Internal Controls: Sarbanes-Oxley Act §404 and Beyond (Portfolio 5402)

Product Code: TPOR45
$400.00 Print

Internal Controls: Sarbanes-Oxley Act §404 and Beyond, written by Simon M. Lorne, Esq., Kathleen Smalley, Esq., and Jeffrey L. Schultz, Esq., emphasizes a broad understanding of internal controls as a set of internal procedures of an enterprise providing reasonable assurances that an enterprise will meet its goals in all areas – rather than focusing solely on those procedures aimed at historical financial reporting.

Historically, internal controls were the domain of the internal auditor and limited largely to issues like segregation of duties over the bank account. But failures of controls on a massive scale – first, in the 1970s in bribery and kickbacks abroad, and, more recently and more dramatically, in the spectacular self-destruction of Enron, WorldCom, and other public companies – have changed the picture. Internal controls are now a hot topic for all businesses; auditors, often seen as the front line in internal controls, have become so much more glamorous that a Miss America contestant could express her desire to lead an internal audit department rather than work for world peace. Chief executive officers (CEOs) of publicly traded companies are rapidly (if sometimes reluctantly) becoming experts on internal controls.

The field of internal controls, broadly conceived, comprises all of the internal processes, checks, and balances that an entity employs in the effort to ensure that it meets its goals. Recent attention has been concentrated on the more limited field of internal controls over financial reporting, thanks to the focus of regulatory action under the Sarbanes-Oxley Act of 2002 (Sarbanes-Oxley). 

The concepts of internal controls, though, are best understood in a larger framework, and it is there that they offer the most promise for organizations in furthering their business goals.  

The central and most controversial of the Act's provisions, §404, together with the rules promulgated by the SEC, requires a public company's management to assess periodically, and report annually upon, the effectiveness of internal controls over financial reporting. Management's report must be accompanied by an opinion of the outside auditor attesting to the reliability of management's conclusions.

This Portfolio will first review the broad field of internal controls and then turn to statutory and regulatory developments under §404 of Sarbanes-Oxley. In keeping with the authors' view that internal controls transcend financial reporting, the Portfolio discusses several other key elements of internal controls mandated by Sarbanes-Oxley.  

This Portfolio also looks beyond Sarbanes-Oxley to consider other legal and auditing dimensions of internal controls as well as the role of various actors in implementing systems of internal controls. 

While the Sarbanes-Oxley Act is narrower in scope than the concept of internal controls, this Portfolio acknowledges the enormous impact of the legislation and analyzes a number of its provisions that touch on aspects of internal controls.  

The exact extent of the ultimate applicability of §404 to smaller public companies in particular remains in flux.  

Internal Controls: Sarbanes-Oxley Act §404 and Beyond allows you to benefit from:

  • Hundreds of hours of original research on specific tax planning topics from leading practitioners in this area.
  • Invaluable practice documents including tables, charts and lists.
  • Guidance from world-class experts.
  • Real-world and in-depth analysis that lets you explore various options.
  • Time-saving access to relevant sections of tax laws, regulations, court cases, IRS documents and more.
  • Alternative approaches to both common and unique tax scenarios. 

This Portfolio is included in the Accounting Policy & Practice Series, a comprehensive series of titles which explain, explicate, and offer commentary on a wide range of accounting and financial management topics, including revenue recognition, income taxes, leasing, business combinations, debt instruments, risk management, internal controls and more. 

Detailed Analysis

I. The Concept of Internal Controls

Introductory Material

A. Definitions

1. Foreign Corrupt Practices Act

2. The Committee of Sponsoring Organizations of the Treadway Commission

3. Sarbanes-Oxley and Implementing Regulations

4. The PCAOB and the AICPA

5. A Proposed Conceptual Definition

B. Comparison of Definitions

1. Overview

2. Elements of the Definitions

a. Controls Do Not Create Business Success

b. Controls Are a Form of Risk Management

c. Controls Provide Only "Reasonable Assurance"

d. Actors Who Effectuate the Control System

e. Business Processes Affected by the Internal Control System

f. The Elements of Internal Controls

C. Internal Controls and Risk Management

D. Design of a System of Internal Controls

1. The Control Environment

a. The Linchpin of the Control Environment: Tone at the Top

b. Other Elements of the Control Environment

i. Organizational Structure

ii. Strength and Competence in Important Control Functions

iii. The Risk Appetite of the Enterprise

iv. Human Resources Practices

2. Specific Control Activities

3. Information and Communication

4. Monitoring

E. Case Study - Design of Controls for a New Industry

F. Case Study - Weak Controls at a Public Company?

II. Key Statutory Provisions of the Sarbanes-Oxley Act of 2002

Introductory Material

A. Summary of Key Statutory Provisions on Internal Controls

1. Section 404 - "Management Assessment of Internal Controls"

2. Section 302 - "Corporate Responsibility for Financial Reports"

3. Section 906 - "Corporate Responsibility for Financial Reports"

4. Section 103 - "Auditing, Quality Control, and Independence Standards and Rules"

5. Section 104 - "Inspections of Registered Public Accounting Firms"

6. Section 301 - "Public Company Audit Committees"

7. Section 307 - "Rules of Professional Responsibility for Lawyers"

8. Section 406 - "Code of Ethics for Senior Financial Officers"

9. Title II (Sections 201-209) - "Auditor Independence Rules"

B. New Tools for Detection, Deterrence, and Enforcement Under Sarbanes-Oxley

1. Detection: Protection of Whistleblowers From Retaliation Under Sections 806 and 1107

2. Deterrence: Certification of Financial Reports Under Sections 302 and 906

3. Enforcement

a. Civil Enforcement by the SEC: Forfeiture of Bonuses, Pay Freezes, and Remedies Under Sections 304, 1103, 305, and 1105

b. Criminal Penalties and Enforcement

i. Increased Penalties Applicable to Public or Private Companies

ii. Increased Penalties Applicable Only to Public Companies Under Sections 1104 and 906

iii. Increased Emphasis on Enforcement

c. Private Causes of Action by Employees and Investors Under Sections 806 and 306; Extension of Statute of Limitations Under Section 804

III. Sarbanes-Oxley Act Section 404 and Internal Controls Over Financial Reporting

Introductory Material

A. Management's Report on Internal Controls

1. Who is Subject to the Requirement?

2. When Does the Requirement Become Applicable?

3. What Must Management's Report Cover?

a. Definition of "Internal Controls"

b. Responsibility of Management

c. Conclusion on Effectiveness of Internal Control System

d. Framework for Evaluation

e. Auditor's Assessment

f. Location of Management's Report

g. Impact of Restatement on Management's Report

4. What Time Period Must Be Covered?

5. What Work Must Be Done to Support Management's Report?

a. Financial Reporting Risk Identification

(1) Identify Financial Reporting Risks

(2) Limit Evaluation to Significant Risk

b. Identification of Relevant Controls

(1) Documentation of Controls

(2) Type of Controls

(3) Entity-level Controls

(4) Technology Controls

c. Standards for the Evaluation of Controls

(1) Design and Operation

(2) Quality and Quantity

(3) Sufficiency of Evidence

(4) Evaluation of Operation

d. Evaluation and Disclosure of Deficiencies

(1) Evaluation of Deficiencies

(2) Disclosure of Material Weaknesses

e. Special Situations

(1) Consolidated Entities

(2) Equity Investments

(3) Acquisitions

(4) Use of Service Organizations

B. Section 302 Certification

C. Auditor's Attestation

1. Text of the Attestation

2. Work Underlying the Attestation

a. Planning the Audit

(1) Role of Risk Assessment

(2) Scaling the Audit

(3) Addressing the Risk of Fraud

(4) Using the Work of Others

(5) Materiality

b. Using a Top-Down Approach

(1) Identifying Entity-Level Controls

(a) Control Environment

(b) Period-end Financial Reporting Process

(2) Identifying Significant Accounts and Disclosures and Their Relevant Assertions

(a) Relevant Assertions

(b) Evaluate Quantitative and Qualitative Risk Factors

(c) Company With Multiple Locations or Business Units

(3) Understanding Likely Sources of Misstatement

(a) Objectives to Understanding Likely Sources of Misstatement

(b) Information Technology

(c) Performing Walkthroughs

(4) Selecting Controls to Test

c. Testing Controls

(1) Testing Design Effectiveness

(2) Testing Operating Effectiveness

(3) Relationship of Risk to the Evidence to Be Obtained

(a) In General

(b) Evidence Will Depend on Nature, Timing, and Extent of Testing

(1) In General

(2) Changes by Management Prior to As-of Date Affects Timing of Testing

(c) Roll-Forward Procedures

d. Evaluating Identified Control Deficiencies

(1) Evaluation of Severity of Deficiencies

(2) Indicators of Material Weaknesses

3. Wrapping-Up

a. Forming an Opinion

b. Obtaining Written Representations

4. Documentation

D. Required Communications Between Auditor and Management

E. Cost, Timing, Outsourcing, and the Concerns of Smaller Public Issuers

F. Disclosure of Negative Results

G. Conclusion

IV. Other Areas of Special Concern for Internal Controls

Introductory Material

A. Internal Audit

B. Corporate Counsel

C. Compliance With Laws

D. Disclosure Controls; Disclosure Committee Role

E. Information Technology Controls - General and Application Controls

F. Incentives for Employees

G. Agents Who Are Not Employees; Outsourcing - SAS 70

H. Disaster Preparedness; Business Continuity

V. Beyond Sarbanes-Oxley: The Legal Framework

VI. The Role of the Audit Committee in Overseeing Internal Controls

Introductory Material

A. Control Environment

B. Controls Over Financial Reporting and Disclosure

C. Controls Related to Compliance With Laws and Ethical Behavior

D. Controls Related to Business Performance

VII. Beyond Sarbanes-Oxley: Controls and Business Performance

Introductory Material

A. Operational Controls

B. Improving Controls and Performance

1. Improving the Design of Certain Controls

2. Centralizing Compliance Functions

3. Improving the Flow and Reliability of Information

Working Papers

TABLE OF WORKSHEETS

Worksheet 1 Sample Template Used By A Major Accounting Firm for a Periodic Review of Select Internal Controls

Worksheet 2 Sarbanes-Oxley Act of 2002 § 302

Worksheet 3 Text of Required Certification With Respect to Internal Controls Over Financial Reporting Under Sarbanes-Oxley § 302 and Associated Regulations

Worksheet 4 Sarbanes-Oxley Act of 2002 § 906

Worksheet 5 Sarbanes-Oxley Act of 2002 § 103

Worksheet 6 PCAOB AUDITING STANDARD NO. 2 (Including Pertinent Developments Post-Issuance)

Worksheet 7 Sarbanes-Oxley Act of 2002 § 301

Worksheet 8 Sarbanes-Oxley Act of 2002 § 307

Worksheet 9 Sarbanes-Oxley Act of 2002 § 406

Worksheet 10 Sample Management Report on Internal Controls Over Financial Reporting Where Effective

Worksheet 11 PCAOB Flow-Chart for Determining Appropriate Testing for Multiple Locations and Business Units

Worksheet 12 Sample Management Report on Internal Control Over Financial Reporting Identifying Material Weakness(es)

Worksheet 13 [Reserved]

Worksheet 14 Mandated Elements of the Auditor's Report

Worksheet 15 Required Written Representations of Management to Support the Independent Auditor's Attestation Report

Worksheet 16 Sample of Companies Disclosing Remediation of a Material Weakness in Internal Controls

Worksheet 17 List of Significant Accounting Pronouncements Principally Discussed

Worksheet 18 PCAOB AUDITING STANDARD NO. 5

Bibliography

OFFICIAL

Statutes:

Regulations:

Congressional Materials:

Securities and Exchange Commission

Public Company Accounting Oversight Board

U.S. Supreme Court Cases:

Other Federal and State Cases:

Other U.S. Government Materials:

American Bar Association

UNOFFICIAL

AICPA

Financial Accounting Standards Board

Securities and Exchange Commission

Public Company Accounting Oversight Board

Publications:

Periodicals:

1996

2003

2004

2005

Simon Lorne
Simon M. Lorne, B.A., Occidental College (1967, cum laude; Phi Beta Kappa); J.D., University of Michigan Law School (1970, magna cum laude; Order of the Coif); partner, Munger, Tolles & Olson, LLP (1970-1993; 1999-2004); managing director, Salomon Brothers Inc., responsible for global internal audit (1996-1999); general counsel, Securities and Exchange Commission (1993-1996); has taught at the University of Pennsylvania, USC and NYU law schools; serves as co-director of the Directors' College, Stanford Law School; has lectured at Stanford University, University of Michigan, Cornell University and UCLA and frequently speaks on securities law and corporate governance matters; author, Acquisitions and Mergers: Negotiated and Contested Transactions (multi-volume treatise, West Securities Law Series), A Director's Handbook of Cases (CCH), and numerous articles in professional journals; currently Vice Chairman and Chief Legal Officer, Millennium Partners, L.P., a multi-strategy hedge fund. 
Jeffrey Schultz
Jeffrey L. Schultz, A.B., Princeton University (1990, magna cum laude); J.D., University of Virginia (1994); M.P.A., Kennedy School of Government, Harvard University (2004); associate, corporate and securities law, Shearman & Sterling LLP and Akin, Gump, Strauss, Hauer & Feld LLP; has served as general counsel of a start-up sports media venture; has contributed to a treatise on international debt markets, and is the author of a study on U.S. constitutional and foreign relations law; currently Assistant General Counsel, Millennium Partners, L.P. 
Kathleen Smalley
Kathleen Smalley, B.A., Rice University (1978, summa cum laude, Phi Beta Kappa); J.D., Harvard Law School (1981, magna cum laude); law clerk, Judge John Minor Wisdom, U.S. Court of Appeals, and Justice Sandra Day O'Connor, U.S. Supreme Court; Adviser, American Law Institute, Restatement (Third) Torts: Economic Torts; has served as general counsel of public and private companies and as trustee of a public pension fund, where she was a member of the audit committee and chair of the board governance committee; has taught at Harvard, Stanford, Yale, UCLA and SMU law schools; has lectured at Stanford Business School, UCLA's Anderson Business School, Columbia University's law and business schools and MIT's Sloan School; in private law practice, currently consults on real estate, finance, and corporate governance.