Risk identification in Sox processes 1425

  • Hi Folks
    Drilling down from identification of significant accounts and mapping the business processes to them; the next step is the identification of financial reporting risks pertinent to assetions within these processes.
    My question is; are we required to include only those financial risks in RACMs’ which are significant or high and thus ignoring the one’s categorized as low and moderate.

    We have the debate in our deparment to consider the likelihood and consequence to assess the inherent risks. Which means that we than end up in mapping the controls for significant or high risks only?
    Is this the right approach :?:

  • The RACM may include all of the relevant control activities in connection with ICFR. However, it is only necessary to TEST the KEY CONTROLS only.
    The exercise of preparing the RACM and assessing risks will be helpful to isolate those that require testing and/or gap remediation. The development of the RACM might also be useful to establish priorities and allocate resources to remedy any sigificant control weaknesses identified.
    Try not to ‘reinvent the wheel’ by preparing a RACM from scratch. Regardless of the cycle that you are working on…Revenue and Receivables, Purchase-to-Pay, HR and Payroll, Financial Reporting and General Accounting, etc., example RACMs are currently available that have been linked to the FS Assertion, COSO Control Objective, etc. It will save you significant time and resources to simply obtain an example RACM and tailor it to suit your company and business model.
    Good Luck,

  • Before you eliminate any controls as low likelihood or low risk, you need to ensure that you have addressed each of the financial statement assertions where applicable-
    Valuation or allocation
    Rights and obligations
    Presentation and disclosure
    You can eliminate any controls that are redundant.

  • I’d recommend documenting everything – including low/moderate financial risks. As an IT person, I’ve worked with auditors for over a quarter of a century. Many times what I might percieve as low risk is viewed as a higher risk by audit 😉 🙂
    I’m sharing this with the utmost respect as sometimes the lack of controls can be offset by having highly ethical and compotent employees. Thus, as you assess financial controls, think process and not people.
    Certainly your focal points are going to be on controlling the highest risk areas initially. I would recommend including moderate risks, as a next step once the highest risk items are completed.
    If you exclude any low or moderate risks, document why and gain approval from audit . If there’s any chance of financial risk and you don’t have it covered – you would not want audit comments presented to executives or the board.
    I’ll throw in a cavet to say that I’m not versed in the letter of the law when it comes to SOX standards. I could be wrong on some of these ideas. Still, when there’s judgement involved, it’s always good to err on the side of caution and ensuring you’re adequately covered.
    Good luck on this 🙂

  • Like Harry said, the initial documentation should ideally cover all the control weaknesses, irrespective of their risk rating. A round of discussion with the auditors can be used to bring this concern of yours to their notice. Based on the discussion, they can be eliminated.
    Strictly speaking, we woul act upon rectifying only those weaknesses with high risk rating. Since SOX is all about documentation, its better to have 2 versions, one a complete RACM and the other on which you intend to act upon( i.e. the one derieved after discussion with auditors)

  • Thanks every budy specailly–Herry

  • kmaca-
    Year Two-- we divided each process by sub-processes and risk ranked each subprocess. We varied our testing levels and timing based on the risk rank. Example: for a high risk sub-process, for all of the risks/controls associated with a high risk sub-process, we did larger sample sizes and tested initially and at year-end. For medium risk sub-processes, we tested smaller sample sizes and did no year-end testing. This worked for us and downsized our testing requirements/time for the year.
    For Year Three–we were considering the same type process you are talking about. In a typical audit, you would identify the risks related to achieving your objectives, then rank the likelihood/impact for each risk. This would drive your level of documentation and testing for the controls associated with the risk. We are thinking about applying this same methodology to our RACM’s developed for SOX compliance (and scrapping our sub-process risk assessment). We would still vary our testing based on the assessment (likelihood/impact) of the risk, so that we are concentrating most of our time in high risk areas. Our question is what factors would you use to determine likelihood/impact and practically, how would you document this?

Log in to reply