting, which helps enhance public confidence in the company.

Reciprocity’s ZenGRC can help companies struggling with SOX compliance efforts by providing them with expert help. The software streamlines and organizes the entire compliance process and automates repetitive aspects to save time and resources.

If you want to simplify SOX compliance, head over to our SOX product page to learn how ZenGRC can help and schedule a demo right away.