What is SOX 404 top-down risk assessment (TDRA)?

Why is Section 404 of SOX important?

Section 404 aims to rebuild public trust by bolstering the internal controls that underpin the accuracy and reliability of published financial information. Another part of the law, Section 103, requires direct auditor reporting on the effectiveness of public company internal controls.

In financial auditing of public companies in the United States, SOX 404 top-down risk assessment (TDRA) is a financial risk assessment performed to comply with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX 404). Under SOX 404, management must test its internal controls; a TDRA is used to determine the scope of such testing. It is also used by the external auditor to issue a formal opinion on the company’s internal controls. However, as a result of the passage of Auditing Standard No. 5, which the SEC has since approved, external auditors are no longer required to provide a separate opinion on management’s assessment of its own internal controls; the auditor instead opines directly on the effectiveness of internal control over financial reporting.

Detailed guidance about performing the TDRA is included with PCAOB Auditing Standard No. 5 (Release 2007-005, “An audit of internal control over financial reporting that is integrated with an audit of financial statements”) and the SEC’s interpretive guidance (Release 33-8810/34-55929, “Management’s Report on Internal Control Over Financial Reporting”). This guidance first applied to 2007 assessments for companies with 12/31 fiscal year-ends. The PCAOB release superseded the existing PCAOB Auditing Standard No. 2, while the SEC guidance is the first detailed guidance written for management specifically. The PCAOB reorganized its auditing standards effective December 31, 2016, with the relevant SOX guidance now included under AS 2201: An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements.

Key steps include:

  1. identifying significant financial reporting elements (accounts or disclosures)
  2. identifying material financial statement risks within these accounts or disclosures
  3. determining which entity-level controls would address these risks with sufficient precision
  4. determining which transaction-level controls would address these risks in the absence of precise entity-level controls
  5. determining the nature, extent, and timing of evidence gathered to complete the assessment of in-scope controls.

Management is required to document how it has interpreted and applied its TDRA to arrive at the scope of controls tested. In addition, the sufficiency of evidence required (i.e., the timing, nature, and extent of control testing) is based upon management’s (and the auditor’s) TDRA. As such, TDRA has significant compliance cost implications for SOX 404.


The guidance is principles-based, providing significant flexibility in the TDRA approach. There are two major steps: 1) Determining the scope of controls to include in testing; and 2) Determining the nature, timing and extent of testing procedures to perform.

Determining scope

The key SEC principle related to establishing the scope of controls for testing may be stated as follows: “Focus on controls that adequately address the risk of material misstatement.” This involves the following steps:

Determine significance and misstatement risk for financial reporting elements (accounts and disclosures)

Under the PCAOB AS 5 guidance, the auditor is required to determine whether an account is “significant” or not (i.e., yes or no), based on a series of risk factors related to the likelihood of financial statement error and magnitude (dollar value) of the account. Significant accounts and disclosures are in-scope for assessment, so management typically includes this information in its documentation and generally performs this analysis for review by the auditor. This documentation may be referred to in practice as the “significant account analysis.” Accounts with large balances are generally presumed to be significant (i.e., in-scope) and require some type of testing. New under the SEC guidance is the concept of also rating each significant account for “misstatement risk” (low, medium, or high), based on similar factors used to determine significance. The misstatement risk ranking is a key factor used to determine the nature, timing, and extent of evidence to be obtained. As risk increases, the expected sufficiency of testing evidence accumulated for controls related to significant accounts increases (see section below regarding testing & evidence decisions).

Identify financial reporting objectives

Objectives help set the context and boundaries in which risk assessment occurs. The COSO Internal Control-Integrated Framework, a standard of internal control widely used for SOX compliance, states: “A precondition to risk assessment is the establishment of objectives…” and “Risk assessment is the identification and analysis of relevant risks to achievement of the objectives.” The SOX guidance describes several hierarchical levels at which risk assessment may occur, such as entity, account, assertion, process, and transaction class. Objectives, risks, and controls may be analyzed at each of these levels. The concept of a top-down risk assessment means considering the higher levels of the framework first, to filter from consideration as much of the lower-level assessment activity as possible. There are many approaches to top-down risk assessment. Management may explicitly document control objectives, or use texts and other references to ensure its risk statement and control statement documentation is complete. There are two primary levels at which objectives (and also controls) are defined: entity level and assertion level.

Control objectives may be organized within processes, to help organize the documentation, ownership and TDRA approach. Typical financial processes include expense & accounts payable (purchase to payment), payroll, revenue and accounts receivable (order to cash collection), capital assets, etc. This is how most auditing textbooks organize control objectives. Processes can also be risk-ranked.

Identify material risks to the achievement of the objectives

One definition of risk is anything that can interfere with the achievement of an objective. A risk statement is an expression of “what can go wrong.” Under the 2007 guidance (i.e., the SEC interpretive guidance and PCAOB AS 5), those risks that inherently have a “reasonably possible” likelihood of causing a material error in the account balance or disclosure are the material misstatement risks (“MMR”). Note that this is a slight amendment to the “more than remote” likelihood language of PCAOB AS 2, intended to limit the scope to fewer, more critical material risks and related controls. Management develops a listing of MMR, linked to the specific accounts and/or control objectives developed above. MMR may be identified by asking the question: “What can go wrong related to the account, assertion or objective?” MMR may arise within the accounting function (e.g., regarding estimates, judgments, and policy decisions) or the internal and external environment (e.g., corporate departments that feed the accounting department information, economic and stock market variables, etc.). Communication interfaces, changes (people, process or systems), fraud vulnerability, management override of controls, incentive structure, complex transactions, and the degree of judgment or human intervention involved in processing are other high-risk topics. In practice, many companies combine the objective and risk statements when describing MMR. These MMR statements serve as a target, focusing efforts to identify mitigating controls.

Identify controls that address the material misstatement risks (MMR)

For each MMR, management determines which control (or controls) address the risk “sufficiently” and “precisely” (PCAOB AS 5) or “effectively” (SEC Guidance) enough to mitigate it. The word “mitigate” in this context means the control (or controls) reduces the likelihood of material error presented by the MMR to a “remote” probability. This level of assurance is required because a material weakness must be disclosed if there is a “reasonably possible” or “probable” possibility of a material misstatement of a significant account. Even though multiple controls may bear on the risk, only those that address it as defined above are included in the assessment. In practice, these are called the “in-scope” or “key” controls that require testing.

The SEC Guidance defines the probability terms as follows, per FAS 5, Accounting for Contingencies:

  1. “Probable: The future event or events are likely to occur.”
  2. “Reasonably possible: The chance of the future event or events occurring is more than remote but less than likely.”
  3. “Remote: The chance of the future event or events occurring is slight.”

Judgment is typically the best guide for selecting the most important controls relative to a particular risk for testing. PCAOB AS 5 introduces a three-level framework describing entity-level controls at varying levels of precision (direct, monitoring, and indirect). As a practical matter, control precision by type of control, in order of most precise to least, may be interpreted as:

  1. Transaction-specific (transaction-level) – Authorization or review (or preventive system controls) related to specific, individual transactions;
  2. Transaction summary (transaction-level) – Review of reports listing individual transactions;
  3. Period-end reporting (account-level) – Journal entry review, account reconciliations or detailed account analysis (e.g., utility spending per store);
  4. Management review controls (direct entity level) – Fluctuation analyses of income statement accounts at varying levels of aggregation or monthly reporting package containing summarized financial and operational information;
  5. Monitoring controls (monitoring entity level) – Self-assessment and internal audit reviews to verify controls are designed and implemented effectively; and
  6. Indirect (indirect entity level) – Controls that are not linked to specific transactions, such as the control environment (e.g., tone set by management and hiring practices).

It becomes increasingly difficult to argue that reliance upon controls is reasonable in achieving assertion-level objectives as one travels along this continuum from most precise to least, and as risk increases. A combination of type 3-6 controls above may help reduce the number of type 1 and 2 controls (transaction-level) that require assessment for particular risks, especially in lower-risk, transaction-intensive processes.

Considerations in testing and evidence decisions

The key SEC principle regarding evidence decisions can be summarized as follows: “Align the nature, timing and extent of evaluation procedures on those areas that pose the greatest risks to reliable financial reporting.” The SEC has indicated that the sufficiency of evidence required to support the assessment of specific MMR should be based on two factors: a) Financial Element Misstatement Risk (“Misstatement Risk”) and b) Control Failure Risk. These two concepts together (the account- or disclosure-related risks and the control-related risks) are called “Internal Control over Financial Reporting Risk” or “ICFR risk.” A diagram was included in the guidance (referenced in this section) to illustrate this concept; it is the only such diagram, which indicates the emphasis the SEC placed on it. ICFR risk should be associated with the in-scope controls identified above and may be part of that analysis.

Strategies for efficient SOX 404 assessment

There are a variety of specific opportunities to make the SOX 404 assessment as efficient as possible. Some are more long-term in nature (such as centralization and automation of processing) while others can be readily implemented. Frequent interaction between management and the external auditor is essential to determining which efficiency strategies will be effective in each company’s particular circumstances and the extent to which control scope reduction is appropriate.

PCAOB guidance subsequent to 2007

The PCAOB periodically issues “Staff Audit Practice Alerts” (SAPA) that “highlight new, emerging or otherwise noteworthy circumstances that may affect how auditors conduct audits under the existing requirements of the standards…” In SAPA #11, Considerations for Audits of Internal Control over Financial Reporting (October 24, 2013), the PCAOB discussed significant audit practice issues regarding ICFR assessment. These included, among other topics:

  1. System-generated reports (“Information provided by the entity” or “IPE”): Auditors (and by proxy management) must obtain additional evidence that fully automated reports and manual queries used as control inputs are accurate and complete.
  2. Entity-level controls and management review controls: Excessive reliance was sometimes placed on entity-level controls and management review controls (similar conceptually to period-end controls), which were insufficiently precise to reduce the risk of material misstatement to the “remote” level. SAPA #11 provides additional criteria to assist in this evaluation of precision.
  3. Criteria for investigation: Auditors did not always obtain sufficient evidence that management’s controls were executed effectively where unusual variation outside of specified tolerances was noted. For example, management may have signed a control report saying it was reviewed but provided no other documentation of investigation, despite some unusual activity on the report. SAPA #11 states: “Verifying that a review was signed-off provides little or no evidence by itself about the control’s effectiveness.”

SAPA #11 may translate into more work for management teams, which may be required by auditors to retain evidence that these reports and queries were accurate and complete. Further, management may be required to retain additional evidence of investigation where detective control report amounts contain transactions or trends outside of predefined tolerance ranges.
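The three SAPA #11 points above (IPE accuracy and completeness, precision of a review control, and documented investigation of variances rather than a bare sign-off) can be turned into checks that produce retainable evidence. The following is an added example written for this page, not code from the PCAOB, the SEC, or any issuer. It assumes a hypothetical utility-expense review control: the general-ledger rows are the system of record, the report the reviewer signs is the IPE, the 10% tolerance and all amounts are constructed, and the investigation record fields (`performed_by`, `finding`, `resolution`) are an assumed documentation standard.

```python
import hashlib
import json

# Constructed sample data (not from the page): general-ledger rows (system of
# record) and the prior-period balances the fluctuation review compares against.
GL_ROWS = [
    {"account": "6100-Utilities", "store": "S01", "amount": 1200.00},
    {"account": "6100-Utilities", "store": "S02", "amount": 1350.00},
    {"account": "6100-Utilities", "store": "S03", "amount": 4100.00},
    {"account": "6200-Rent", "store": "S01", "amount": 9000.00},
    {"account": "6200-Rent", "store": "S02", "amount": 9000.00},
]
PRIOR_PERIOD = {"6100-Utilities": 4000.00, "6200-Rent": 18000.00}
TOLERANCE_PCT = 10.0  # hypothetical threshold for the review control


def canonical_digest(rows):
    """Order-independent SHA-256 of the rows, so the signed report can be tied
    to exactly the data the control operated over (evidence of accuracy)."""
    canon = sorted(json.dumps(r, sort_keys=True) for r in rows)
    return hashlib.sha256("\n".join(canon).encode()).hexdigest()


def ipe_check(source_rows, report_rows):
    """Completeness: row count and control total agree with the source.
    Accuracy: the row contents are identical (digests match)."""
    src_total = round(sum(r["amount"] for r in source_rows), 2)
    rpt_total = round(sum(r["amount"] for r in report_rows), 2)
    return {
        "row_count_match": len(source_rows) == len(report_rows),
        "control_total_match": src_total == rpt_total,
        "digest_match": canonical_digest(source_rows) == canonical_digest(report_rows),
        "source_total": src_total,
        "report_total": rpt_total,
    }


def fluctuation_exceptions(report_rows, prior_period, tolerance_pct):
    """Account-level fluctuation analysis: return every account whose movement
    against the prior period exceeds the tolerance (the items a reviewer must
    investigate), plus accounts with no prior balance to compare against."""
    current = {}
    for r in report_rows:
        current[r["account"]] = current.get(r["account"], 0.0) + r["amount"]
    exceptions = []
    for acct, cur in sorted(current.items()):
        prior = prior_period.get(acct)
        if not prior:
            exceptions.append({"account": acct, "pct_change": None, "reason": "no prior balance"})
            continue
        pct = round((cur - prior) * 100.0 / prior, 2)
        if abs(pct) > tolerance_pct:
            exceptions.append({"account": acct, "pct_change": pct, "reason": "outside tolerance"})
    return exceptions


def evaluate_review_control(source_rows, report_rows, prior_period,
                            tolerance_pct, investigations, signed_off):
    """Decide whether retained evidence supports the control as operating
    effectively. A sign-off alone never suffices: the IPE must reconcile to its
    source and every exception needs a documented investigation."""
    ipe = ipe_check(source_rows, report_rows)
    exceptions = fluctuation_exceptions(report_rows, prior_period, tolerance_pct)
    required = ("performed_by", "finding", "resolution")
    uninvestigated = [
        ex["account"] for ex in exceptions
        if not all((investigations.get(ex["account"]) or {}).get(k) for k in required)
    ]
    effective = bool(signed_off and ipe["row_count_match"] and ipe["control_total_match"]
                     and ipe["digest_match"] and not uninvestigated)
    return {"ipe": ipe, "exceptions": exceptions,
            "uninvestigated": uninvestigated, "effective": effective}


if __name__ == "__main__":
    # Reviewer signed the report but documented nothing: utilities moved 66.25%
    # against a 10% tolerance, so the control is not evidenced as effective.
    result = evaluate_review_control(GL_ROWS, GL_ROWS, PRIOR_PERIOD, TOLERANCE_PCT,
                                     investigations={}, signed_off=True)
    print(json.dumps(result, indent=2))
```

The digest and control-total comparison is what answers the IPE question; the exception list is what the reviewer is expected to act on; and `uninvestigated` is the gap SAPA #11 calls out, a signed report with unexplained variances. A truncated extract (one row missing) fails `row_count_match` and `digest_match` even when the reviewer has signed, and it is the retained `ipe` record, not the signature, that an auditor can test.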
