April 28, 2006
One obstacle to removing risks from the SOX documentation requirement is that SOX also deals with fraud with no context regarding significance.
For risks that are deemed too insignificant to cause a significant deficiency to the financial statements, external auditors prevent their removal (especially anything related to authorization), because they relate to fraud.
Investors care about fraud at a high level of management ("cooking the books") and to a much lesser extent about employee reimbursements and others that are insignificant to a company. The controls are there; why do we need to subject them to the whole array of SOX procedures, reviews and testing? Not all fraud risks are equal. Could you please provide guidance to allow us to make the distinction?