
SARBANES-OXLEY
SECTION 404
A TOOLKIT FOR MANAGEMENT AND AUDITORS

VOLUME 1
This volume addresses PwC risk management policies and audit
methodology and is for internal distribution only. This toolkit
volume should not be issued to clients or third parties.
Sarbanes-Oxley Section 404: An Introduction

On May 27, 2003, the Securities and Exchange Commission (SEC) voted to adopt final rules on Management's Report on Internal Control over Financial Reporting, as mandated by Section 404 of the Sarbanes-Oxley Act of 2002.

The final rules will be effective for fiscal years ending on or after June 15, 2004 for SEC registrants with a public float >$75 million, other than foreign private issuers; or for fiscal years ending on or after April 15, 2005 for other registrants, which includes small businesses and foreign private issuers.

Under Section 404, SEC registrants will be required to include with their annual filing:

- A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting;
- A statement identifying the framework used by management to evaluate the effectiveness of internal control;
- Management's assessment of the effectiveness of internal control as of the end of the company's most recent fiscal year end; and
- A statement that the company's external auditor has issued an attestation report on management's assessment.

Most US-based registrants will be required to meet the Section 404 requirements for fiscal years ending on or after June 15, 2004; April 15, 2005 for foreign registrants.

Canadian companies will be impacted by the new regulations in two ways. Foreign private issuers will be required to meet the new requirements starting in fiscal 2005. In addition, Canadian inbound subsidiaries of SEC registrants may be impacted by the new regulations for the 2004 fiscal year, based on the parent's assessment of the materiality of the subsidiary, in terms of the company's overall internal control structure.

The level of effort required by the audit team to conduct the attestation will depend primarily on the thoroughness of management's own assessment, and the level to which it is formally documented. Therefore, it will be beneficial and necessary for management and the auditor to work closely together to prepare for these requirements. In addition, while the extended implementation period may now cause some companies to re-evaluate their current readiness plans, the reality is that companies will ultimately need to address the requirements of this section, and they should not wait until the last minute for preparation. The extension provides companies with the opportunity to address control weaknesses prior to going live with the required 404 reporting requirements, including the possibility of performing a dry run before the deadline.

Action Plan: A Suggested Timeline

Timeline periods: 2003 Jul - Sept, Oct - Dec; 2004 Jan - Mar, Apr - Jun, Jul - Sept, Oct - Dec; 2005 Jan - Mar.

Major project activities, in sequence across the timeline:
- Project Initiation
- Documentation and Evaluation
- Remediation of Identified Gaps
- Attestation Dry Run
- Assertion and Attestation
A Roadmap for Section 404 Readiness

Steps
1. Risk Assessment
2. Map Financial Statement line items to cycles/processes
3. Agree upon key risks and controls
4. Document existing processes (detailed flowcharts and narratives)
5. Identify controls in place
6. Gap Analysis
   - Identify weaknesses
   - Assess impact
   - Identify compensating controls
   - Fill gaps
7. Test controls for effectiveness
8. Gap Analysis
9. Deliver completed package

Readiness approach (diagram): Financial Statements, then Cycles / Processes, then Controls, then Monitoring. Phases: Scoping; Risk Assessment; High Level Benchmark Approach; Controls Maturity Model; Data Collection (Inventory; Policies and Procedures); Controls Documentation; Gap Analysis and Remediation; Validation & Testing. Cycles covered include the Revenue Cycle, Purchasing Cycle and Treasury Cycle; COSO components addressed include the Control Environment, Information and Communication, and Monitoring Controls. Agree key risks and controls to be assessed.

Key Events: Project Launch; Re-assess; Test Plan; Deliver 404 Package.

Benefits: Sustainable and Scalable; Focused; Collaborative; Knowledge Transfer; Auditable Conclusions.

Team: Corporate; Business Unit; Internal Audit; External Audit.

The following conditions are necessary for an entity to be auditable under Section 404:
- Management accepts responsibility for the effectiveness of control
- Controls are suitably designed and implemented to achieve the control objective (reliability of financial reporting) using established criteria
- Control objectives and related controls need to be appropriately documented
- Management assesses the effectiveness of internal control over financial reporting and reports thereon (on both the design and operating effectiveness of controls)

Audit of Financial Statements versus 404 Controls Attestation

Audit of Financial Statements:
- Understanding and consideration of internal controls only to the extent necessary to develop the audit approach
- Overall objective is an opinion on the financial statements, not to opine on internal controls
- Internal control reports have been very rare in practice and are the subject of different attestation standards

Section 404 Attestation:
- 100% controls-based approach. No comfort from substantive/analytical procedures
- Must evaluate and test controls across business and functional areas to opine on effectiveness (broader and deeper)
- Lack of errors, or material adjustment, historically, in financial statements is not de-facto evidence onto itself, of an appropriate internal control structure

Some companies may already have substantial documentation of their internal controls, including internal audit files, formal policy and accounting procedures manuals, etc. Most companies, however, will not have completed a comprehensive evaluation of their internal controls across the organization. In addition, the existing documentation may not be adequate to meet the demands of SOX 404. As such, virtually all organizations will require a formal plan to address the new regulations.

The COSO Controls Framework

Control Environment
Sets tone of organization, influencing control consciousness of its people. Factors include integrity, ethical values, competence, authority, responsibility. Foundation for all other components of control.

Risk Assessment
Risk assessment is the identification and analysis of relevant risks to achieving the entity's objectives, forming the basis for determining control activities.

Control Activities
Policies/procedures that ensure management directives are carried out. Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.

Information & Communication
Pertinent information identified, captured and communicated in a timely manner. Access to internal and externally generated information. Flow of information that allows for successful control actions, from instructions on responsibilities to summary of findings for management action.

Monitoring
Assessment of a control system's performance over time. Combination of ongoing and separate evaluation. Management and supervisory activities. Internal audit activities.

Internal Control Framework


The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was charged in the mid
1980s with the responsibility of defining an effective framework for systems of internal controls. Since its
publication in 1992, the COSO framework has become widely accepted as the benchmark for establishing and
assessing a structure for internal controls.

Section 404 reporting requires that management's evaluation of internal controls be based on a suitable,
recognized control framework that is established by experts using due process; a process which includes the
broad distribution of the framework for public comment. COSO is recognized as an example of an acceptable
framework that would meet these criteria. The definition of internal control used in the final regulations also
makes reference to the COSO framework. Accordingly, it is widely agreed that the COSO framework will
become the established benchmark for Section 404 reporting.
Under the COSO framework, internal control is defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations

COSO identifies five components of control (control environment, risk assessment, control activities, information and communication, and monitoring) that need to be in place and integrated to ensure the achievement of each of these three objectives.

In preparing for Section 404 reporting, management will need to consider controls which address all five of these components.

(Pictured: Internal Control - Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission.) The COSO framework is recommended as the benchmark for SOX 404 reporting.

Assessing Controls

The most effective way to meet the enhanced legal requirements of Section 404 will depend on the size, nature and complexity of the entity, including the quality of business processes and internal control systems. Accordingly, it is recommended that an evaluation of the controls and procedures be made by developing an internal controls maturity analysis (see framework below). An internal controls maturity analysis can make it easier for a company to evaluate how its existing control structure impacts the level of effort required to meet its control reporting requirements. In addition, the level of maturity can have a significant impact on the level of additional effort that will be required by management and the external auditor to meet SOX 404 requirements, which would require a level of at least Monitored for significant controls.

Internal Controls Maturity Framework

Level 1: Unreliable
- Unpredictable environment where controls are not designed or in place

Level 2: Informal
- Controls are designed and in place but are not adequately documented
- Controls mostly dependent on people
- No formal training or communication of controls

Level 3: Standardized
- Controls are designed and in place
- Controls have been documented and communicated to employees
- Deviations from controls may not be detected

Level 4: Monitored
- Standardized controls with periodic testing for effective design and operation with reporting to management
- Automation and tools may be used in a limited way to support controls

Level 5: Optimized
- An integrated internal control framework with real time monitoring by management with continuous improvement (Enterprise Wide Risk Management)
- Automation and tools are used to support controls and allow the organization to make rapid changes to the control activities if needed

Companies with multiple business segments, geographic locations, or reporting units will need to determine which locations are relevant. Consideration should be given to the financial significance of the location, in terms of the potential for a material error, and the ability of the entity to commit the overall organization to financial risk. Specific risks that should be considered would include major systems changes, management turnover, a major acquisition, or a volatile business environment.

Individual locations or business units that are not individually significant may, when aggregated with other units, result in a group that could create a material misstatement. In this case, consideration should be given to whether there are entity-wide controls over this group of units that may provide comfort. The following decision sequence provides guidance on testing for companies with multiple locations:

Multi-Location Testing Consideration

1. Is the location or business unit individually important? Yes: evaluate documentation and test significant controls at each location or business unit. No: go to 2.
2. Are there specific significant risks? Yes: evaluate documentation and test controls over the specific risk. No: go to 3.
3. Are there locations or business units that are not important even when aggregated with others? Yes: no further action required for such units. No: go to 4.
4. Are there documented entity-wide controls over this group? Yes: evaluate documentation and test entity-wide controls over the group. No: some testing of controls at individual locations or business units is required.

Section 404 Preparedness and Attestation

The project plan is organized into phases for Management (Project Initiation and Planning; Risk Assessment and Prioritization; Documentation; Evaluation; Assertions and Financial Reporting) and for the Auditor (Attest Report). Each phase has objectives, key elements, and deliverables and work projects. Continuous Improvement and Project Management Support span the management phases; the auditor's work comprises Scoping, Understanding, Evaluating, Validating and Reporting.

Management: Project Initiation and Planning
Key Elements:
- Ensure that continuous education takes place, including: Requirements; COSO/Internal Controls
- Form project team and align objectives: Steering Committee; Stakeholders; Core Team
- Develop scope and project approach
- Develop training plan for core team members and stakeholders
- Establish documentation standards and templates (auditability requirements)
- Develop project and stakeholder communication plan
Deliverables and Work Projects: Project Charter; Project Plan; Training Plan; Communications Plan

Management: Risk Assessment and Prioritization
Objective: Map financial statements to business processes that drive financials and financial disclosures
Key Elements:
- Establish criteria to perform risk assessment of activities supporting financial statement accounts, considering: F/S Assertions; Balance; Complexity; Judgment
- Evaluate identified business processes and establish risk ranking
Deliverables and Work Projects: F/S to Business Process Map; Risk Assessment Ratings

Management: Documentation
Objective: Inventory existing internal control documentation for appropriate entities / business units, etc.
Key Elements:
- Compile an inventory of known internal control issues with financial reporting significance (internal audit, external audit, etc.)
- Develop and communicate documentation standards to project team
- Collect internal control documentation for each component of COSO
- Develop exception handling process for internal control issues disclosed in Evaluation Phase
Deliverables and Work Projects: Inventory of existing documentation; Documentation templates

Management: Evaluation
Objective: Review existing documentation for design effectiveness; test operating effectiveness of internal control
Key Elements:
- Determine current state of internal controls, assigning as-is maturity rating
- Execute testing and evaluate results
- Use exception handling process for issues encountered during control evaluation
- Review issues with management to obtain consensus on areas needing improvement
- Establish a plan, assigning responsibility and timeline for remediation efforts
Deliverables and Work Projects: Internal control evaluation findings; Remediation plan; Action Registry

Management: Assertions and Financial Reporting
Objective: Based on evaluation, document assertions on financial reporting, based on: Classes of transactions and events; Account balances; Presentation and Disclosure
Key Elements:
- Assess any known internal control weaknesses identified by management during their 302 certification process
- Provide 404 assertion to external audit firms
Deliverables and Work Projects: Management assertion

Auditor: Attest Report
Objectives: Review management's supporting documentation for 404 assertion; opine on management's assertions pertaining to financial reporting objectives
Key Elements:
- Design tests of client's key control procedures for attestations and make appropriate adjustments based on final 404 standards
- Leverage AT501 reporting guidelines
Deliverables and Work Projects: Controls evaluation documentation for internal use; Attestation report (and management assertion) filed annually with SEC
Project Methodology
In evaluating internal controls for the Sarbanes-Oxley 404 certification process, PwC recommends an
implementation plan for management that addresses the following critical tasks:

1. Form a project team to allocate responsibilities, assess resources, decide on an approach, and establish
timing

2. Collect data on the current controls environment, by assessing areas of risk and reviewing existing practices

3. Prepare an inventory of existing and available documentation

4. Evaluate internal controls and prepare a gap analysis to identify areas of concern requiring further follow up

5. Remediate the identified gaps and validate that these areas have been fully addressed

6. Continue to monitor progress of remediation efforts towards sign-off of 404 assertions by management

The table above further indicates the key elements of a Section 404 project plan, and identifies responsibilities for
both management and the external auditor.

Front cover: Lisandro Serrano. Photographed by: Pia Cosmelli.


© 2003 PricewaterhouseCoopers LLP, Canada. PricewaterhouseCoopers refers to PricewaterhouseCoopers LLP, Canada, an Ontario limited
liability partnership, or, as the context requires, the network of member firms of PricewaterhouseCoopers International Limited, each of which
is a separate and independent legal entity.
