Let me put what’s called the “top-down (risk-based) approach” into perspective at an entity level.
According to SOX 302,
A reporting company’s CEO/CFO shall certify that:
(a)(4) “… the signing officers —
A) are responsible for establishing and maintaining internal controls;
B) have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared….”
Here, a listed company’s CEO/CFO are required to design internal controls in such a way that the company’s material information “is made known to” them “by others within those entities.”
This means that the CEO/CFO, who must have been given this responsibility (for establishing and maintaining internal controls) by the Board of Directors, shall delegate the authority to the members of their management team, who are in turn accountable for that responsibility (for designing, establishing, and maintaining such internal controls).
On Management Override –
Why do the signing officers (i.e., the CEO and CFO) need to delegate the authority to the members of management team?
The answer is: to prevent “management override.”
This means that, as the “top” management/authority authorized by the Board of Directors (BoD), the CEO/CFO would technically be able to abuse that power/authority if they retained it rather than delegating it to subordinate managers.
In other words:
The control authority/ownership shall be delegated by the signing officers to the “others,” i.e., the management team, “within those entities” in order to prevent the CEO/CFO’s “management override” of the internal controls, which are otherwise effectively designed and owned by the management team.
Accountability is the flip side of authority (delegated “top-down”)
The authority/accountability relationship within the consolidated entities is the key concept of the “top-down approach” at an entity level.
Under the COSO framework, which requires proper oversight by the BoD, the authority (for the responsibility above) should be explicitly given by the BoD first to the CEO and then to the CFO.
The subsequent authority/accountability delegations (i.e., the “top-down”) should then be clearly described in each group company’s Policies and Procedures, or more specifically, in the Roles and Responsibilities that describe each manager’s roles and responsibilities.
Managers’ “Competence” to Own Internal Control Activities
The Roles and Responsibilities should be authorized by the BoD, which thereby fulfills its proper oversight duty as dictated by the COSO framework.
And this (entity-level) “top-down” authority/accountability delegation is the backdrop of the top-down (control/SOX) audit approach at a process level as I explain here.
(Refer to para. 21 of AS 5 about the top-down approach from auditors’ perspectives.)
(Why also the risk-based approach at an entity level? Because, per the COSO Principles, risk-assessment/control authorities must be delegated first from the oversight body (i.e., the BoD or the top) to management, and then further down to junior manager levels, who in turn are accountable for the risk assessment and THEN for the controls that effectively “control” the risks (thus, “risk-based”). Refer to the same post as above for more about the risk-based approach at a process level.)
Remember that, in the context of the SOX 302 requirements, a listed company’s management, as a team, shall make known to the CEO and CFO how the material information in the company’s financial statements is ensured to be accurate.
In other words, under SOX 302, the company management shall organize the management team, under the COSO framework and the BoD’s proper oversight, in such a way that their internal controls are sure to mitigate the associated misstatement risks (to a material extent), and shall be accountable to the CEO/CFO as to how they have designed, established, and maintained such “effective” (as in SOX 404) internal controls.
This is part of the reason why one of the control attributes (or control objectives) of a management review control should always be:
The review manager’s review (or approval) “competence” is authorized by the BoD and is explicitly specified, in the Roles and Responsibilities, to be “effectively” sufficient for the competent review/approval. (See this blog post for an example of such an approval competence described as a control attribute.)
For further discussion, please refer to my blog post here.
Please also refer to my blog posts for “Why SOX?” or the summary of the SOX enactment background and “What is SOX for?” or the conceptual background of the SOX Act.