Sarbanes-Oxley Section 404 Update #6
Understand Internal Control at the Transaction Level

The identification and evaluation of significant accounts, processes and transactions will provide management with a significant amount of support for its overall assessment of the effectiveness of internal control over financial reporting.

Companies with multiple locations or business units will need to address these items for all significant locations (see Attachment 1).

Identify Significant Accounts and Disclosures

An account/disclosure is significant if there is more than a remote likelihood that the account could contain misstatements that individually, or when aggregated with others, could have a material effect on the financial statements, considering the risks of both overstatement and understatement.

Overall considerations include:

  • Identify at the financial statement level first, then at the account level
  • Use both quantitative and qualitative factors
  • Assessment as to the likelihood of misstatement is made without consideration of the effectiveness of internal control over financial reporting
  • Individual accounts can be comprised of components with differing risks requiring the breakdown of the account to a more detailed level (i.e. by type of inventory category)
  • Unrecognized obligations can make an account significant (i.e. off balance sheet)

Factors to include in identification process:

  • Size and composition of account/disclosure
  • Susceptibility of loss due to errors or fraud
  • Volume of activity, structure of individual transactions in the account
  • Nature of account/disclosure (suspense accounts warrant greater attention)
  • Accounting and reporting complexities associated with the account
  • Exposure to losses represented by the account
  • Likelihood or possibility of significant contingent liabilities arising from activities represented by the account
  • Existence of related party transactions
  • Changes from prior period in account characteristics

Identify Financial Statement Assertions Related to the Significant Accounts

After identifying the significant accounts and disclosures, management should identify the financial statement assertions (and relevance) for each significant account. COSO has identified the following assertions, but the company is not limited (or required) to use these assertions, and may select other more relevant assertions for its business.

  • Existence or occurrence
  • Completeness
  • Valuation or allocation
  • Rights and obligations
  • Presentation and disclosure

Relevance is determined by identifying the source of likely potential misstatements in each significant account. The following should be evaluated:

  • Nature of the assertion
  • Volume of transactions or data related to the assertion
  • Nature and complexity of the system of internal control

Assertions are important because they ultimately drive the testing and overall evaluation of individual controls. For each significant account there should be an effective control (or combination of controls) for each relevant assertion.

 

Identify Major Classes of Transactions

Major classes of transactions are those classes of transactions that are significant to the company’s financial statements. Major classes of transactions rarely are encompassed within a single process.

Different types of major classes have different levels of risk associated with them and require different levels of management involvement. Consider categorizing identified major classes of transactions by transaction type:

  • Routine transactions: recurring financial activities reflected in the accounting records in the normal course of business
  • Non-routine transactions: activities that occur only periodically
  • Estimation transactions: activities that involve management’s judgments or assumptions in formulating account balances in the absence of a precise means of measurement (i.e. reserve accounts)

 

Identify Significant Processes

Management should identify each significant process over each major class of transactions affecting significant accounts or groups of accounts.

Most processes require a series of tasks including:

  • Capturing the data
  • Sorting/merging data
  • Making calculations
  • Updating transactions or master files
  • Generating transactions
  • Summarizing and displaying data

For each significant process, management should obtain an understanding of the flow of transactions including how transactions are initiated, authorized, recorded, processed, and reported.

 

Identify Points in the Transaction Process where Errors can Occur

Each significant process should be examined for points where misstatements or errors in relation to each relevant assertion could occur. These points are used to assist management in the identification of the corresponding controls designed to address the potential misstatements or errors, including the prevention or timely detection of unauthorized transactions.

 

Identify Controls that Prevent or Detect Errors

Controls are established by management to help ensure that the objectives (financial, in an audit of internal control) of a company are reached. Controls are often identified during the assessment of significant accounts and processes.

Controls should address all relevant assertions for each significant account/disclosure, significant process or major class of transactions.

 

Sarbanes-Oxley Section 404 Update #6: Attachment 1

Special Considerations for Companies with Multiple Business Units/Locations

 

Identify Significant Locations/Reporting Units

Companies with multiple locations or reporting units must develop an approach which will identify the significant locations which will require further evaluation and testing. To determine the locations or business units for performing audit procedures, management should evaluate their relative financial significance and the risk of material misstatement arising from them.

At a minimum, entity level controls and the reasons supporting whether or not the location is determined to be significant should be documented for each location/unit.

The evaluation should include the identification of four types of location/unit combinations:

Locations/business units which are financially significant on an individual basis

  • Generally a small number of locations
  • Document and test company-level controls
  • Significant accounts and disclosures must be documented and tested
  • Evaluate shared service environment with primary company

Locations/business units which involve specific risks

  • Types of risks posed by unit may require documentation and testing
  • Risks creating the potential for a material misstatement should be documented and tested

Locations/business units which are significant only when combined with other units

  • Document and test company-level controls

Locations/business units which are not significant, even when combined

  • No further work is necessary

When determining the significant locations or business units and the controls to test, the following factors should be evaluated:

  • Relative financial significance of each location or business unit
  • The risk of material misstatement arising from each location or business unit
  • Similarity of business operations and internal control over financial reporting at the various locations/business units
  • Degree of centralization of processes and financial reporting applications
  • Effectiveness of the control environment, particularly management’s direct control over the exercise of authority delegated to others and its ability to effectively supervise activities at the various locations/business units. An ineffective control environment over the locations or business units might constitute a material weakness.
  • Nature and amount of transactions executed and related assets at the various locations/business units
  • Potential for material unrecognized obligations to exist at a location/business unit and the degree to which the location/business unit could create an obligation on the part of the company
  • Management’s risk assessment process and analysis for excluding a location/business unit from its assessment

Appendix B of the PCAOB Auditing Standard No. 2 provides additional guidance in the evaluation and testing of locations/business units.

 

Updates are designed to provide highly summarized information regarding general Sarbanes-Oxley and PCAOB Auditing Standard No. 2 information and are not intended to be a substitute for any official document. Please refer to the original source documents and other authoritative guidance provided by the SEC, PCAOB and others for more detailed information on these subjects.

 

 

 



© 2006 GHP Horwath, P.C. All Rights Reserved.