Risk Rating Key Controls 1904

  • We have been using the ‘top-down’ risk-based approach for identifying significant accounts and processes, but sample sizes for key controls are basically the same based on frequency and whether they are manual or automated controls. We are looking into applying a risk factor to each control, with different sample size matrices for low, moderate or high risk controls. Our external auditors are already doing this. Is anyone risk rating their controls? If so, what criteria did you use to determine risk for each control? We are not anticipating a huge decrease in total samples tested across the company, but we are hoping this may skew the testing toward the controls with higher risk.

  • Hi,
    An approach for your consideration:
    Determine the materiality threshold used by your auditor and integrate it into the following risk rating model:
    MINOR (Rating=1)
    < USD#### impact on an individual account balance
    There is a negligible or indirect impact on the financial reports if any. The amount should be considered in conjunction with other controls and related amounts in the aggregate with this risk rating to determine the total monetary impact.
    MODERATE (Rating=2)
    USD#### to USD#### impact on an individual account balance
    The control failure may require an accounting adjustment and/or disclosure to the financial reports.
    MAJOR (Rating=3)
    USD#### to USD#### impact on an individual account balance
    The control failure will result in a material adjustment to the financial reports.
    CATASTROPHIC (Rating=4)
    > USD#### impact on an individual account balance
    The control failure will result in unreliable financial reports.
    I’ve seen risk models that make use of risk ranking with consideration of gross risk and residual risk. However, these are often difficult to interpret, subjective, and do not address the concept of materiality. The model above integrates materiality and may be considered more reliable by the auditor, especially if the materiality threshold is consistent with their assessment.
    Hope this helps,

  • We also apply a risk-based approach. I assume it is by a materiality level. However, this is determined by corporate and I am a SOX Co-ordinator for one of the subs.
    Each major financial cycle (Revenue, Expenditure, Inventory, Fixed Assets, Accrued Expenses, Payroll, Taxes, Treasury Related, Period End Reporting, Other, General Computing Controls) has been assigned a risk rating of A, B, C. Each reporting sub may be different as it applies to the company as a whole. The A, B, C rating will determine the number of times manual controls are validated over a reporting period. For example, if a given multiple-times-a-day key control is part of a high risk business cycle, it will be validated 60 times per annum, medium risk 45 times per annum and low risk 25 times per annum.
