#20 | Part 4 – Top-Down Approach in Demystifying SOX 404 – Auditing Standards 5
Think about a funnel that has a broad opening at the top and gets narrower as it reaches the bottom. It's a familiar concept used in most business disciplines, right? The same idea applies to the Top-Down Approach that is part of the Auditing Standards No. 5 of PCAOB. In part 4, you will learn more about this approach so you can more easily understand SOX compliance.
If you haven’t seen the first 3 parts of this series, just click on the links below to view them in order.
Part 1 – Integrated Audit Planning
Part 2 – Fraud Risk
Part 3 – Work of Others and Materiality
This part of the series will cover the following sections under Top-Down Approach:
- Financial Statement Level
- Entity-Level Controls
- Significant Accounts and Disclosures
- Relevant Assertions
- Financial Processes and Controls
I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.
Using a Top-Down Approach
Paragraph 21 of AS5 says that this approach starts with the financial statement level. This means you will look at your balance sheet, income statement, statement of cash flows, and shareholders’ equity. Then you drop down to the next level.
Let’s break down the top-down approach and go deeper into the different levels.
Financial Statement Level
At this level, you focus on internal controls rather than looking at every single general ledger account. Let’s say you are going through the cash balance at the FS level and it’s $1 million. By using the top-down approach, you look only at the $1 million as a whole. It could be made up of one bank account in the GL or of multiple GL accounts, but that breakdown is not needed at this level. If $1 million is not risky or material, you can skip it.
Entity-Level Controls
At this level, we look at the people at the top. It’s best to know that there is a difference between the terms entity-level and company-level. Entity is broader than company. There can be different companies or subsidiaries, but they are all part of one entity. Therefore, you need to take a broader view of the overall culture, management tone, etc. This starts at the very top with the CEO, CFO, and senior management.
Significant Accounts and Disclosures
In the example of $1 million cash earlier, you may have two cash accounts that hold the biggest dollar amounts, together making up $900,000 of your $1 million total. You want to focus on those two significant accounts or on any account that may be risky. Even though you have 100 GL accounts or bank accounts, not all of them are the same. At this stage, AS5 places emphasis on significant accounts.
Also included here are the disclosures to the balance sheet, P&L, and the cash flow statement. The financial statements are not complete without disclosures such as debt or stock options. It’s important to note that the accuracy and completeness of the disclosures are also included in the scoping.
Relevant Assertions
The financial statement assertions are as follows:
- Completeness
- Accuracy
- Classification
- Existence
- Disclosure/Presentation
For assets, your focus is on the existence and accuracy of the amounts. It’s less about completeness because, for an asset, the incentive is to include all the assets on the balance sheet and to list as many assets as possible.
For liabilities, you focus on completeness and disclosure. Completeness is important because either you are not aware of liabilities because someone hasn’t told you, or you have more incentive to leave out your liabilities and show higher equity. Classification is also something to look at because if you have a certain financial covenant for your debt or lenders, you have an incentive to move something from current to long-term liability.
Financial Processes and Controls
The focus here is on financial statements and related controls. Going through a SOX audit means we narrow the scope to the impact on the financial statements and disclosures. Yes, operational risks are important to a business, but they are out of scope for SOX.
Cash and AR are both related to the order-to-cash process. Cash also overlaps with the procure-to-pay process. We then select the controls that address the risk for each of the assertions.
After Paragraph 21 of AS5, you will find a note about the auditor’s thought process.
Again, the top-down approach consists of the following: financial statement, entity-level controls, significant accounts and disclosures, relevant assertions, and financial processes and controls.
This is the end of part 4 of the Auditing Standards No. 5. If you want to learn more about ELCs, proceed to Part 5 – Entity-Level Controls.