Industries
    Services
    Firm Information
    News
    Events
    Careers
    Global Network
 
 
 
 

Sarbanes-Oxley Section 404 Update #4
Initial Planning Considerations and Team Organization

Based on the complexity and size of the Section 404 compliance project, it is important for the project to be well planned and executed. Good planning can help identify any potential issues so that they can be resolved early and not affect management’s report on internal control. Good planning will allow the process to proceed efficiently, effectively, and will provide a clear understanding of the expectations for each member of the team.

Planning Objectives

  • Develop an overview of the project
  • Perform a preliminary analysis of the control structure
  • Organize the project team
  • Develop the project plan
  • Establish communication with external auditors
  • Document the planning process

1. Develop an Overview of the Project

PCAOB Auditing Standard No. 2 requires that an acceptable framework be established by management to assess internal control over financial reporting. The Standard does not specify a framework since several acceptable frameworks exist; however, the Standard references the COSO framework. (COSO is described in greater detail in Attachment 1).

Management must also:

Understand other internal control terms or concepts noted in PCAOB Auditing Standard No. 2: (These terms are described in greater detail in Attachment 2)

  • Internal Control Over Financial Reporting
  • Control Deficiency
  • Significant Deficiency
  • Material Weakness
  • Reasonable Assurance
  • Materiality

Identify Company Level Controls:

  • Key controls within the control environment
  • Risk (including fraud) assessment process
  • Data processing controls, including use of outside processors
  • Controls to monitor results of operations
  • Controls over the period-end reporting process

Understand other items which can have an effect on the project:

  • Business environment
  • Number of business locations or reporting units
  • Critical accounting policies
  • Current system, controls and existing documentation of internal control
  • Extent of involvement by the company’s Audit Committee
  • Previous internal control deficiencies noted by external auditors

 

2. Perform a Preliminary Analysis of the Control Structure

Preliminary research conducted during the overview process will result in a tentative assessment of the system of internal control. Understanding and being able to identify these items will have a direct effect on the nature and timing of future test-work. Several of these “entity level” concepts will be described in greater detail in Update #5.

3. Organize the Project Team

The organization of the team requires several considerations including:

  • Experience and technical knowledge of team members.
  • Authority to have access to information and ability to make decisions.
  • Time availability (based on the size of the project, some employees may need to be devoted full time to the project).

A team structure would typically include:

  • Team Sponsor -ideally a certifying officer (CEO/CFO) who would have the overall responsibility for the project. (Larger organizations should consider establishing a Project Steering Committee to oversee the project-see below)
  • Project Leader -a person who will oversee the project on a day-to-day basis, often the company controller.
  • Operating Representatives - these employees have a detailed knowledge of company operations and some of the risks and offsetting controls associated with the operating processes.
  • Technical or Subject Matter Specialists -these individuals (employees or consultants) provide specialized knowledge (such as human resources, information technology, etc.)
  • Testing Personnel- perform the detailed testing.
  • Evaluation Personnel- individuals who will evaluate the test results.
  • Others -as needed to make key decisions.

Due to the significance of the project, senior members of management should be involved at all stages of the project. The team should have access to and regular communication with the Audit Committee or Board designated sub-committee (if established) and the external auditors.

Depending on the size and complexity of the organization and project, consideration should be given to creating a Project Steering Committee who oversees several smaller teams such as the documentation team, testing team, etc. This committee would be comprised of members of senior management, selected Audit Committee members and other stakeholders who would control the overall development of the project.

4. Develop the Project Plan and Set the Project Scope

  • Define objectives (determine engagement process and approach)
  • Determine the scope of the project (identify significant process, accounts, etc. – (Will be described in greater detail in Update #6)
  • Establish a project timeline including activities and estimated completion dates
  • Assign team responsibilities including accountability and lines of reporting
  • Establish communication channels (external and internal)
  • Establish a process to resolve discrepancies or to create new procedures, as needed
  • Develop consistent standards for documenting, testing, evaluating and reporting
  • Identify external sources who may need to provide information
  • Create a reporting and certification process

5. Establish Communication with External Auditors

  • Communicate the outcome of the planning process to external auditors to obtain agreement on key planning matters
  • Maintain a written record of matters discussed with auditors and any pending or issues to be resolved

6. Document the Planning Process

Documentation of the planning process is important since it clarifies an understanding of the process with team members and provides a record of the items considered in the planning process. Since management is required to review the effectiveness of internal control, documentation of the initial (and subsequent) planning will contribute toward fulfilling this requirement. Documentation of the planning process will also assist the external auditors in their examination of the company’s system of internal control.

Items to document:

  • Items considered in planning process
  • Tentative conclusions regarding significant planning matters
  • Organization of project team and the project
  • Discussions with external auditors and Audit Committee

Note to the Reader: While the GHP Updates provide information in what appears to be a sequential order; many steps in the Section 404 compliance effort will be performed or assessed through-out the entire project. Information may be developed, identified, or events change which will require a reassessment of the company’s Section 404 process.


 

Sarbanes-Oxley Section 404 Update #4
Attachment 1

 

COSO

 

The Committee of Sponsoring Organizations (COSO) of the Treadway Commission published Internal Control-Integrated Framework which is regarded as the standard for most organizations to evaluate the internal control over financial reporting.

 

The COSO framework identifies three primary objectives of internal control:

 

  • Efficiency and effectiveness of operations -encompasses achieving the company’s basic business objectives, including profitability, performance and the safeguarding of assets.
  • Reliability of financial reporting -financial statements are prepared in accordance with generally accepted accounting principles.
  • Compliance with laws and regulations -applies to the company complying with applicable laws and regulations for which the company is subject to.

 

While the assessment of the effectiveness of internal control over financial reporting focuses on financial reporting, it is important to understand that controls implemented by management often achieve more than one objective. In addition, operations and laws and regulations which have a direct impact on the required disclosures in the financial statements are encompassed in internal control over financial reporting.

 

COSO identifies 5 components of internal control, each spanning the three objectives:

 

  • Control Environment -The individual attributes, including integrity, ethical values and competence of employees in an organization. Because of the pervasive effect of the control environment on the reliability of financial reporting, preliminary judgment about this component will influence the nature, timing, and extent of the tests of operating effectiveness.
  • Risk Assessment -The mechanisms established to identify, analyze and manage risks associated in the activities of a company. Management must identify the risks of material misstatement in the significant accounts and disclosures and related assertions of the financial statements and implement controls to prevent or detect errors or fraud that could result from the misstatements.
  • Control Activities -Controls that management has implemented to carry out the policies and procedures established by management to ensure that the company’s objectives are achieved.
  • Information and Communication -Systems that enable the company to capture and exchange information needed to operate the business.
  • Monitoring- Controls over monitoring including control activities which have been designed to prevent or detect material misstatement in the accounts and disclosures and related assertions of the financial statements.

 

Each component is relevant to all companies although their implementation may be different from company to company.


Sarbanes-Oxley Section 404 Update #4
Attachment No. 2

 

Term Definitions (Reference PCAOB Auditing Standard No. 2)

 

Internal Control over Financial Reporting - a process designed by, or under the supervision of, the company’s principal financial officers, or persons performing similar functions, and effected by the company’s board of directors, management, and other personnel to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes policies and procedures that:

 

  • Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company

 

  • Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles , and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company

 

  • Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company’s assets that could have a material effect on the financial statements.

 

Control Deficiency -A deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

 

Significant Deficiency -A control deficiency or combination of control deficiencies that adversely affects the company’s ability to initiate, authorize, record, process, or report external financial data reliability in accordance with GAAP such that there is more than a remote likelihood that a misstatement of the company’s annual or interim financial statements that is more than inconsequential will not be prevented or detected.

 

Material Weakness -A significant deficiency or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.

 

Reasonable Assurance -Management’s assessment of the effectiveness of internal control over financial reporting cannot provide absolute assurance of achieving financial reporting objectives. The concept of reasonable assurance includes the understanding that there is a remote likelihood that material misstatements will not be prevented or detected on a timely basis.

 

Materiality -A threshold used in the evaluation process to determine the significance of an item. Something is considered to be materially misstated if the effect-individually or in the aggregate is important enough to cause the financial statements not to be presented fairly, in all material aspects in conformity with generally accepted accounting principles. In the planning and evaluation process, it is used to determine if a deficiency or combination of deficiencies in controls is a significant deficiency or material weakness. Materiality is considered at both the financial statement level and individual account balance level.

 

 

Updates are designed to provide highly summarized information regarding general Sarbanes-Oxley and PCAOB Auditing Standard No. 2 information and are not intended to be a substitute for any official document. Please refer to the original source documents and other authoritative guidance provided by the SEC, PCAOB and others for more detailed information on these subjects.

  

 

 


Disclaimer | Privacy Policy

© 2006 GHP Horwath, P.C. All Rights Reserved.