Section 404 of the Act requires each annual report of a public company to include a report by management on the company's internal control over financial reporting. This report should contain:
- A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company
- A statement identifying the framework used by management to evaluate the effectiveness of internal control
- Management's assessment of the effectiveness of internal control as of the end of the company's most recent fiscal year
- Disclosure of material weaknesses (A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement will not be prevented or detected.)
- A statement that its auditor has issued an attestation report on management's assessment
SOX 404 also requires the company's auditor to attest to, and report on, management's assessment of the effectiveness of the company's internal control over financial reporting.

Because SOX 404 focuses on internal control over financial reporting, it is important to understand what that means. "Internal control over financial reporting" is defined as a process designed by, or under the supervision of, the principal executive and principal financial officers, and effected by the board of directors and management, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. It includes those policies and procedures for maintaining accounting records, authorizing receipts and disbursements, and safeguarding assets.

Implementing SOX 404 -- Management's Assessment Process: Phase I

The process used by the management of public companies to assess the effectiveness of internal control over financial reporting as required by Section 404 of the Sarbanes-Oxley Act (SOX 404) can be divided into the following four phases:
- Phase I - Planning
- Phase II - Assessing Design Effectiveness
- Phase III - Assessing Operating Effectiveness
- Phase IV - Ongoing Monitoring
In Phase I, management needs to focus on the following key activities.

Identifying the Framework

The framework on which management's evaluation is based will have to be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment. The COSO report provides a suitable framework for this evaluation.

Identifying Significant Accounts and Disclosures

When identifying significant accounts and disclosures, it should be noted that an account is significant if there is more than a remote likelihood that the account could contain misstatements that individually, or when aggregated with others, could be material. Accounts also may be significant based on qualitative factors, such as susceptibility to loss due to errors or fraud; complexity of transactions processed through the account; likelihood of contingent liabilities arising from activities represented by the account; and existence of related-party transactions in the account. Similar criteria should be used to evaluate the significance of financial statement disclosures; however, as a practical matter, each footnote should normally be assumed to constitute a significant disclosure.

Identifying Relevant Financial Statement Assertions

For each significant account or disclosure, the next step is to identify relevant financial statement assertions. Relevant assertions are those that have a meaningful bearing on whether an account or disclosure is fairly stated, such as existence or occurrence, completeness, rights or obligations, valuation or allocation, and presentation and disclosure.

Identifying Significant Processes

Significant processes include processes over classes of major transactions that are significant to the financial statements (for example, sales, purchases, cash receipts/disbursements, payroll, physical inventories, etc.). The period-end financial reporting process should always be considered a significant process.

Implementing SOX 404 -- Management's Assessment Process: Phase II

The key activities in this phase involve documentation of processes and controls, and evaluation of the design effectiveness of internal controls over financial reporting.

Management's Documentation

For each significant process over a major class of transactions (for example, routine processes such as sales, purchases, cash receipts, cash disbursements and payroll), management must:
- Understand the flow of transactions within the process
- Identify points within the process where a misstatement could arise
- Identify controls that have been implemented to address potential misstatements
- Identify controls that have been implemented over the prevention or timely detection of unauthorized acquisition, use or disposition of assets
In addition to the routine processes, management should document significant non-routine and estimation processes. Management's documentation must describe how significant transactions are authorized, initiated, recorded, processed and reported. It must cover all relevant assertions related to all significant accounts and disclosures. The form and content of documentation varies based on the size, nature and complexity of the company, but must be adequate to support management's evaluation of internal control.

Evaluation of Design Effectiveness

The question that management must ask when evaluating the design effectiveness of internal controls over financial reporting is: Would the controls, if complied with, prevent or quickly detect errors or fraud that could result in material misstatement of the financial statements? To answer this question, the company must identify its control objectives in each area and the controls that satisfy each objective. We suggest first focusing on company-level controls that have a pervasive effect on process, transaction or application controls, such as:
- The control environment
- Audit committee oversight
- Management's risk assessment process
- Controls over the period-end reporting process
- IT general controls
Next, management should use procedures to specifically evaluate whether controls would prevent or detect material error or fraud. Such procedures include inquiry, observation and inspection of documentation. All of these procedures are used in performing a "walkthrough" of a transaction from its authorization to its inclusion in the financial statements. Walkthroughs help assure the completeness and accuracy of management's documentation. Evaluation of design effectiveness is critical because only properly designed controls are capable of operating effectively. The next article in this series will discuss management's assessment of operating effectiveness.

Implementing SOX 404 -- Management's Assessment Process: Phase III

Identifying Controls to Test

Management's assessment of operating effectiveness begins with identifying which controls to test. Although it is not necessary to test all controls, it is important to select controls that cover all relevant assertions related to all significant accounts and disclosures. It is also important to test both preventive and detective controls. Locations should be selected for testing based on individual importance and specific risks.

Examples of types of controls to test include:
- Controls over initiating, authorizing, recording, processing and reporting transactions
- Antifraud controls
- Controls over selection and application of accounting policies
- Controls over the period-end reporting process (These are always significant!)
- Controls over significant non-routine and estimation transactions
- Controls upon which other controls depend (e.g., IT controls)
Performing Tests of Operating Effectiveness

When testing the operating effectiveness of controls, determinations need to be made as to whether the control is operating as designed, and whether the person performing the control function possesses the necessary authority and qualifications. Tests of controls include inquiry, observation, inspection and re-performance. Inquiry alone does not provide sufficient evidence of operating effectiveness! Further, management may not use results of tests performed by its external auditors as a basis for its assessment. However, management may use the results of tests performed by internal auditors, other company personnel and third parties. Tests should occur during a period of time that is adequate to determine that the controls are operating effectively as of the date of the financial statements. Management may test some controls during interim periods and then obtain additional evidence about continued operating effectiveness through the "as of" date. However, tests of certain controls (i.e., controls over estimation transactions and period-end adjustments) should be closer to the "as of" date. Daily or transactional controls are susceptible to statistical sampling, while other types of controls are not. Management must communicate its conclusions about operating effectiveness to the audit committee and to the external auditors.

Implementing SOX 404 -- Management's Assessment Process: Phase IV

Action steps in this phase include:
- Establishing an ongoing Sarbanes-Oxley monitoring plan
- Updating documentation/information previously prepared
- Conducting ongoing tests of operating effectiveness
- Conducting separate evaluations as deemed appropriate
- Determining internal audit interaction
An important ongoing activity in this phase involves correcting control deficiencies. First, management must analyze all identified control deficiencies for both the nature of the deficiency and its cause. Was it a deficiency in design, or in the operating effectiveness of the controls? Could the deficiency result in a material misstatement of the financial statements? Management must take corrective action to remediate the deficiency. This could include redesigning the control, or retraining or replacing the individual who is responsible for the control function. Additional tests of operating effectiveness will be necessary to verify that the deficient control is operating effectively at the "as of" date. The resolution of each exception must be clearly documented. Corrections of control deficiencies made after year-end must not be considered in management's assessment of controls for the current year.

Remember that auditors must evaluate the documentation of internal controls over financial reporting. Inadequate documentation of the design of controls over relevant assertions related to significant accounts and disclosures would be a deficiency in the company's internal control over financial reporting. (As a result, we have concluded that the auditor should not assist in preparing the company's documentation.)

Implementing SOX 404 -- Auditor's Attestation

When implementing Section 404 of the Sarbanes-Oxley Act of 2002 (SOX 404), it is important for management of public companies to understand the requirements of the auditor. The Public Company Accounting Oversight Board has adopted Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements. This Standard addresses the attestation engagement referred to in SOX 404(b) as well as Section 103(a)(2)(A) of the Sarbanes-Oxley Act, and the relationship of this engagement to the audit of the financial statements. Auditing Standard No. 2 describes an integrated audit of the financial statements and internal control over financial reporting, resulting in two separate objectives:
- To express an opinion on whether the financial statements are fairly stated
- To express an opinion on management's assessment of the effectiveness of the company's internal control over financial reporting
Throughout the Standard, the auditor's attestation of management's assessment of the effectiveness of internal control is referred to as the audit of internal control over financial reporting. The auditor's conclusion about management's assessment will pertain directly to whether the auditor can agree with management that internal control is effective, not just to the adequacy of management's process for determining whether internal control is effective. The auditor must obtain evidence about whether internal control over financial reporting is effective by:
- Evaluating management's assessment process
- Obtaining an understanding of internal control over financial reporting
- Identifying significant accounts, relevant assertions, and significant processes
- Evaluating and testing the design of internal controls
- Evaluating and testing operating effectiveness
The auditor should evaluate management's assessment process as each phase is completed, or even as each step within a phase is completed -- not when the entire process is completed. The auditor will identify controls and their objectives, and will determine whether the controls, if operating properly, would effectively prevent or detect errors or fraud. The auditor's procedures will include inquiry, observation and inspection of relevant documentation. Walkthroughs will be performed for each major class of transactions to confirm the auditor's understanding of the design of controls and their operating effectiveness.

The auditor must evaluate the implications of the findings from the audit of internal control over financial reporting for the financial statement audit. Where controls are effective, the auditor may be able to alter the nature or timing, or reduce the extent, of substantive tests; however, the auditor must still perform substantive procedures for all relevant assertions related to all significant accounts and disclosures during the financial statement audit, and will consider the effect of each control deficiency in designing the nature, timing and extent of those substantive procedures. The auditor's report must include two opinions as a result of the audit of internal control over financial reporting: one on management's assessment and one on the effectiveness of internal control over financial reporting. Reporting and communication by management and the auditor are discussed in the final article of the Implementing SOX 404 series.

Implementing SOX 404 -- Reporting and Communication

Reporting and Communication by Management

Section 404 of the Act requires each annual report of a public company to include a report by management on the company's internal control over financial reporting. This report should contain:
- A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company
- A statement identifying the framework used by management to evaluate the effectiveness of this internal control
- An explicit statement as to whether internal control as of the end of the most recent fiscal year is or is not effective
- Identified material weaknesses that existed at the "as of" date
- A statement that its auditor has issued an attestation report on management's assessment
In addition to the annual requirements, public companies must disclose, in Item 9A of Form 10-K or Item 4 of Form 10-Q, changes in internal control over financial reporting during the most recent quarter that materially affected, or are likely to materially affect, the registrant's internal control over financial reporting.

Reporting and Communication by the Auditor

The auditor's report must include two opinions as a result of the audit of internal control over financial reporting: one on management's assessment and one on the effectiveness of internal control over financial reporting. The auditor is not permitted to conclude that the registrant's internal control over financial reporting is effective if there are one or more material weaknesses in the registrant's internal control. In the event of a material weakness, the auditor could express an unqualified opinion on management's assessment, so long as management properly identified the material weakness and concluded in its assessment that internal control was not effective. If the auditor concludes that a material weakness exists but management does not, and management therefore concludes in its assessment that internal control is effective, the auditor would render an adverse opinion on management's assessment. Prior to the issuance of the report, the auditor should communicate, in writing, directly to management and the audit committee any significant deficiency or material weakness that has been identified by the auditor and has not previously been communicated to management and the audit committee, in writing, by the auditor, the internal auditor or others within the entity.