SOX requires the auditor to assess the risk of material mis-statements both at the transaction level and also at the financial statement level. At the financial statement level, the auditor should make an overall assessment of the risk of material mis-statement. This would mean looking at the controls envorinment and the accounting system in place at the organization.

You may ask why is risk assessment at the financial statement level so important. Well, auditors assessment at the financial statement level affects the overall audit strategy. Over and above this, risks assessed at the financial statement level help the auditor in deciding the nature, timing and extent of the testing to be performed. My experience tells me that auditors tend to limit the extent of substantive procedures if they are comfortable with the risk assessed at the financial statement level. You may want to check my posts on company level controls and indirect company level controls for some additional information.

Related Posts

Continous Auditing of Controls
How to Evaluate Internal Control Exceptions?
Role of Process Owners in SOX Compliance
Cost Estimates for Sarbanes Oxley Compliance