
Common SOX scoping mistakes

This last week, I held another (the fourth) of my ‘master classes’ for SOX program leaders. In these small groups, we explore how to use a true top-down approach to ensure management’s SOX program focuses on the ‘right’ controls. (I say ‘true top-down approach’ because it extends from financial reporting risks all the way down to IT general controls and up to activities in the COSO Control Environment component – often referred to as indirect entity-level controls). We also cover techniques for minimizing the cost of the SOX program such as the value of entity-level controls, automated testing, and more. But, this post is not about the classes.

Companies have had SOX compliance programs for as many as ten years. Yet, when I talk to the leaders of those programs, I find that many are still making ‘mistakes’ that burden their company with unnecessary cost. That cost may be in external auditor fees as well as in management time, plus disruption to the business.

The more common mistakes include these five:

1. Failing to take a true risk-based approach, with the result that more controls than necessary are included in scope as ‘key controls’ and tested by both management and the external auditor.

A simple test is whether the scope includes any controls where a failure would never rise to the level of a material weakness. If they would not, how can they be key? How can it be said that they are relied upon to either prevent or detect (in a timely manner) a material misstatement of the filed financial statements?

Too many organizations are testing controls that are ‘important’ but are not key to the risk of an error that is material. Many still test controls that were identified years ago based on somebody’s checklist (usually the external auditor’s) of important controls.


2. Failing to focus on the risk of a material error. Only failures that could result in a material error need to be considered as risks for the purposes of SOX.

It is essential to understand what material means. It is not an automatic percentage of net income. It is what is important to the reasonable investor in making their buy/sell decision.

This is especially true when it comes to fraud. Fraud is only a risk that needs to be addressed in the SOX program if it would result in an error in the financial statements that is material. Most frauds fail both tests: they would not result in an error, and any such error would not be material. Fraud is much more of a threat to operational efficiency than to external financial reporting.

In addition, it is important to remember that there has to be at least a reasonable likelihood that a material error would result from a control weakness. Just because it is theoretically possible doesn’t mean that it is reasonably likely.


3. Separating responsibility for the identification of key controls between those who work on business processes (including controls at the entity level) and those who work on IT general controls (ITGC). Often, a separate IT team (whether within the IT department or a group of IT auditors) defines the IT general controls work based on a professional feel for important IT-related risks, drawn from their experience or from a checklist of ‘best practices’, rather than extending the top-down, risk-based scoping process into ITGC. The IT general controls work is then not clearly linked to the risk of material financial reporting error, which inevitably leads to a scope that is far larger than necessary, while also running the risk of missing areas that should be included.

For example, I still find companies that have included in scope controls related to viruses and back-up procedures (under pressure from the external auditors). It is extremely unlikely that either would lead to a material error, and the PCAOB included language in Auditing Standard Number 2 specifically excluding backup from scope.

Others get into controls over the operating system simply on principle rather than understanding the potential for a failure in that area resulting in a material mistake in the financial statements. That potential is, for almost everybody, rare; if there is an operating system failure it (a) is immediately apparent to both users and IT, and (b) extremely unlikely to create a change in a financial statement balance that is material and unnoticed.

The overall SOX program lead often has little authority over the work done in the IT area – and may have about the same level of understanding!

If any organization is to have a true risk-based SOX program, all of it has to be based on the risk of a material misstatement. The SOX lead has to be actively involved in everything.

The IIA has guidance on how to extend the risk-based approach into ITGC that should be mandatory reading for every SOX practitioner. The GAIT methodology is available from the IIA web site, and I have also included it in the files I share on this page of my blog.


4. Not establishing a goal for reliance by the external auditor on management testing. While people understand that the external auditor can place a lot of reliance on management’s testing of key controls, and they may have a soft goal for improving it, this opportunity to make significant reductions in the cost of compliance is often not fully appreciated.

Taking for granted that the external auditor will maximize reliance is a mistake. They won’t unless they are pushed. They may, themselves, underestimate what is possible and mistakenly inform management that they cannot, for example, place any reliance on management testing for so-called high risk areas. In fact, they can – and they often assess as high risk areas that don’t merit that label if a risk-based approach is in place.

So, organizations should (a) understand the current level of reliance, (b) set a target to improve that level and reduce total costs, and (c) execute.

One of the keys is to understand what is possible and set a target. In my last company, we had 80% reliance (across all controls, including so-called high-risk) and I have heard others achieving the same level.

Be a hero, and take a seven-figure amount out of SOX costs!

By the way, management should not assume that the external auditor has a perfect understanding of SOX and Auditing Standard Number 5. Many mistakes are being made based on imperfect directives from the externals.


5. Mistakenly believing that entity-level refers only to controls at the corporate level. In fact, controls operate at several levels within the organization (the COSO Internal Control Framework tells us that activities in all components operate at all levels of the organization).

For example, at my last company we had controllers in each country performing trend analyses and HR professionals ensuring awareness of the corporate code of conduct: in other words, we had both direct (trend analyses) and indirect (code of conduct awareness) controls operating at the country level. We also had budget to actual and trend analyses being performed at regional level, and all of these were in addition to the controls being performed at the corporate level.

Entity-level controls, both direct and indirect, can be identified at many different levels within the organization.

This is an opportunity to bring more entity-level controls into scope that are below the corporate level and operate at a higher level of precision.

I have had a lot of success bringing these in to replace a much larger number of controls at the activity level, shaving a lot of cost from the SOX program.


These five are not the only mistakes. Can you identify more? Please share.


For more on how to optimize the SOX program, see this publication from the Institute of Internal Auditors: Minimize Costs and Increase the Value of Your Sarbanes-Oxley 404 Program: Management’s Guide to Effective Internal Controls

  1. October 1, 2012 at 4:09 PM

    Hi, Norman. . .

    A colleague forwarded the link to this post to me. While I definitely agree with most of the points you raise, I think your statement that “Fraud is only a risk that needs to be addressed in the SOX program if it would result in an error in the financial statements that is material” could be improved. I’m confident you’re not recommending that companies ignore fraud risk altogether, but that it only needs to be addressed in the SOX program under the limited circumstances you identify.

    Warm regards. . .

    Dr. Bob Hurt, C.F.E.

    • Norman Marks
      October 1, 2012 at 4:46 PM

      That is 100% correct, Bob. There are many controls that are important for the business, including those that prevent or detect fraud. But the only ones that need to be included in the scope for SOX, and tested by both management and external auditors, are those relied upon to prevent or detect a material misstatement of the financials.

      Norman D. Marks, CPA, CRMA
      OCEG Fellow, Honorary Fellow of the Institute of Risk Management
      Vice President, Evangelist Better Run Business, SAP

  2. michael corcoran
    October 2, 2012 at 7:15 AM

    Thanks, Norman. Great insights on improving the efficiency and effectiveness of SOX compliance programs.

  3. Iain coles
    October 5, 2012 at 3:28 PM

    I have just overseen the completion of my company’s 2012 SOX testing programme, which is quite extensive and includes testing in three countries.
    Our external auditors have now started to review this testing and are placing a lot of reliance on management testing, but still want to independently reperform some of our key controls testing and have submitted a hefty request for additional evidence, with sample sizes that are far bigger than the number we require.
    This has caused a great deal of problems for us, since we have tried to reduce our controls testing each year. I met with a senior partner and was amazed when he confirmed that it was possible to carry out this work using the original samples that we had obtained and ‘top up’ with update samples.

    I have no idea why our auditors were unaware of this, but after five years of providing additional samples on top of what we have obtained ourselves, we now only have to provide top-up samples, which has saved us a lot of time, money and also my sanity!!

  4. Jimmy Allen, CFE, CPA
    October 7, 2012 at 8:31 AM

    Hello Norman,

    Another great post, thank you. All very good examples of common mistakes or inefficiencies in 404 compliance.

    The point I’d like to add relates to one of the biggest drivers of SOX compliance cost – TIME. That is time your employees, consultants, and external auditors are spending on SOX compliance. Surprisingly, the biggest time consuming activity in the maintenance of a SOX program is exceedingly easy to understand and to confirm as a problem within your organization.

    Drum roll please… the biggest time consuming inefficiency I’ve identified is, “explaining control activities and process functionality to others.”

    Ask your control owners how many times they’ve had to explain how a control works, how often the control is used, where the data comes from, who reviews, etc., etc., etc. They will quickly and likely with great passion tell you how much time it takes and how frustrating it is to explain the same thing over and over for every new external auditor and new hire.

    So how to deal with this issue? When I worked at a large financial services company I came up with a solution: a “simplified control structure”. What I noticed was that all financial controls fall into one of three categories: (1) reconciliation, (2) review, and (3) approval (I’ve debated whether #3 is actually a financial control but I’ll include for this discussion). For each of these controls I created standard verbiage to use with each control, entity-wide. The control verbiage contains all the pertinent information (i.e., frequency of control, source of data, position (possibly persons name) responsible for the control activity, etc.). By having standard, complete and easy to understand verbiage, the questions received by the control owners drastically decreased. A true blessing for everyone, including shareholders.

    Adopting this very simple idea can save your organization a lot of time/money and reduce employee frustration.

    There are other efficiencies to be had as well, but for another time…

  5. Jeff Kendig
    May 21, 2014 at 12:07 PM

    You make some great points, but you gloss over pressure from the external auditor and go on to speak about a reliance strategy. At the end of the day management probably has a higher risk tolerance than the external auditor, but there is an equilibrium that must be achieved for the auditor to rely on management’s work. Without alignment there will be no reliance. I’d also like your thoughts on how COSO’s update impacts the SOX assessment as the updated framework/guidance employs a more internal control centric theme than financial reporting centric (and yes, the auditors are asking how the companies are meeting the new guidelines/framework). Thanks

  6. Norman Marks
    May 21, 2014 at 12:25 PM

    Jeff, I have written several posts recently on COSO 2013 and SOX. Have you seen them? Please look here and on my IIA blog. (See details in rightmost column of this page)

  7. Norman Marks
    May 21, 2014 at 12:28 PM

    PS, management and the external auditor should have the same risk tolerance – reasonable assurance that there are no material weaknesses.

  8. Michelle
    October 21, 2014 at 6:04 PM

    Norman – Can you share with me some of the persuasive reasons which you use to increase reliance by external auditor? I recently joined a Company which has a well established IA organization for at least 7 years with a competent team of IA members. However, this Company was and is still not able to get any reliance from the external audit firm. The external audit firm did not provide specific reasons unfortunately; purely said it’s the firm audit strategy and approach. What do you recommend us to do in this situation? Please advise.

    • Norman Marks
      October 22, 2014 at 6:35 AM

      Michelle, they are not required to rely on management testing. However, the Audit Committee can put pressure on them, as can the CFO. We cover this in my SOX classes through Marcus Evans.
