Commentary: The clock is ticking for Sarbanes-Oxley compliance

by J. Stephen McNally

Many companies are aggressively documenting, assessing and testing their internal controls for financial reporting and disclosure to ensure compliance with Section 404 of the Sarbanes-Oxley Act of 2002.

Even companies that are not required to comply with this law are reviewing their internal control environments, recognizing that adequate internal controls are a prerequisite for long-term business continuity. Thus, for many, 2004 has become the “Year of Internal Control.” The following provides insight into the key phases a company will pass through for Sarbanes-Oxley compliance.

Background
In July 2002, President Bush signed into law the Sarbanes-Oxley Act to restore trust in the public securities market after corporate debacles such as Enron and WorldCom. Specifically, the government enacted this law “to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.”

When fully implemented, this law is intended to improve corporate governance, promote ethical business practices, enhance the transparency of financial statements and disclosures, ensure that company executives are aware of material information emanating from their business, and hold management accountable for material information filed with the Securities and Exchange Commission and released to investors.

Sarbanes-Oxley consists of 11 titled sections and nearly 70 subsections. There has been significant press regarding the Public Company Accounting Oversight Board, auditor independence, corporate responsibility, and other sections of the law, but there has been limited focus on the six sentences that comprise Section 404 of the act.

Ironically, compliance with this brief section, titled “Management Assessment of Internal Controls,” might result in the most complex and costly endeavors. For example, the cost of dedicating numerous staff to document, assess and test one’s current internal control environment could be significant. There is the added cost if companies invest in third-party consultants and software to support their effort, and if internal control gaps are identified, there are the gap-remediation costs. External audit fees, too, are expected to significantly increase due to the external auditor’s new responsibilities.

Section 404 of Sarbanes-Oxley requires management to state their responsibility for establishing and maintaining adequate internal controls over financial reporting, including authorization and disclosure. Management must also include an assessment of the effectiveness of their company’s internal controls for the current fiscal year and identify the framework used to make this evaluation.

In other words, SEC-reporting companies must document and assess their current practice regarding financial reporting and disclosure, and then ensure that these control activities are operating as they were designed via validation testing.

Finally, once management has fulfilled its responsibilities, Section 404 requires the company’s external auditors to issue an attestation report on management’s internal control assessment.

Steps to compliance
As a company’s leadership works toward compliance with Section 404, the scope and magnitude of this effort will depend on the nature and complexity of their business. Even so, there are four key phases that all companies will pass through to reach compliance: planning, documentation and evaluation, validation, and external review and testing.

Planning phase
To begin, a company’s leadership must become familiar with the Sarbanes-Oxley Act itself, the rules issued by the SEC pursuant to Section 404, proposed auditing standards issued by the PCAOB, and other authoritative literature.

Next, management must develop a Section 404 compliance methodology and implementation strategy. Specifically, it must appoint a core team to manage the initiative, develop a project plan with key milestones, identify tools that will facilitate both capturing the company’s Section 404 documentation and progress tracking, and define the internal control framework.

As noted above, Section 404 requires management to identify the framework used to evaluate the effectiveness of its internal controls over financial reporting, authorization and disclosure. Many companies are adopting the internal control framework developed by the Committee of Sponsoring Organizations as a foundation, then customizing it based on company-specific processes, financial disclosures and risk history.

For example, you could structure your framework to include the major processes that capture all business and IT activities performed by the company and impacted by Section 404. Then, embedded within the context of these major processes, you could define specific internal control objectives that reflect management’s internal control expectations for each process.

After defining your company’s overall approach, you need to engage the broader organization. Depending on the nature and complexity of the company, there may be one centralized assessment, or there may be multiple levels of Section 404 documentation. For instance, each business unit or location may prepare its own local-level assessment.

Either way, formally train those involved in the initiative by providing background information, discussing your company’s methodology and approach, and clarifying your expectations regarding the local team’s roles, responsibilities and timelines.

Finally, the company’s external auditors should be engaged early in the planning phase to provide insight regarding their expectations and to ensure that they are comfortable with your methodology and approach.

Documentation & evaluation phase
Once the local Section 404 teams have been engaged and trained, the real work begins. Many companies are confident that their current financial reporting control environment is adequate, but documentation is often sparse or lacking. Significant time and resources, therefore, need to be spent adequately documenting and assessing a company’s current controls. This documentation should focus on key control activities, with enough process description to weave the controls together, and should address key questions such as who, what, when, where and how.

As a guiding principle, a team should strive for documentation that is “stand alone” and “auditable” to facilitate the external auditor’s eventual review.

There are several ways to facilitate the preparation of complete, high-quality Sarbanes-Oxley documentation.

First, clearly articulate the company’s documentation requirements and provide tools to support this effort, including templates, guidance to clarify the intent of each control objective, and several “gold standard” examples. In addition, include appropriate cross-functional subject matter experts in the documentation process, and assign process owners to review and approve all documentation related to each process. Finally, perform a quality review of local Section 404 team documentation.

After the company’s current control activities have been documented, they must also be evaluated for design effectiveness. “To be effective, internal controls must be designed properly, and all the controls necessary to provide reasonable assurance about the fairness of a company’s financial statements should be in place,” according to the PCAOB’s proposed auditing standard.

In other words, if you are doing everything that you said you are doing in terms of control activities, would it be enough to satisfy the given control objective? Or are you missing some or all of the control activities needed, resulting in a control gap? If the assessment is less than adequate, develop, document and ultimately implement a gap-remediation plan. Gap-remediation plans might entail two phases, including a manual approach to mitigate the gap in the short term and a more efficient approach to close the gap in the long term.

The overall goal is to identify and then mitigate all significant control weaknesses prior to financial year-end.

Validation testing
Once comfortable with the effectiveness of the company’s design of controls around financial reporting and disclosure, validation testing needs to be performed to ensure that these controls have been implemented and are operating as expected. In other words, you must confirm that people are actually doing what they say they are doing as it relates to Section 404 compliance.

The leadership team for a local business unit is ultimately accountable for its own internal control environment and, as such, should be responsible for testing the operating effectiveness of these controls. That said, some companies may perform validation testing at a local level, while other companies may leverage their internal audit team to perform this testing, or they may use a combination of the two approaches. By leveraging internal audit for testing, the local teams can focus on the documentation phase, and by working closely with the internal audit group, they can build their competency for future validation testing.

To confirm how the system of internal control is designed and operates at a given location, perform a walkthrough of all significant business processes. This walkthrough should include making inquiries and observing personnel involved in each process, reviewing key documents used in or resulting from key control activities, and comparing supporting documents to the accounting records.

Then, using these walkthroughs and an overall risk assessment of the significant business processes and financial statement accounts, determine which specific control objectives are critical. In other words, determine which subset of control objectives effectively demonstrates that an overall process is operating effectively.

You may determine, for example, that 60 percent of the control objectives comprising the “Sell Product” process are critical, and therefore only these control objectives need to be tested. For another process, however, you may determine that each control objective is critical, and each should be tested.

Once the scope of the controls to be tested has been determined, evaluate the local team’s documentation related to these critical controls for completeness, consistency and adequacy. In addition, evaluate the design of these critical controls, consider if there is an appropriate segregation of duties, and review control gaps and related remediation efforts as applicable.

While performing this evaluation, consider how each control objective can be most effectively tested. For example, the local team may have identified five distinct control activities that, in combination, satisfy the given control objective. To gain satisfaction that the controls are operating effectively, you may only need to test one or two of these distinct activities.

Finally, perform validation testing for the critical control objectives identified. Specifically, obtain evidence to validate the operating effectiveness of each critical control by interviewing appropriate company personnel, observing key control activities in operation, reviewing relevant documents, reapplying the control, and so on. To do so, determine the appropriate duration for and extent of the testing. For example, if your company operates on a calendar year and the validation testing begins July 1, the initial duration of the testing could be January 1 through July 1.

The extent of testing represents how many items are tested and is driven by the nature and frequency of a given control activity. Determine the appropriate extent of testing based on the PCAOB’s requirements for external auditor internal control attestations, likely increasing the scope versus these minimum standards.

External review & testing
The final step on the road to Section 404 compliance relates to the external auditor’s attestation on management’s assessment of the effectiveness of the company’s internal controls. An attestation “is an expert’s communication of a conclusion about the reliability of someone else’s assertion,” according to the PCAOB’s proposed standard.

To facilitate this attestation, the external auditor will need to evaluate the company’s Section 404 methodology and the approach that enabled management to make its overall assessment. Then the external auditors will need to gather evidence regarding the design and operating effectiveness of the internal controls, performing a walkthrough of significant processes, reviewing Section 404 documentation, and performing validation testing similar to your own review and testing.

Finally, the external auditor will need to determine if the evidence gathered supports or refutes management’s assessment, and then issue a formal opinion as to the fairness of this assessment. Specifically, external auditors are now required to issue two audit opinions: one regarding the company’s internal control over financial reporting and the other for the company’s financial statements themselves, consistent with the new requirement to perform an integrated audit.

Conclusion
Compliance with Section 404 will prove complex and costly. The road to compliance, however, begins with the planning phase, which includes defining the Section 404 methodology, approach and implementation strategy.

The leadership team then needs to document the company’s current control activities, evaluate these controls for design effectiveness, and perform validation testing to ensure that these controls have actually been implemented and are operating as expected. Finally, the external auditor must attest to the management team’s internal control assessment.

Easy, right? You better get to work — the clock is ticking....

J. Stephen McNally, CPA, is a director of finance for Campbell Soup Co.’s corporate controlling group and is a member of the Pennsylvania CPA Journal Editorial Board. Reach him at j_stephen_mcnally@campbellsoup.com. This article originally appeared in the Spring 2004 issue of the Pennsylvania CPA Journal, a publication of the Pennsylvania Institute of CPAs. Reprinted with permission.
