Thinking outside the SOX: Let's talk about scoping

15 July 2019

It is this time of the year when companies focus on SOX scoping. I received several requests from clients over the past weeks asking about guidance about scoping, so I would like to share some thoughts.

Assuming you have already mapped your financial statements to the right business process, the next step of your SOX scoping is to consider the quantitative and qualitative risk factors remembering that:

- Quantitative risk factor should be applied at the financial statement line items level; but
- Qualitative risk factor should be applied at the business process level.

Regarding the quantitative risk factor, most companies use the same scoping materiality as their auditors. This is another example of why the dialogue between companies and auditors is important. Once you decided the scoping materiality, you can scope out the financial statement line items that are not material.

Regarding the qualitative risk factor, I like to consider the following topics and allocate a score to each business process:

● Level of Judgment & Estimates - The more the business process requires substantial judgment or places high reliance on the use of estimates, the higher the score;
● Risk of Fraud & History of Fraud or Error - The more the business process has a history of fraudulent entries or errors, the higher the score;
● Accounting & Reporting Complexities - The more the business process has complex and frequent a) accounting policy change or b) procedure used to record financial transactions, the higher the score;
● Nature of Account & Changes - The more the business process has a) unique and large transactions and b) many changes from the prior year in account or disclosure characteristics, the higher the score; and
● Lack of Automation & Extent of End User Computing - The more the business process a) has either manual transaction initiation, valuation or calculation or b) places a high reliance on end-user computing, particularly for complex calculations or c) relies on tools not supported by IT to perform calculations and other key controls, the higher the score.

As you can imagine, the higher the combined score, the more likely the business process is to be included in the SOX programme.

Then Ta-dah! You finished this part of your scoping. The next step is to assess which components are scoped in or scoped out. But this is for another blog.

Jerome Donny | SOX Centre of Excellence Leader
Profile | Email | +44 (0)7715 033972

More articles by Jerome Donny



Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated and will not appear until the author has approved them.