Sarbanes-Oxley, section 404 compliance: a structured, comprehensive approach.

Author: Ramos, Michael

Here's an approach that management can follow to evaluate and report on the company's internal controls in compliance with Section 404 of the Sarbanes-Oxley Act. It's the second in a series of articles that have been or will be published in various AICPA media.

In this article, we lay out a road map--a structured, comprehensive approach--which provides a first step toward alleviating some of the uncertainty about how to proceed in working with company management to evaluate and report on their internal controls in compliance with Section 404 of the Sarbanes-Oxley Act (SOX 404).

Building on what you already have

As with most large projects, it helps to break down the assessment of internal control into several smaller, more manageable tasks. The following tasks should be performed in order to assess internal control:

  1. Identify significant control objectives.

  2. Document each significant control.

  3. Test and evaluate the controls.

  4. Prepare the report.

With each of these steps, it is important to avoid reinventing the wheel. For example, some documentation of controls already exists. At many companies, internal auditors have tested and evaluated controls in certain areas. Management should consider all of the company's efforts relating to understanding and evaluating financial reporting processes and controls to see whether some of this work can be used in support of its SOX 404 compliance effort.

Many of the decisions that management makes about the performance and documentation of its assessment process will affect the audit engagement and its cost. Choices made by management that do not meet the needs or expectations of the auditors can significantly increase the costs of compliance, so it is vital that management work closely with the external auditors at each phase of the assessment process to ensure that the work performed by the company contributes to an effective and efficient audit.

Planning

Because of the scope and complexity of the SOX 404 compliance effort, as well as the uncertainty over what, exactly, is needed to comply, the internal control assessment process must be planned properly. The following key issues should be addressed early in the process:

* The project team. An effective project team will include people from a wide variety of disciplines, including information technology, operations, financial reporting, and auditing. Management may need to engage third parties to provide the required expertise and other resources necessary to document and test controls. In addition to forming the team, the CEO and CFO should determine how they will be involved and provide the oversight necessary to...
