How to Comply with Sarbanes-Oxley Section 404:
Assessing the Effectiveness of Internal Control
In addition to financial results, companies must now analyze and evaluate the quality of the processes and controls used to report these results. How to Comply with Sarbanes-Oxley Section 404 provides a comprehensive, logically structured approach to help readers test and evaluate internal control in their companies.
Preface.
Acknowledgments.
1. The Engagement Approach.
Management's Required Assessment of the Entity's Internal Control.
The Independent Auditor's Reporting Responsibilities.
A Structured, Comprehensive Approach for Evaluating Internal Control.
Considerations for Outside Consultants.
Appendix 1A: Action Plan: Structuring the Engagement.
Appendix 1B: Requirements for Management's Assessment Process: Cross Reference to Guidance.
Appendix 1C: Pre-Engagement Questioning Strategy and Example Questions.
2. Internal Control Criteria.
The Need for Control Criteria.
The COSO Internal Control Integrated Framework.
Information and Communication.
Monitoring.
Business Process Activities.
Controls Over Information Technology Systems.
Disclosure Controls and Procedures.
Appendix 2A: Example Value Chains.
3. Project Planning.
The Objective of Planning.
Information Gathering for Decision Making.
Information Sources.
Structuring the Project Team.
Coordinating with the Independent Auditors.
Documenting Your Planning Decisions.
Appendix 3A: Action Plan: Project Planning.
Appendix 3B: Summary of Planning Questions.
4. Identifying Significant Control Objectives.
Introduction.
Entity-Level Control Objectives Presumed to Be Significant.
System-Wide Monitoring.
Identifying Significant Activity-Level Control Objectives.
Coordinating with the Independent Auditors.
Appendix 4A: Action Plan: Identifying Significant Control Objectives.
Appendix 4B: Example Significant Control Objectives.
Appendix 4C: Map to the COSO Framework.
Appendix 4D: Map to the Auditing Literature.
5. Documentation of Significant Controls.
Documentation: What It Is and Is Not.
Assessing the Adequacy of Existing Documentation.
Documentation of Entity-Level Control Policies and Procedures.
Documenting Activity-Level Controls.
Coordinating with the Independent Auditors.
Appendix 5A: Action Plan: Documentation.
Appendix 5B: Evaluating the Design and Implementation of Sarbanes-Oxley Automated Compliance Tools.
Appendix 5C: Linkage of Significant Control Objectives to Example Control Policies and Procedures.
Appendix 5D: Documentation Example.
6. Testing and Evaluating Entity-Level Controls.
Introduction.
Internal Control Reliability Model.
Overall Objective of Testing Entity-Level Controls.
Testing Techniques.
Evaluating the Effectiveness of Entity-Level Controls.
Documenting Test Results.
Coordinating with the Independent Auditors.
Appendix 6A: Action Plan: Testing and Evaluating Entity-Level Controls.
Appendix 6B: Survey Tools.
Appendix 6C: Example Inquiries of Management Regarding Entity-Level Controls.
Appendix 6D: Guidance for Designing a Computer General Controls Review.
7. Testing and Evaluating Activity-Level Controls.
Introduction.
Assessing the Effectiveness of Design.
Operating Effectiveness.
Evaluating Test Results.
Documentation of Test Procedures and Results.
Coordinating with the Independent Auditors.
Appendix 7A: Action Plan: Documentation.
Appendix 7B: Example Inquiries.
Appendix 7C: Example Control Activities.
8. Reporting.
Annual and Quarterly Reporting Requirements.
Expanded Reporting on Management's Responsibilities for Internal Control.
Coordinating with the Independent Auditors and Legal Counsel.
Appendix 8A: Action Plan: Reporting.
Appendix 8B: Example Disclosures of a Material Weakness.
Appendix 8C: Example Reports on Management's Responsibilities for Reporting and Internal Control.
Index.