Risk Definition; Risk Ranking
ricker last edited by
I am new to SOX matters.
I have a question about risk ranking and the fiscal impact of defined risks. Each of these elements has a certain level (low-medium-high). How can I know that a given risk is high level in the risk ranking? I think that what is high for someone could be low for others.
Could anyone tell me the clear definition of fiscal impact?
harrywaldron last edited by
Hi Ricker and welcome
As you noted, SOX Risk Mgt is indeed a ‘guesstimate’, as it requires human judgement and experience in classifying potential financial risks. One good technique is to have a group of folks work together in ranking and classifying risks (using averages, consensus, or other techniques).
In the search below, there might be some good articles related to this.
Please add www and paste into browser
google.com/search?hl=en-and-q=SOX Risk Management
You might also use the search button above and enter ‘risk’ as a search term. Also try ‘operational’ as another search, as it’s important in SOX to classify items as financial or operational risks.
milan last edited by
For SOX purposes, it is a good idea (and recommended by the PCAOB) to use a risk-based approach to assess the design efficiency and operating effectiveness of the internal controls over financial reporting (ICFR).
Much has been written about performing risk assessments, ranking risks, and various risk management approaches. Typically, risk is measured along two dimensions–likelihood and impact (financial impact when considered within the context of Sarbanes-Oxley). You can easily search on risk assessment on the net and find a lot of useful resources.
However, to succinctly address your question, I suggest that you simply review the account balance(s), and if individually or in the aggregate, the amounts are material to the FS, the underlying internal control(s) should be considered within scope of SOX and should be assessed and tested. This obviates the need to spend excessive time ranking risks and more importantly, increases the objectivity of your approach for selecting the internal controls, assessing their design effectiveness and testing the operating effectiveness of them.
You can save the risk assessment discussions after you accomplish the real goal–comply with SOX.
ricker last edited by
Thanks HarryW and Milan for the help.