History of SOX 404 top–down risk assessment: a timeline

SOX 404 top–down risk assessment

SOX 404 mandates a top-down risk assessment (TDRA) to guide the scope of internal control testing. Management performs this assessment to identify significant accounts and relevant assertions. The process begins at the financial statement level, then drills down to entity-level controls (e.g., tone at the top, risk assessment processes), and finally to significant processes and transactions. The goal is to pinpoint areas with a reasonable possibility of material misstatement if controls fail. While external auditors formerly provided an opinion on management's assessment, Auditing Standard No. 5 removed this requirement, focusing the external audit on the company's internal controls.

1992: COSO Framework Definition

In 1992, the COSO framework defined the five components of internal control: Control Environment, Risk Assessment, Information & Communication, Monitoring, and Control Activities.

1994: COSO Evaluation Suggestions

In 1994, evaluation suggestions were included at the end of key COSO chapters and in the "Evaluation Tools" volume which could be modified into objective statements.

2002: Sarbanes-Oxley Act of 2002 (SOX 404) Enacted

In 2002, the Sarbanes-Oxley Act of 2002 (SOX 404) was enacted, mandating that management test internal controls and external auditors provide an opinion on these controls. SOX 404 requires a financial risk assessment known as a top–down risk assessment (TDRA) to determine the scope of testing.

2007: SEC and PCAOB Direction on SOX 404 Compliance

In 2007, based on new guidance, the SEC and PCAOB directed a significant reduction in costs associated with SOX 404 compliance by focusing efforts on higher-risk areas and reducing efforts in lower-risk areas.

2007: PCAOB Auditing Standard No. 5 and SEC Interpretive Guidance

In 2007, detailed guidance for performing TDRA was included with PCAOB Auditing Standard No. 5 and the SEC's interpretive guidance, applicable for 2007 assessments for companies with a 12/31 fiscal year-end. The PCAOB release superseded PCAOB Auditing Standard No. 2, and the SEC guidance was the first detailed guidance for management.

2007: Focus on Specific MMR in Determining Scope and Sufficiency

In 2007, the guidance focused on specific material misstatement risks (MMR), rather than dollar magnitude, in determining the scope and sufficiency of evidence to be obtained at decentralized units.

2007: Fraud Risk Assessment Requirement

Under the 2007 guidance, companies are required to perform a fraud risk assessment and assess related controls, including identifying scenarios in which theft or loss could occur and determining if existing control procedures effectively manage the risk.

2007: Increased Reliance on Period-End and Management Review Controls

Under the 2007 guidance, it appeared acceptable to place significantly more reliance on period-end controls and management review controls, enabling either the elimination of transactional controls or reducing related evidence obtained.

2007: Material Misstatement Risks (MMR) Guidance

Under the 2007 guidance, risks that inherently have a "reasonably possible" likelihood of causing a material error in the account balance or disclosure are the material misstatement risks (MMR). This amended the "more than remote" likelihood language of PCAOB AS2.

June 2013: Early Stages of Development of COSO Approaches

As of June 2013, the approaches used in practice relating to the revised COSO guidance were in the early stages of development.

October 24, 2013: PCAOB Issues Staff Audit Practice Alert #11

On October 24, 2013, the PCAOB issued Staff Audit Practice Alert (SAPA) #11, which discussed significant audit practice issues regarding ICFR assessment.

December 15, 2014: COSO Revised Guidance Effective Date

On December 15, 2014, COSO issued revised guidance effective for companies with year-end dates after this date. The guidance requires control statements to be referenced to 17 "principles" beneath the five COSO "components."

December 31, 2017: PCAOB Reorganization of Auditing Standards

On December 31, 2017, the PCAOB reorganized the auditing standards. The relevant SOX guidance was then included under AS 2201: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements.