Companies complying with Section 404 of Sarbanes-Oxley should, among other things, have internal experts develop the plan for documentation and testing; should maintain open and continuous communication between management and the internal and external auditors; and should include the external auditors in internal audit training sessions, according to a new report detailing 404 best practices.
Other leading practices for the company relationship with its auditor include setting reasonable milestones and conducting an annual debriefing, according to a report describing the 404 compliance practices of companies. The Financial Executives Research Foundation report is based on a discussion by 31 SOX 404 implementation leaders from 27 Fortune 500 companies on their experiences with 404 compliance during fiscal year 2004.
In addition to best practices for the relationship with the auditor, the report describes leading practices for organization structure; scope, documentation and testing; IT controls; the use of external resources; deficiency management; audit committee communications; Section 302/404 certification process; and management letter and reporting.
Rather than asking for initial guidance for 404 compliance from their external auditor in order to assure auditor independence, internal experts should develop a company's initial plan for documentation and testing and then get the external auditor to buy in to the plan, according to the report. Doing so may allow more external auditor reliance on the work of internal audit and management and would also allow the external auditors to provide comments and suggestions on the plan before too much work is done by the company.
Management should meet on a regular basis with its internal and external auditors so issues can be resolved without unnecessary delay and to eliminate the possibility of any surprises toward the end of the audit.
External auditors should be included in internal audit training sessions, because they should be able to rely more on testing done by internal audit if they have an opportunity to see how internal audit is trained in internal control testing procedures, according to the report.
The report also recommends setting reasonable milestones and holding both internal and external auditors more accountable to meeting those deadlines and conducting an annual debrief, which can be used to identify ways in which the audit can be done more effectively and more efficiently the following year. Management should provide a report on this debrief to the audit committee, according to the report.
The full report is available for $99 at
