1.3. RISK-BASED, TOP-DOWN EVALUATION APPROACH

In the years immediately following the effective dates of SOX 404, many companies adopted an evaluation approach that started by identifying all (or nearly all) of the company's controls and then documenting and testing each one to determine whether internal control as a whole was effective. As you can imagine, this approach was extremely time consuming and costly. Moreover, this bottom-up approach was unnecessary to achieve the overall objective of management's evaluation.

In 2007, the SEC revised its rules to clarify its original intent and to resolve any ambiguity about management's evaluation approach that may have existed. Of primary importance was providing direction on how to properly scope the engagement, or scale it to account for differing circumstances between entities.

The resulting rules explicitly state that there is no requirement for management to include all controls in its evaluation. Instead, management should use a "risk-based, top-down" approach to plan and perform its evaluation of internal control.

In general, the key steps in this approach include:

  • Identification of misstatement risk. Management should use its knowledge of the business, external events, and circumstances and the application of generally accepted accounting principles (GAAP) to identify risks that the entity's financial statements could be misstated.

  • Assessment of misstatement risk. Management should assess the relative magnitude of the identified misstatement ...
