How to perform SOX process scoping?



  • I am joining a company (subsidiary of a company listed in SEC) to primarily do SOX implementation.
    I have this approach in mind:
    1) Obtain materiality level guidance from HQ in US (for both P_and_L and Bal Sheet)
    2) Review the trial balance accounts and sieve out those that fall within materiality level
    3) Map operations process and sub-processes e.g., Finance, Sales, IT to each identified trial balance account
    4) Use Completeness, Accuracy, Validity and Restricted Access concept to chart out Control Objectives for each process and sub-process
    5) Identify and remediate control gaps
    6) Quantify control weakness and determine materiality impact
    Are the above steps correct?
    Thank you very much in advance.



  • I do not see the infamous top-down risk based approach in your list.
    Basically, you need to assess the risk of a material misstatement of the consolidated financial statements. The fact that an item is quantitatively large and thus material does not make it in scope unless the risk that it is misstated is at least reasonably possible. Only the controls that mitigate risks with at least a reasonably possible likelihood of occurrence and a material impact on the consolidated financial statements are key controls and need to be tested.
    Also, all your steps seem to be at the process level and seem to focus on process-level controls only. What about the entity-level controls (i.e. the control environment with the hiring and termination practices, the competence of the people, compensation, etc. and the monitoring of the effectiveness of internal control through internal audit or other personnel)? If you find a control weakness in the entity-level controls, it usually has a pervasive impact on several process-level controls. For example, an incompetent or lazy manager may make numerous mistakes because he does not have the technical accounting knowledge, or is too lazy to research it, or too lazy to review the work of his staff.
    I recommend checking out the SEC’s interpretive release for assessing the effectiveness of internal control over financial reporting and PCAOB Auditing Standard No. 5 in order to determine an approach.



  • You have raised some excellent points there gmerkl and I agree with you 100%. I do find this entity level control theme somewhat interesting though.
    I can understand where there is a direct entity level control that this strengthens the control environment. An analytical review of a predictive expense item such as payroll would be a good example where material errors would be picked up and investigated without having to drill down and test the grass root controls.
    These indirect entity level controls are however less clear to me. The original guidance used to emphasise tone at the top heavily, although it doesn’t seem as strong a theme coming from our auditors with the revised guidance. Your example would have been picked up in the testing of the processes because controls would have not happened or would have operated incorrectly.
    So for these indirect controls such as code of conduct, etc. do you test them in detail (I have seen some spend a good 3 months reviewing their indirect entity level controls)? Alternatively, because these controls impact the likelihood of an error, do you establish what is in place at the top level and adjust the risk assessment (and its associated impact on testing, sample sizes, etc.) instead?



  • Hi,
    Recently, the SEC Advisory Committee on Improvements to Financial Reporting published a draft document that does not directly address SOX requirements, but indirectly does so by proposing changes with respect to certain financial reporting considerations, namely to better define and establish the concept of materiality for financial reporting and disclosure purposes.
    I suggest that you take the time before scheduling further work on your current SOX compliance project to fully understand the materiality guidance that you receive from your HQ US Office when planning and making scope decisions regarding SOX compliance.
    The compliance approach in your post seems to be mechanical, reliant upon quantitative FS balances, and the conclusions reached about control weaknesses and their materiality impact could lead to an incorrect assessment of your SOX compliance status. English - you might wrongly conclude that you are not SOX compliant based on mechanical tests and following a ‘cook book’ approach to controls design and assessment of operating effectiveness.
    I believe that this additional suggestion, along with the other insightful comments and feedback to your question, will encourage you to complete a thorough review of the company level controls (CLCs) so that you can focus on the real risks versus perceived (possibly non-relevant) risks that may be identified by simply applying the standard 5% materiality threshold to your planning efforts.
    Good luck and happy auditing.
    Milan
    http://www.sec.gov/about/offices/oca/acifr/acifr-dfr-071108.pdf



  • My view is also influenced by the fact that I have only been an internal auditor at the beginning of my career and then moved into accounting including management roles at various companies in various industries and have experienced good and bad superiors, direct reports and clerks.
    My guess is that external auditors do not do much entity-level testing because there are fewer straightforward tests, it is more psychological and less numbers-oriented, and any opinions are more judgemental.
    How would you test somebody’s technical competence? You could ask generic questions about more complex accounting issues in his field and, based on his evasive or non-evasive answers and the correctness of his answers, determine whether he knows his salt. You can also ask him how he ensures that he stays up-to-date with the latest developments in standards, interpretations and industry practice, and which accounting standards or changes recently came into force or will come into force that impact his area. You could also interview his direct reports in private about their opinion of their boss’s technical competence if they have a technical question, and how they get continuous training or train themselves.
    Less efficient, but additional tests could be if and which reference persons were interviewed before hiring the person and which standard questions were asked. It’s amazing that incompetent guys can get hired and that even people who committed improper actions (i.e. criminal actions for which they were not charged in court due to fear of breaching banking secrecy and a loss of reputation for banks) get hired at new companies due to a lack of reference checks or an over-emphasis on data protection and personal secrecy by the former employer.
    The technical competency of people is one of the main pervasive controls for technically more complex or new/changed accounting issues. The direct reports’ opinion about adequate information and communication and the clear assignment of responsibilities, adequate identification of errors in one’s work by the boss’s review (if you find your own mistakes and the boss didn’t), etc. is also a good input for the risk assessment.
    In the end, quality in financial reporting boils down to technical competence and good people management skills.



  • I am joining a company (subsidiary of a company listed in SEC) to primarily do SOX implementation.
    I have this approach in mind:
    1) Obtain materiality level guidance from HQ in US (for both P-and-L and Bal Sheet)
    2) Review the trial balance accounts and sieve out those that fall within materiality level
    3) Map operations process and sub-processes e.g., Finance, Sales, IT to each identified trial balance account
    4) Use Completeness, Accuracy, Validity and Restricted Access concept to chart out Control Objectives for each process and sub-process
    5) Identify and remediate control gaps
    6) Quantify control weakness and determine materiality impact
    Are the above steps correct?
    Thank you very much in advance.
    Hi Foofam,
    I like your approach. However, to ensure that you don’t leave out anything important, you may want to check out this site which I came across. They deal with Identity Access Management and related tools for integrating general regulatory compliance into the company’s overall operations. You may want to try it.
    Erica Rowlet

