Sarbanes-Oxley 404 Update #2
Overview of Sarbanes-Oxley Requirements (Section 404)

Background

In response to a series of financial reporting problems and the lack of apparent involvement in the financial process by members of senior management, Congress passed the Sarbanes-Oxley Act in 2002. Provisions of the Sarbanes Oxley Act (SOX) lay a foundation for restoring investor confidence in the integrity of public reporting. Building on that foundation, SOX Section 404, Management Assessment of Internal Controls, requires management to both take responsibility for maintaining an effective system of internal control and to report on the effectiveness of their internal control over financial reporting. Companies must also obtain an attest report from their independent registered public accountant regarding management’s assessment of internal control and the auditor’s own assessment of the effectiveness of the company’s internal control.

The Public Company Accounting Oversight Board (PCAOB), a private-sector non-profit corporation, was created as a part of SOX. The PCAOB was created to establish auditing standards for audits of public companies and oversee the auditors of public companies in order to protect the interests of investors and further the public interest in the preparation of informative and independent audit reports.

In June 2004, the PCAOB’s Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements, was released. This standard provides guidance to the external auditor on meeting the obligations for attesting to management’s report on internal control and issuing the auditor’s report on the company’s internal control. While this standard applies only to external auditors, management can use the guidance provided to external auditors to assist in their documentation and testing process. The complete Standard can be downloaded from http://www.pcaobus.org/

In summary, the Standard addresses the following topics:

Defining Internal Control

Determining a Framework to Conduct the Assessment

Management’s Responsibilities

Materiality Considerations

Fraud Considerations

Performing an Audit of Internal Control

• Planning
• Evaluating Assessment Process
• Obtaining an Understanding of the Internal Control Process
• Testing and Evaluating Design Effectiveness
• Testing and Evaluating Operating Effectiveness
• Using the Work of Others
• Forming an Opinion on the Effectiveness of Internal Control

Requirements for Written Representations

Relationship of an Audit of Internal Control over Financial Reporting to an Audit of Financial Statements

Documentation Requirements

Reporting on Internal Control Over Financial Reporting

Auditors Responsibilities for Evaluating Management’s Certification Disclosures

Required Communications

Several Appendixes

These topics will be addressed in more detail in future updates.

Management, the Board of Directors and the external auditors all have responsibilities under Section 404. A brief summary of these responsibilities is listed below.

Management Responsibilities in an Audit of Internal Control

Paragraph 20 of the Standard requires management to do the following:

• Accept responsibility for the effectiveness of the company’s internal control over financial reporting
• Evaluate the effectiveness of the company’s internal control over financial reporting using suitable control criteria
• Support its evaluation with sufficient evidence, including documentation
• Present a written assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the company’s most recent fiscal year.

Management is required to make certain representations as detailed in Paragraph 142 of the Standard.

Board of Director (Audit Committee) Responsibilities in an Audit of Internal Control

Audit Committee and Board of Director oversight is a key element in an entity’s control environment and the monitoring component of internal control. External auditors are required to assess the effectiveness of the audit committee within the context of obtaining an understanding about the client’s control environment and the monitoring of internal control. The Standard lists several items which should be considered by the auditors in assessing effectiveness (Standard paragraphs 57-59).

External Auditor Responsibilities in an Audit of Internal Control

The auditor’s objective in an audit of internal control over financial reporting is to express an opinion on management’s assessment of the effectiveness of the company’s internal control over financial reporting. To obtain a basis for expressing this opinion, the auditor must:

• Plan and perform the audit to obtain reasonable assurance about whether the company maintained effective internal control.
• Before issuing an opinion, the auditor must report in writing to management and the company’s audit committee all significant deficiencies and material weaknesses. In addition, management must be informed of all deficiencies in internal control over financial reporting (that is, those deficiencies in internal control over financial reporting that are of a lesser magnitude that significant deficiencies) identified during the audit and inform the audit committee when such a communication has been made.
• Issue a report attesting to management’s report, as well as, the external auditor’s own report on the effectiveness of internal controls.

Reporting Requirements

Annually

• Management must issue a report on internal control which states the responsibility of management to establish and maintain adequate internal control over financial reporting and contains an assessment, as of year-end, of the effectiveness of that system.
• External auditors must issue an opinion on management’s assessment and a second opinion on the auditors assessment of the company’s internal control system.

Quarterly

• Management must report on the effectiveness of an entity’s disclosure controls and procedures. Disclosure controls encompass all material financial and non-financial information in Exchange Act reports.

Effective date for Compliance with Section 404:

Accelerated filers are required to comply with the reporting and attestation requirements for fiscal years ended on or after 11/15/04. Other public companies will be required to comply with these requirements for fiscal years ending after 7/15/05.

Potential Compliance Challenges associated with Section 404

Several recent professional surveys have queried management to obtain an understanding of where some of the challenges exist in achieving compliance with Section 404. The items listed below were taken from the Deloitte Touche Tohmatsu publication Sarbanes-Oxley Section 404: Ten Threats to Compliance. A full copy of this publication can be downloaded from their website located at http://www.deloitte.com/

1. Lack of an entity-level, executive management led, internal control management program.
2. Lack of a formal risk management program.
3. Inadequate board and audit committee understanding of risk and control.
4. Deficiencies in documentation of current accounting policies and procedures.
5. Lack of controls and documentation over the IT environment.
6. Lack of formal controls over closing process, including financial reporting and disclosure process.
7. Inability to evaluate and test controls over outsourced processes.
8. Inadequate controls over non-routine, complex or unusual transactions, including mergers.

Management should review these areas early in the planning process to allow for sufficient time to remedy any potential deficiencies. If deficiencies remain unresolved, they may prevent management from successfully completing the 404 project.

Updates are designed to provide highly summarized information regarding general Sarbanes-Oxley and PCAOB Auditing Standard No. 2 information and are not intended to be a substitute for any official document. Please refer to the original source documents and other authoritative guidance provided by the SEC, PCAOB and others for more detailed information on these subjects