Risk Definition; Risk Ranking

  • Hi there,
    I am new in SOX matters.
    I have a question about risk ranking and the fiscal impact of defined risks. Each of these elements has a certain level (low-medium-high). How can I know that a given risk is high level (risk ranking)? I think that what is high for someone could be low for others.
    Could anyone tell me the clear definition of fiscal impact?
    thx ricker

  • Hi Ricker and welcome 🙂
    As you noted, SOX Risk Mgt is indeed a ‘guesstimate’, as it requires human judgement and experience in classifying potential financial risks. One good technique is to have a group of folks work together in ranking and classifying risks (using averages, consensus, or other techniques).
    In the search below, there might be some good articles related to this.
    Please add www and paste into browser
    google.com/search?hl=en-and-q=SOX Risk Management
    You might also use the search button above and enter ‘risk’ as a search term. Also try ‘operational’ as another search, as it’s important in SOX to classify items as financial or operational risks.

  • Hi,
    For SOX purposes, it is a good idea (and recommended by the PCAOB) to use a risk-based approach to assess the design efficiency and operating effectiveness of the internal controls over financial reporting (ICFR).
    Much has been written about performing risk assessments, ranking risks, and various risk management approaches. Typically, risk is measured along two dimensions–likelihood and impact (financial impact when considered within the context of Sarbanes-Oxley). You can easily search on risk assessment on the net and find a lot of useful resources.
    However, to succinctly address your question, I suggest that you simply review the account balance(s), and if individually or in the aggregate, the amounts are material to the FS, the underlying internal control(s) should be considered within scope of SOX and should be assessed and tested. This obviates the need to spend excessive time ranking risks and more importantly, increases the objectivity of your approach for selecting the internal controls, assessing their design effectiveness and testing the operating effectiveness of them.
    You can save the risk assessment discussions after you accomplish the real goal–comply with SOX.
    Happy auditing,

  • Thanks HarryW and Milan for the help.
