Sarbanes-Oxley 404 Update #3

Available Resources, Automated Compliance Tools and the Use of Third Parties in the Evaluation Process


Available Resources

Numerous resources are available that can provide additional information and guidance in completing a Section 404 project. The following information represents only a sample of items available and is not intended to recommend or exclude any specific resources or organizations.

COSO Internal Control-Integrated Framework (published 1992). Although PCAOB Auditing Standard No. 2 does not define a specific framework for evaluating internal control, the framework described in the Standard is the COSO framework. The two-volume set contains “Evaluation Tools,” a series of points of focus to help the company analyze its internal control structure.

PCAOB Staff Question and Answers: Auditing Internal Control over Financial Reporting located at http://pcaobus.org/pcaob_standards.asp

SEC staff Management’s Report on Internal Control Over Financial Reporting and Disclosure in Exchange Act Periodic Reports: Frequently Asked Questions located at http://www.sec.gov/info/accountants/controlfaq0604.htm

COBIT (Control Objectives for Information and related Technology) Framework provides a generally accepted standard for information technology security and control practices. Published by ISACA (Information Systems Audit and Control Association and Foundation).

IT Control Objectives for Sarbanes-Oxley published by Information Technology Governance Institute (ITGI) in conjunction with ISACA. This publication is intended as a reference for IT professionals to help them understand management’s requirements and brings together the control components described in the COBIT framework with those described by COSO.


“Big 4” Publications (Refer to individual websites to access copies of Sarbanes-Oxley reference material)

  • PricewaterhouseCoopers
  • Ernst & Young
      ◦ Publication: Preparing for Internal Control Reporting: A Guide for Management’s Assessment under Section 404 of the Sarbanes-Oxley Act
      ◦ Publication: Evaluating Internal Controls: Considerations for Evaluating Internal Control at the Entity Level
      ◦ Publication: Evaluating Internal Controls: Considerations for Documenting Controls at the Process, Transaction, or Application Level
      ◦ Publication: Evaluating Internal Controls: Evaluating Overall Effectiveness, Identifying Matters for Improvement and Ongoing Assessment of Controls
      ◦ http://www.ey.com/
  • Deloitte
      ◦ Publication: Taking Control
      ◦ Publication: Moving Forward: A Guide to Improving Corporate Governance Through Effective Internal Control
      ◦ http://www.deloitte.com/
  • KPMG

Professional Associations/Business Publications

  • AICPA
  • Institute of Internal Auditors
  • CFO Magazine
  • ComputerWorld

Continuing Education Providers/Courses

  • AICPA
      ◦ Course 732480 Internal Control Reporting: A Practical Guide to the PCAOB Standard
      ◦ Course 732490 Internal Control Reporting: A Manager’s Guide to Surviving the Audit
      ◦ Course 732470 Internal Control Reporting: A Guide to Effective Documentation
  • SEC Institute

Publications

  • How to Comply With Sarbanes-Oxley Section 404: Assessing the Effectiveness of Internal Control by Michael Ramos © 2004.

Internet/Other Sources

  • General search engines can be used to obtain a variety of information on aspects of Sarbanes-Oxley compliance.
  • Protiviti at http://www.protiviti.com/
  • Frequently Asked Questions Regarding Section 404

Automated Compliance Tools

Several companies have developed computer software products to aid in complying with the internal control provisions of Section 404. These products range from automated checklists that aid in the documentation process to tools for testing and evaluating internal controls. Software prices range from free to over $100,000 (excluding any additional software or hardware upgrade costs needed), depending on the package selected.

Software packages generally fall into one of three categories (some packages will be more comprehensive than others). Categories include:

  • Documentation software: The purpose of this software is to assist the company in documenting its system of internal control. It can also be used to document the process of verifying the integrity of the controls.
  • Monitoring software: This type of software is designed to run alongside the company’s primary operating system and to observe and flag transactions that meet (or don’t meet) certain criteria.
  • Testing software: Testing software is used to create sampling lists to verify various processes.

Some considerations in purchasing a package:

  • Documentation of systems and controls should be adequate so that current and complete information is entered into the system (software packages do not create information; they only reflect the information input into the package).
  • The company must have the necessary hardware to run the program correctly.
  • The software should be able to interface with other software, as needed.
  • The company must have the ability to maintain information in the system and upgrade the software, as necessary.
  • The vendor must be a going concern.
  • If customization is important, this feature should be available in the software.
  • Price.
  • Available training.

With the above factors in mind, the company should have clear expectations about what the software will accomplish for the company and its information system requirements. Once the company has rated the critical software components, it should contact several vendors for software demonstrations or detailed product information. A matrix can be used to evaluate the software by vendor and criteria.

Many smaller companies are using simpler software for the first-year compliance requirements (Word, Excel, Access, Visio, etc.). As the SOX software market matures, it is anticipated that more cost-efficient software will be developed to aid small businesses in compliance.

Use of Third Parties in the Evaluation Process

Companies have the option of outsourcing some of the documentation and testing required under Section 404. The company should have a clear understanding with the outside consultant regarding the scope, responsibility and expectations of each party. Outsourcing does not relieve management of the responsibility of assessing the effectiveness of internal control.

The company’s registered accountant is limited in the amount of guidance it can provide in assistance with the Section 404 project. The registered accountant must be independent from the documentation and testing process, since it is required to issue a separate opinion on the reliability of the company’s system of internal control. This does not imply that communication should not exist between the company and its external auditors. Good communication is critical to the success of the Section 404 project. The company, however, must take responsibility for all decisions regarding the establishment and ongoing monitoring of the internal control system. Communication between the company and its auditor should be clear about the nature of the advice the company is seeking and the purpose for which the auditor is involved.

Updates are designed to provide highly summarized information regarding general Sarbanes-Oxley and PCAOB Auditing Standard No. 2 information and are not intended to be a substitute for any official document. Please refer to the original source documents and other authoritative guidance provided by the SEC, PCAOB and others for more detailed information on these subjects.


© 2006 GHP Horwath, P.C. All Rights Reserved.