Step 1: Determine what is considered material to the P&L and balance sheet
How can this be done?
This is usually determined by calculating a certain percentage of key financial statement accounts. For example, 5% of total assets, 3-5% of operating income, or some analysis of multiple key P&L and BS accounts. It’s good to check with your CFO and external auditor to get their thoughts on this.
Step 2: Determine all locations with material account balances
How can this be done?
Analyze the financials for all the locations you do business in. If any of the financial statement account balances at these locations exceed what was determined as material (in Step 1), chances are they will be considered material and in-scope for SOX in the coming year.
Step 3: Identify transactions populating material account balances
How can this be done?
Meet with your Controller and the specific process owners to determine the transactions (i.e. debits and credits) that cause the financial statement account to increase or decrease. How these transactions occur and how they’re recorded should be documented in a narrative, flowchart, or both.
Step 4 : Identify financial reporting risks for material accounts
How can this be done?
Seek to understand what could prevent the transaction from being correctly recorded, or the risk event. Then, document the effect the risk event could have on how the account balance could be incorrectly recorded, or the breakdown of the financial statement assertion.
Step 5: Identify and document controls preventing or detecting transactions from being incorrectly recorded.
How can this be done?
Seek to identify the checks and balances in the financial reporting process that ensure the transactions are recorded correctly, and account balances are calculated accurately.
Some examples of preventative or detective controls include segregating conflicting duties (e.g. the ability to post and approve invoices), reviews of individual or multiple transactions recorded in the period, and account reconciliations.
Step 6: Determine key controls
How can this be done?
Of all the controls identified in Step 5, determine which ones, either individually or in aggregate, if operating effectively, would provide reasonable assurance that the transactions populating the material account balance will be recorded correctly. Material accounts usually, but not always, need multiple controls in place to prevent a material misstatement from occurring. You’ll have to analyze all the controls to determine which ones best provide that assurance, keeping in mind the people, process, and technology in place.