Opportunity Detected.

* The crux of the SEC's interpretive guidance for management is a top-down, risk-based approach that puts risk first and foremost. Four key areas of opportunity can be used to reduce an organization's overall SOX 404 compliance effort-risk assessment, entity-level controls, control selection and testing approach. * AS5 complements the SEC interpretive guidance to management and includes the following key points: * Risk assessment underlies the entire audit process. * Evaluation of entity-level controls can result in increasing or decreasing the testing that otherwise would be performed on controls at the process, transaction or application levels. * Auditors are specifically permitted to consider the nature, timing and extent of procedures performed in the prior year and the results of those procedures in determining the risk associated with a particular control. * The standard makes it easier to use the work of others and allows auditors to use direct assistance from other parties in performing walk-throughs. * The external auditor will no longer be required to opine on management's assessment. * The definition of a material weakness was changed to conform to FASB Statement no. 5 and the definition of a significant deficiency was changed to focus the auditor on the communication requirements rather than scoping issues. * The authors recommend a "stop-rethink-reuse" strategy for implementing the new guidance: Stop. To avoid changing simply for the sake of change, risk should be at the center of any adjustments that are made to existing compliance frameworks. Rethink. With risk at the forefront, management should consider increasing the rigor of its existing risk assessment to focus on financial reporting elements that represent a higher risk of material misstatement to the financial statements. Reuse. Once a thorough risk assessment has been performed, management should consider revisiting the existing controls portfolio, starting with the entity-level controls. Carefully designed entity-level controls can reduce the number of supporting process-level controls that need testing. INSET: Communication Continues to Be Key. [ABSTRACT FROM PUBLISHER]