SARBANES-OXLEY
SECTION 404
A TOOLKIT FOR MANAGEMENT AND AUDITORS
VOLUME 1
This volume addresses PwC risk management policies and audit
methodology and is for internal distribution only. This toolkit
volume should not be issued to clients or third parties.
2118 SOX brochure 9/3/03 2:15 PM Page 2
Information & Communication
Pertinent information identified, captured and communicated in a timely manner. Access to internal and externally generated information. Flow of information that allows for successful control actions, from instructions on responsibilities to summary of findings for management action.

Risk Assessment
Risk assessment is the identification and analysis of relevant risks to achieving the entity's objectives, forming the basis for determining control activities.

Control Environment
Sets tone of organization, influencing control consciousness of its people. Factors include integrity, ethical values, competence, authority, responsibility. Foundation for all other components of control.
Section 404 reporting requires that management's evaluation of internal controls be based on a suitable,
recognized control framework that is established by experts using due process, a process which includes the
broad distribution of the framework for public comment. COSO is recognized as an example of an acceptable
framework that would meet these criteria. The definition of internal control used in the final regulations also
makes reference to the COSO framework. Accordingly, it is widely agreed that the COSO framework will
become the established benchmark for Section 404 reporting.
INTERNAL CONTROL - INTEGRATED FRAMEWORK
Under the COSO framework, internal control is defined as a process, effected by
an entity's board of directors, management and other personnel, designed to provide
reasonable assurance regarding the achievement of objectives in the following
categories:
internal controls maturity analysis (see diagram below). An internal controls maturity analysis can make it
easier for a company to evaluate how its existing control structure impacts the level of effort required to meet its
control reporting requirements. In addition, the level of maturity can have a significant impact on the level of
additional effort that will be required by management and the external auditor to meet SOX 404 requirements,
which would require a level of at least Monitored for significant controls.
Internal Controls Maturity Framework

Unreliable
- Unpredictable environment where control activities are not designed or in place

Informal
- Control activities are designed and in place but are not adequately documented

Standardized
- Control activities are designed, in place and are adequately documented

Monitored
- Standardized controls with periodic testing for effective design and operation, with reporting to management

Optimized
- Integrated internal controls with real time monitoring by management and continuous improvement

Level 1 Unreliable
Unpredictable environment where controls are not designed or in place

Level 2 Informal
Controls are designed and in place but are not adequately documented
Controls mostly dependent on people
No formal training or communication of controls

Level 3 Standardized
Key Elements

Ensure that continuous education takes place, including:
- Requirements
- COSO/Internal Controls
Form project team and align objectives:
- Steering Committee
- Stakeholders
- Core Team
Develop scope and project approach
Develop training plan for core team members and stakeholders
Establish documentation standards and templates (auditability requirements)
Develop project and stakeholder communication plan

Map financial statements to business processes that drive financials and financial disclosures
Establish criteria to perform risk assessment of activities supporting financial statement accounts, considering:
- Balance
- Complexity
- Judgment
- F/S Assertions
Develop project team understanding of Internal Control Maturity Framework
Evaluate identified business processes and establish risk ranking

Inventory existing internal control documentation for appropriate entities / business units, etc.
Compile an inventory of known internal control issues with financial reporting significance (internal audit, external audit, etc.)
Develop and communicate documentation standards to project team
Collect internal control documentation for each component of COSO
Develop exception handling process for internal control issues disclosed in Evaluation Phase

Review existing documentation for design effectiveness
Test operating effectiveness of internal control procedures
Determine current state of internal controls, assigning as-is maturity rating
Use exception handling process for issues encountered during control documentation evaluation
Review issues with management to obtain consensus on areas needing improvement
Establish a plan, assigning responsibility and timeline for remediation efforts

Based on evaluation, document assertions on financial reporting, based on:
- Classes of transactions and events
- Account balances
- Presentation and Disclosure
Provide 404 assertion to external audit firms

Review management's supporting documentation for 404 assertion
Design tests of client's key controls
Execute testing and evaluate results
Assess any known internal control weaknesses identified by management during their 302 certification process

Opine on management's assertions pertaining to financial reporting objectives
Leverage AT501 reporting guidelines
attestations and make appropriate adjustments based on final 404 standards
Project Methodology
In evaluating internal controls for the Sarbanes-Oxley 404 certification process, PwC recommends an
implementation plan for management that addresses the following critical tasks:
1. Form a project team to allocate responsibilities, assess resources, decide on an approach and establish
timing
2. Collect data on the current controls environment by assessing areas of risk and reviewing existing practices
4. Evaluate internal controls and prepare a gap analysis to identify areas of concern requiring further follow-up
5. Remediate the identified gaps and validate that these areas have been fully addressed
6. Continue to monitor progress of remediation efforts towards sign-off of 404 assertions by management
The table above further indicates the key elements of a Section 404 project plan, and identifies responsibilities for
both management and the external auditor.