Thinking outside the SOX: Let's talk about scoping
July 15, 2019
It is that time of the year when companies focus on SOX scoping. I received several requests from clients over the past weeks asking for guidance on scoping, so I would like to share some thoughts.
Assuming you have already mapped your financial statements to the right business process, the next step of your SOX scoping is to consider the quantitative and qualitative risk factors, remembering that:
- The quantitative risk factor should be applied at the financial statement line item level; but
- The qualitative risk factor should be applied at the business process level.
Regarding the quantitative risk factor, most companies use the same scoping materiality as their auditors. This is another example of why the dialogue between companies and auditors is important. Once you have decided on the scoping materiality, you can scope out the financial statement line items that are not material.
Regarding the qualitative risk factor, I like to consider the following topics and allocate a score to each business process:
- Level of Judgment & Estimates - The more the business process requires substantial judgment or places high reliance on the use of estimates, the higher the score;
- Risk of Fraud & History of Fraud or Error - The more the business process has a history of fraudulent entries or errors, the higher the score;
- Accounting & Reporting Complexities - The more the business process has complex and frequent a) accounting policy changes or b) procedures used to record financial transactions, the higher the score;
- Nature of Account & Changes - The more the business process has a) unique and large transactions and b) many changes from the prior year in account or disclosure characteristics, the higher the score; and
- Lack of Automation & Extent of End User Computing - The more the business process a) has manual transaction initiation, valuation or calculation, b) places a high reliance on end-user computing, particularly for complex calculations, or c) relies on tools not supported by IT to perform calculations and other key controls, the higher the score.
As you can imagine, the higher the combined score, the more likely the business process is to be included in the SOX programme.
Then ta-dah! You have finished this part of your scoping. The next step is to assess which components are scoped in or scoped out. But this is for another blog.