Contents (excerpt)
Process documentation (p. 76)
Narrative (p. 76)
Use of service organizations (p. 76)
Critical spreadsheets and other end-user computing (EUC) tools (p. 87)
Scope and financial reporting risk assessment
Scoping involves determining the documentation necessary and the nature, timing and
extent of testing of controls to be performed for each significant account, disclosure and
business process. The company must identify the significant accounts and components
that will be subject to SOX. A risk assessment is completed to assist in the determination
of significant accounts. The financial reporting risk assessment is a tool used by
management to identify and analyze risks relevant to the preparation of financial
statements. The resulting classification rates the risk of material misstatement in the
significant accounts and related assertions of the financial statements.
Objective
This classification is utilized during planning and scoping and throughout the year to
determine the nature and extent of documentation and testing that is to be performed by
management. An effective risk analysis results in an assessment by management that
focuses resources on those areas of highest risk to ensure that a direct relationship is in
place between the risk that a material weakness could exist in a particular area of the
company’s controls and the amount of attention during management’s documentation
and testing of the related controls. Additionally, the risk assessment offers an opportunity
to reconcile management’s perception of risk with that of the external auditors.
Approach
The risk assessment is an integral part of a top-down approach that focuses first on
company-level controls, significant accounts, significant processes and then on
individual controls at the process, transaction or application level. The overall risk related
to each significant account is assessed to determine the nature, timing and extent of
testing of the controls related to that specific account, and eliminates, from further
consideration, accounts that have only a remote likelihood of containing a material
misstatement, and devotes less audit attention to the areas of low risk.
For listed entities or entities in regulated industries that are profitable, it is presumed that users of financial
statements focus on operating results and, in particular, income. These users often consider misstatements
greater than 5% of pretax income to be material. As such, planning materiality (PM) is typically 5% of pretax
income when pretax income is the appropriate measurement base.
PM may be increased when evidence suggests that users, including regulators, would have a higher
threshold for materiality (up to 6%-8% of pretax income). PM may also be increased when an entity is not
listed and is in an unregulated industry, and for statutory audits of subsidiaries (10% of pretax income).
In certain circumstances, a measurement basis other than pretax income may be more appropriate. When
choosing an alternative measurement basis, consideration should include what measurement basis is most
meaningful to financial statement users. The following ranges may be considered when setting PM:
The low end of the range should be considered for listed entities and entities in regulated industries. The
high end of the range should be a starting point for non-listed entities in an unregulated industry and
statutory audits of subsidiaries.1
SOX Methodology standards are set to obtain reasonable assurance of detecting material misstatements.
Tolerable error (TE) is set to reduce to an appropriately low level the probability that the aggregate of
uncorrected and undetected misstatements exceeds PM. TE should also be considered at the individual
account or balance level.
For listed entities and entities in regulated industries 50% of PM is an appropriate starting point.
For non-listed entities in an unregulated industry and statutory audits of subsidiaries, 75% of PM is an
appropriate starting point.
Expectations of misstatements
Designation in the client and engagement acceptance and continuance process
Collective understanding of the entity and industry
Past history with the entity
Assessment of risks associated with the entity
Results of our observations of the entity’s control environment and the effect on internal controls over
the financial statements.2
The concept of materiality is considered to determine which accounts are significant. Overall materiality is
based on discussion with Management, the external audit firm and planning materiality guidance. This
amount is based on the measurement basis from continuing operations adjusted for any items deemed
appropriate by Management and external audit firm such as one-time balance sheet restructuring entries.
Tolerable error is based on 50 or 75% of the overall materiality. This allows for the aggregation of
misstatements across accounts as well as for increases in account significance throughout the year.
The account balance is considered the primary quantitative risk factor for purposes of the risk assessment.
On a quarterly basis, the balance sheet and income statement accounts will be reviewed.
1 Source: EY Global Audit Methodology and Supplemental Audit Guidance – “P07_2 Determine Planning Materiality.”
2 Source: EY Global Audit Methodology and Supplemental Audit Guidance – “P07_3 Determine Tolerable Error.”
Any changes in materiality will be discussed with Management, external audit firm and the SOX Steering
Committee (or equivalent).
A classification of high, medium or low will be assigned to both the quantitative and qualitative factors.
The quantitative classification is assessed as:
High: if quantitatively greater than planning materiality
Medium: if quantitatively less than planning materiality but still consequential to the financial statements
Low: if quantitatively less than planning materiality and not consequential to the financial statements
The qualitative classification is assessed as:
High: if there are factors that represent a high inherent risk of material misstatement
Medium: if there are factors that indicate an average inherent risk of material misstatement
Low: if there are factors that indicate a minimal inherent risk of material misstatement
The following evaluation must be conducted to identify significant line items from the financial statements
and determine the significant accounts.
1. Request the year-end trial balance, statement of condition and statement of operations from Financial
Reporting, the version of which includes zero balance accounts and is grouped into financial statement
line items.
2. Verify that the trial balance agrees with the year-end financial statements. Ensure that line-item
descriptions agree with those used on the financial statements. Make changes where necessary.
A. Evaluate the significance of each line item by considering line item materiality as follows. Consider
average balances when necessary.
B. Evaluate the significance of each line item by considering qualitative factors, scored as follows:
Priority: Low, score 1
Priority: Medium, score 2
Priority: High, score 3
Scores are averaged to provide an overall conclusion as to the level of criticality of the financial
statement line as follows:
Scoring exception
Line items with one or more of the following characteristics rated high are automatically rated high
overall:
Also note that the rating for statutory requirements is not included in the average score as this
characteristic is either high or not applicable.
3. Determine the significance of the account to the overall line item. Using the trial balance mapping to the
financial statement line items, prioritize the accounts considering the following:
Volume of activity, complexity and homogeneity of the individual transactions processed through
the line item’s accounts
Susceptibility to material error or fraud (consider impact of line item on executive compensation)
Changes from the prior period in account characteristics (new complexities, new transaction types)
Accounting complexities associated with the account (e.g., estimates, valuations)
Nature of account (suspense accounts generally warrant greater attention)
Exposure to losses represented by the account or likelihood of significant contingent liabilities
arising from the activities involved
Existence of related-party transactions in the account
3 Line items ranked low are eliminated from further evaluation because there is a remote likelihood that the line item contains a
misstatement that could cause the financial statements to be materially misstated.
Overall account scoring
Accounts with one or more of the following characteristics rated high are rated high overall:
Susceptibility to material error or fraud (consider impact of line item on executive compensation)
Accounting complexities associated with the account (e.g., estimates, valuations)
Otherwise, scores are averaged to provide an overall conclusion as to the level of criticality of the account.
Refer to the Average score/line item significance table in Step 2.C. for scores.
Processes and activities related to those accounts rated medium or high will be addressed in the SOX 404
documentation and testing.4 Note that accounts with less than US$500k at 12/31 or US$500k in average
balance are not included in the scoping, as the likelihood of material misstatement is low. An exception to this
is suspense accounts.
Process documentation
Narrative
Process documentation will include a detailed narrative. Process documentation is created and updated
based on interviews with business unit personnel. These interviews will be focused on identifying the points
within the flow of transactions where data is initiated, authorized, recorded, processed and reported.
Additionally, the interviews will focus on points within the process at which a misstatement, including a
misstatement due to fraud, could occur, as these are the points where controls are necessary. Processes
over non-routine and estimation transactions often have higher risk because they are more likely to be
influenced by business risks and management decisions.
The objectives of the documentation of processes related to significant accounts and disclosures are to:
Enable management to understand the processes underlying the significant accounts from beginning
to end
Cover the initiation, authorization, recording, processing and reporting of individual transactions
Process owners will be provided with the documentation prior to finalization to ensure accuracy and
completeness as well as for approval of final documentation.
The narrative documenting the processes will include the following elements:
Use of service organizations
Although outside service organizations may be used to process financial data, management is ultimately
responsible for the internal control over this financial information and may need to assess the design and
operating effectiveness of the service organization’s internal control.
4 Accounts rated “low” are eliminated from further evaluation as there is a remote likelihood that the account contains misstatements
that could cause the financial statements to be materially misstated.
For outsourced activities, processes and functions that are considered significant to the company’s internal
control over financial reporting, the SOX Steering Committee will determine if a Statement on Standards
for Attestation Engagements (SSAE) 16 exists. If the SSAE 16 exists, the Steering Committee will:
Identify controls in place to review and evaluate the SSAE 16. The scope of this review should evaluate
the scope, period of time covered, opinion and testing exceptions within the SSAE 16.
Map the SSAE 16 user control considerations to the control identified as part of the process
documentation.
As appropriate, map the SSAE 16 control objectives evaluated by the service organization’s external
auditor to the controls identified as part of the process documentation.
If an SSAE 16 does not exist, alternate procedures may be performed. These procedures may include:
Identifying controls at the service organization and coordinating the test of identified controls with the
outsourced provider’s Internal Audit department.
Requesting the service organization auditor to perform agreed-upon procedures.
Critical spreadsheets and other end-user computing (EUC) tools
Spreadsheets and other EUC tools may be utilized for financial reporting. In addition to Excel spreadsheets,
EUC tools include Microsoft Access, Query Reports from ACCPAC, etc. As such, the control environment
and specific control activities should be considered for evaluation as part of the 404 process.
Control requirements may differ as spreadsheets/EUC tools typically have a wide range of complexity and
usage. Therefore, the uses and complexity of spreadsheets/EUC tools should be evaluated using the
following process:
1. Inventory all spreadsheets/EUC tools that are used to support significant financial processes and
utilized in the performance of a control.
2. Evaluate the use and complexity of the identified spreadsheets/EUC tools. The uses and complexity of
information contained in the spreadsheets/EUC tools should be grouped into the following categories:
High (financial). Purpose/use: Used to directly determine financial statement transaction amounts or
balances that are populated into the general ledger and/or financial statements.
Medium (analytical/management information). Purpose/use: Used to support analytical review and
management decision-making. These may be used to evaluate the reasonableness of financial amounts.
Low (operational). Purpose/use: Used to facilitate tracking and monitoring of workflow to support
operational processes, such as listing of open claims, unpaid invoices and other information that previously
would have been retained in manual, paper file folders. These may be used to monitor and control that
financial transactions are captured accurately and completely.
3. Determine the necessary level of controls for the identified spreadsheet/EUC tool based on the overall
rating of the spreadsheet/EUC tool. The importance of the integrity and reliability of the information
generated by the spreadsheet/EUC tool increases as the complexity progresses from low to high and
as usage increases. This assessment should dictate the strength of the control environment
surrounding each spreadsheet/EUC tool. This overall rating is classified utilizing the below method.
Rows give the use rating and columns the complexity rating (cell code: use letter, then complexity letter):
                          Complexity
                  Low          Medium        High
Use   High        HL  High     HM  High      HH  High
      Medium      ML           MM            MH
      Low         LL  Low      LM  Medium    LH  Medium
4. Determine the required controls that should be in place and assess existing controls. The required
controls are:
Required control: Input control. Description: Ensuring that reconciliations occur to make sure that data is
input completely and accurately. Tool rating: low, medium and high.
Required control: Logic inspection. Description: An individual other than the developer inspecting the logic
in critical spreadsheets. Tool rating: high.
Standard manual controls and processes, as described above, are used to help mitigate the risk associated
with spreadsheets/EUC tools. However, as the importance of the information generated by a
spreadsheet/EUC tool increases, reliance on manual controls and process may not be sufficient. For more
significant amounts and/or spreadsheets/EUC tools with higher complexity, it may be very difficult to
achieve an adequate level of control without migrating these functions to an application system with a more
formalized information technology controls environment.
Control inventory
Overview
A control inventory or control matrix is created to list the controls identified during the process
documentation phase. Process owners will be provided with the control inventory prior to finalization to
ensure accuracy and completeness.
Once the process documentation has been completed and risks and controls identified, the following
information is to be included in the control inventory for each process control inventory:
Key process description: Based on the mapping of accounts performed during scoping, determine the major
classes of transactions and related processes, including information technology processes, which influence
the identified significant accounts. These processes will be listed on the control inventory.
SOX key control indicator: Controls that support the financial statement assertions should be identified as
“key” controls and will be noted as such on the control library.
Anti-fraud control indicator: The SOX controls identified as anti-fraud controls during the fraud risk
assessment will be noted as such on the control inventory.
Anti-fraud key control indicator: The SOX controls identified as anti-fraud controls that must be tested per
the methodology established for the fraud risk assessment are considered key anti-fraud controls and will
be noted as such on the control inventory.
Control owner: The design and operating effectiveness of controls are the responsibility of management. To
facilitate ownership of the controls by the business unit, the primary person responsible for performing the
control will be documented.
Control description: The description of the control will include how the control is performed, who performs
the control, what data reports, files or other materials are used in performing the control and what physical
evidence, if any, is produced as a result of performing the control.
Control nature: Controls that management relies on to prevent or detect and correct errors, or to prevent or
detect fraud, may exist in any of the five COSO components. Relevant controls in each of the five
components should be identified and documented.
The two major types of controls are preventative and detective controls. Preventative controls can be either
manual or automated and are designed to prevent an error or fraud. Detective controls can be either manual
or automated and are designed to monitor the achievement of the relevant process objectives, including
identifying errors or fraud. The purpose of detective controls is to detect errors that may have occurred.
Control automation: Not all controls provide the same level of assurance. The degree of assurance over
internal control varies depending upon several factors, including the level of automation. Automated
controls can provide consistent application of a control.
Financial statement assertions: The assertions addressed by the control, drawn from the following:
Existence: this assertion addresses whether assets or liabilities of the entity exist at a
given date and whether recorded transactions have occurred during a given period.
Completeness: this assertion addresses whether all transactions and accounts that
should be presented in the financial statements are so included.
Valuation: this assertion addresses whether asset, liability, equity, revenue and expense
components have been included in the financial statements at appropriate amounts.
Rights and obligations: this assertion addresses whether assets are the rights of the
entity and liabilities are the obligations of the entity at a given date.
Presentation and disclosure: this assertion addresses whether particular components of
the financial statements are properly classified, described and disclosed.
Information processing objective: Controls should be designed and implemented to provide assurance that
transactions and balances are complete, accurate and valid, and that there is restricted access to assets
and records to prevent unauthorized changes to data or misappropriation of assets.
Although the financial statement assertions appear to be similar to the information processing
objectives, a one-for-one relationship does not exist, and they are used for different purposes.
Information-processing objectives are used to evaluate the design effectiveness of controls,
particularly application controls, within a business process. The following four information-
processing objectives are a standard to assess the integrity of the data that flows through a
process. The four objectives that will be identified in the documentation include:
1. Completeness
All recorded transactions are accepted by the system (only once).
Duplicate postings are rejected by the system.
Any transactions that are rejected are addressed and fixed.
2. Accuracy
Key data elements for transactions (including standing data) that are recorded
and input to the computer are correct.
Changes in standing data are accurately input.
3. Validity
Transactions, including the alteration of standing data, are authorized.
Transactions, including standing data files, are not fictitious and they relate to
the business.
4. Restricted access
Unauthorized amendments of data are barred from the system.
The confidentiality of data is ensured.
Company assets are physically protected from theft and misuse.
The segregation of duties is ensured.
COSO internal control component: As part of management’s assessments, the SOX Steering Committee (or
equivalent) will document the five components of internal control. Controls will be listed on the control
library.
1. Control environment
The control environment establishes the overall tone for the organization and is
the foundation for all other components of internal control. COSO includes six
sub-components of the control environment:
o Integrity and ethical values
o Commitment to competence and development of people
o Management’s philosophy and operating style
o Organizational structure
o Assignment of authority and responsibility
o Human resources policies and procedures
Participation by those charged with governance (Board of Directors, Audit
Committee, etc.)
2. Risk assessment
As part of its risk assessment process, management should determine and
consider the implications of relevant risks that could hinder the achievement of
its objectives and provide a basis for managing the risks. Management should
identify the risks of material misstatement in the significant accounts and
disclosures and related assertions of the financial statements.
3. Control activities
Control activities are the policies and procedures that help to ensure that
management’s directives are implemented. Control activities occur throughout
the organization, at all levels and in all functions. Control activities include, but
are not limited to:
o Approvals
o Authorizations
o Reconciliations
o Reviews of operating performance
o Security of assets
o Management reviews
o Performance indicators
o Segregation of duties
4. Information and communication
The information and communication component includes the systems that
support the identification, capture and exchange of information in a form and
time frame that enable personnel to carry out their responsibilities, and financial
reports to be generated accurately.
5. Monitoring
Monitoring is the continuous process that management uses to assess the
quality of internal control performance over time. There are three primary
components of monitoring:
o Ongoing monitoring occurs in the ordinary course of business and
includes regular management and supervisory activities.
o Periodic monitoring involves less frequent activities by senior
management.
o Reporting deficiencies involves reporting deficiencies to the appropriate
level of management and board of directors and remediation efforts.
Sample size guidance
The sample size is the number of records/transactions/occurrences that will be examined during the control
test. The selection of specific items to be tested from the population is called the sample.
The sample size will be determined using the chart below, as well as based on management’s direction. If
the control involves a single transaction for a given period (e.g., review of a bank reconciliation which occurs
only once during a month), the frequency of the control should be determined and the corresponding
samples size should be used (i.e., monthly control, three samples). If the control involves more than one
transaction for a given period (e.g., approval of purchase orders which occurs two to five times a day), the
population for a one-year period should be determined using the “population size” column and the
corresponding sample size should be used (daily – multiple times per day, 25 samples).
Control type | Frequency | Sample size (low/medium risk) | Sample size (high risk)
Manual | Annually | 1 | 1
Manual | Quarterly | 2 (*) | 2 (*)
Manual | Monthly | 3 | 3
Manual | Biweekly | 4 | 6
Manual | Weekly | 5 | 8
Manual | Daily | 20 | 25
Manual | Daily – multiple times per day | 25 | 40
IT-dependent | See table below
Automated | Test of one
Sample size selection for discretionary frequency controls, depending on the number of transactions which
occurred during the period considered, normally the current year:
If the population is | Use the following frequency (low/medium risk) | Use the following frequency (high risk)
1 to 12 items | Monthly frequency – 3 items | Monthly frequency – 3 items
Management’s opinion on internal controls is as of the end of a fiscal year. Therefore, evidence is needed
that the controls are operating near year-end. To achieve this objective, controls should be explicitly
validated near year-end through refreshed testing.
If the control has been enforced for the entire year, the sampling will be as follows:
Low/medium risk
High risk
If the control is a new control in the current year (e.g., remediated after January 1, 2012):
Low/medium risk
High risk
Note: If the control failed at the interim and is remediated during the year, the full population after
remediation must be tested at year-end.
In order to reduce management testing efforts, samples may be split between multiple locations. For
example, if facilities at Location A, Location B and Location C all have a similar daily multiple control that,
in substance, is the same, split daily multiple sample sizes across the three locations.
Use the following steps to determine sample sizes to be used when splitting across multiple locations:
Protocols on splitting sample sizes across multiple locations for similar controls:
When determining a sample for tests of controls, a technique should be selected that provides sufficient
appropriate audit evidence on which to conclude. The appropriate way of selecting items from the
population for testing is important to prevent us from including unintentional bias in our selection.
Defining the population from which a sample is selected is the same whether we are performing tests of
controls or tests of details, or statistically or judgmentally determining the sample size. The population is
the entire set of data on which we wish to draw a conclusion. The population shall include all transactions
during the period of coverage.
Random sampling
In applying a random sample selection method, we may use EY/Random or a random number generation
functionality (e.g., in Microsoft Excel) to generate the sample items. EY/Random is a firm-developed
program that assists us in determining which items in the population to select. Random numbers provide a
basis for selecting samples from printed listings or manual records. Before using EY/Random, we establish
a unique identification number for every sampling unit in the population. In the absence of sequentially
numbered documents, it may be difficult to establish correspondence between the random numbers and
the items in the population.5
Judgmental sampling
Judgmental sampling is appropriate when professional judgment and prior information are utilized to select
higher risk samples and is best suited when sample size populations are small or when it is not possible to
gather a complete listing of population items. Judgmental sampling should be selected sparingly and must
have suitable justification.
5 Source: EY Global Audit Methodology and Supplemental Audit Guidance – “SM_2 Audit sampling techniques and
sample selection methods.”
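As an added example (not part of the methodology document or any EY tool), the following Python applies the manual-control sample-size chart above and draws a seeded random sample from a population in which every occurrence has a unique identification number, recording the seed so another tester can re-perform the selection; it also applies the rule that a control remediated after an interim failure is tested over its full post-remediation population. The population, seed and remediation date are constructed.

```python
"""Reproducible sample selection for control testing (added example)."""
import random
from dataclasses import dataclass
from datetime import date, timedelta

# Sample sizes for manual controls, taken from the chart on this page.
# Tuple order: (low/medium risk, high risk). The "(*)" on the quarterly
# row is reproduced from the chart; its meaning is not given on the page.
SAMPLE_SIZES = {
    "annually": (1, 1),
    "quarterly": (2, 2),      # (*)
    "monthly": (3, 3),
    "biweekly": (4, 6),
    "weekly": (5, 8),
    "daily": (20, 25),
    "daily-multiple": (25, 40),
}


def sample_size(frequency: str, high_risk: bool) -> int:
    """Sample size for a manual control of the given frequency and risk rating."""
    low_medium, high = SAMPLE_SIZES[frequency]
    return high if high_risk else low_medium


@dataclass(frozen=True)
class Occurrence:
    """One performance of the control (constructed record; a real population
    would come from the system or log that evidences the control)."""
    uid: int            # unique identification number assigned before sampling
    performed_on: date


def build_population(count: int, first_day: date) -> list:
    """Constructed population: one occurrence per calendar day, uids 1..count."""
    return [Occurrence(uid=i + 1, performed_on=first_day + timedelta(days=i))
            for i in range(count)]


def select_sample(population, frequency, high_risk, seed, remediated_on=None):
    """Return (selected occurrences, record of how they were selected).

    seed: an integer documented in the workpapers; the same seed over the same
          population reproduces the same selection, so the test can be re-performed.
    remediated_on: when the control failed at interim and was remediated, the full
          population after remediation is tested, so no sampling takes place and every
          occurrence on or after this date is returned.
    """
    uids = [o.uid for o in population]
    if len(set(uids)) != len(uids):
        # Random numbers can only be mapped back to items if each item has one identifier.
        raise ValueError("every sampling unit needs a unique identification number")
    ordered = sorted(population, key=lambda o: o.uid)   # fixed order makes the seed meaningful
    record = {"frequency": frequency, "high_risk": high_risk,
              "population_size": len(ordered), "seed": seed}
    if remediated_on is not None:
        selected = [o for o in ordered if o.performed_on >= remediated_on]
        record["method"] = "full population after remediation"
    else:
        # Never ask for more items than exist; small populations are tested in full.
        k = min(sample_size(frequency, high_risk), len(ordered))
        selected = sorted(random.Random(seed).sample(ordered, k), key=lambda o: o.uid)
        record["method"] = "random sample"
    record["selected_uids"] = [o.uid for o in selected]
    return selected, record


if __name__ == "__main__":
    # Constructed daily control performed from 2 January 2012 for 250 days.
    pop = build_population(250, date(2012, 1, 2))
    sample, rec = select_sample(pop, "daily", high_risk=False, seed=20120101)
    print(rec)
```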
Testing process
Design
The test plan should include the approach, scope, sample size and documentation requirements to support
the conclusion on effectiveness.
There are four types of testing techniques performed to obtain evidence about the operating effectiveness
of controls. Those types are (listed in order of highest to lowest level of assurance obtained):
re-performance, inspection/examination, observation and inquiry.
Re-performance: Gives the greatest assurance that a control is operating effectively. The testing team will
perform validation procedures for selected controls by re-performing the control activity. An example of
when this would be used is in testing a physical inventory control when you would observe a count and
perform an independent test of quantities. This should be used when a high degree of confidence in the
control is necessary.
Inspection/examination: The most frequently used technique. This includes reviewing documents that are
used in the application of the control or results from the operation of the control. Examples include
reviewing evidence that controls are being performed, reconciliations are prepared and signed off by
supervisors, and exception reports are reviewed and marked with checkmarks or written explanations.
These testing techniques are used when there is evidence of a manual control being performed.
Observation: Used when no documentation exists and is often used in combination with inquiry.
Observation is used frequently with system controls where an error message or validation check cannot be
easily evidenced via a paper trail but can be seen on the operator’s screen.
These techniques are used when conducting a Test of Design (TOD) and/or a Test of Effectiveness (TOE).
The TOD is the initial test conducted to evaluate the adequacy of controls in place to mitigate risks. Once
this test is successfully completed, the TOE is performed to determine the effectiveness of the controls in
place to mitigate risks.
Execution
Procedures to evaluate the operating effectiveness of controls must be sufficient to determine if controls
are operating effectively.
Internal controls over financial reporting residing within business processes rated low risk will not be tested.
The rating of business processes will be re-evaluated quarterly.
Documentation
Documentation should include descriptions of the nature, timing and extent of the procedures used and
should include a list of exceptions, if any, their cause and implications on management’s assertion. All
documentation, including electronic reports and supporting data that is or may be used to test controls,
should be retained to allow others, including the external auditors, to re-perform the test.
Evaluation/interpretation
Management must determine whether each testing exception indicates a deficiency in the design or
operating effectiveness of a control, or both. This includes identifying the underlying or “root” cause of the
error to determine appropriate next steps. The identification of control exceptions may result in:
Conclusion
1. The Control Operator will conclude on the effectiveness of the individual controls based on test
results. There are three types of possible testing results:
a. Test effective: when there is reasonable evidence that, for the period and the sample
selected, the control works properly.
b. Test ineffective: when for the period and the sample selected, there exists at least one item
that is not effective, or the control does not cover the real risk. The cause of the deficiency
will be documented and an action plan carried out.
c. N/A: when no events have occurred during the period selected, thus no test can be
performed.
2. The Process Owner will conclude on the effectiveness of the collective controls in mitigating the
process risks.
3. The Process Owner certifies to the adequacy of the design and operating effectiveness of the
internal controls affecting financial statement assertions for the entire process.
Management will need to evaluate any control deficiencies and determine whether they, individually or in
the aggregate, require remediation and/or might need to be disclosed to the independent auditors and the
Audit Committee. Timely evaluation of control deficiencies will allow sufficient time for follow-up remediation
and re-evaluation of controls before management must make its assertion. All conclusions and
recommendations should be documented in writing.