Scoping for Sarbanes Oxley can be a tiring and confusing process. One solution for company's can be to conduct a pre-sarbanes oxley self assessment. This can be done using the existing structure by the owners of the company. Such self assessment for 404 purposes can either be done at the business entity level or in case business is geographically disbursed at the location level. Each location should assess the level of its own risk and can grade itself on risk materiality. The 404 project team can then compile the data received from all locations. A questionnaire can be prepared for locations with less risk to document and test controls. The internal audit department can then take over and perform an independent assessment of controls. The above approach is the bottom up approach.

Coming to the top down approach for control self assessment. This is more suitable for companies not having a formal self assessment process in place. Based on pre-determined criteria, locations and controls can be
decided which fall within the testing scope. The bottom up approach is suitable for companies having a formal self assessment function. Both the approaches have their own advantages. Keeping timelines into view, a bottom up approach is considered much better. On the other hand, many companies believe a top down approach helps is focusing on areas of risk. Whatever approach one takes, it should focus on level of risk at each location and obtaining auditor agreement early on. I personally feel a hybrid approach combining the benefits of both approaches would be best.

Related Posts

How to Select the Right Audit Committee
Audit Techniques - Walkthrough
Scoping for ITGC
Role of Process Owners in 404 Compliance