Internal Controls: Sarbanes-Oxley Act §404 and Beyond (Portfolio 5402)

Get More with the Full Portfolio Library

This Portfolio is part of the Accounting Policy and Practice Series, an essential resource including more than 70 accounting Portfolios and the latest news and developments.



Table of Contents

Detailed Analysis

I. The Concept of Internal Controls

Introductory Material

A. Definitions

1. Foreign Corrupt Practices Act

2. The Committee of Sponsoring Organizations of the Treadway Commission

3. Sarbanes-Oxley and Implementing Regulations

4. The PCAOB and the AICPA

5. A Proposed Conceptual Definition

B. Comparison of Definitions

1. Overview

2. Elements of the Definitions

a. Controls Do Not Create Business Success

b. Controls Are a Form of Risk Management

c. Controls Provide Only "Reasonable Assurance"

d. Actors Who Effectuate the Control System

e. Business Processes Affected by the Internal Control System

f. The Elements of Internal Controls

C. Internal Controls and Risk Management

D. Design of a System of Internal Controls

1. The Control Environment

a. The Linchpin of the Control Environment: Tone at the Top

b. Other Elements of the Control Environment

i. Organizational Structure

ii. Strength and Competence in Important Control Functions

iii. The Risk Appetite of the Enterprise

iv. Human Resources Practices

2. Specific Control Activities

3. Information and Communication

4. Monitoring

E. Case Study - Design of Controls for a New Industry

F. Case Study - Weak Controls at a Public Company?

II. Key Statutory Provisions of the Sarbanes-Oxley Act of 2002

Introductory Material

A. Summary of Key Statutory Provisions on Internal Controls

1. Section 404 - "Management Assessment of Internal Controls"

2. Section 302 - "Corporate Responsibility for Financial Reports"

3. Section 906 - "Corporate Responsibility for Financial Reports"

4. Section 103 - "Auditing, Quality Control, and Independence Standards and Rules"

5. Section 104 - "Inspections of Registered Public Accounting Firms"

6. Section 301 - "Public Company Audit Committees"

7. Section 307 - "Rules of Professional Responsibility for Lawyers"

8. Section 406 - "Code of Ethics for Senior Financial Officers"

9. Title II (Sections 201-209) - "Auditor Independence Rules"

B. New Tools for Detection, Deterrence, and Enforcement Under Sarbanes-Oxley

1. Detection: Protection of Whistleblowers From Retaliation Under Sections 806 and 1107

2. Deterrence: Certification of Financial Reports Under Sections 302 and 906

3. Enforcement

a. Civil Enforcement by the SEC: Forfeiture of Bonuses, Pay Freezes, and Remedies Under Sections 304, 1103, 305, and 1105

b. Criminal Penalties and Enforcement

i. Increased Penalties Applicable to Public or Private Companies

ii. Increased Penalties Applicable Only to Public Companies Under Sections 1104 and 906

iii. Increased Emphasis on Enforcement

c. Private Causes of Action by Employees and Investors Under Sections 806 and 306; Extension of Statute of Limitations Under Section 804

III. Sarbanes-Oxley Act Section 404 and Internal Controls Over Financial Reporting

Introductory Material

A. Management's Report on Internal Controls

1. Who is Subject to the Requirement?

2. When Does the Requirement Become Applicable?

3. What Must Management's Report Cover?

a. Definition of "Internal Controls"

b. Responsibility of Management

c. Conclusion on Effectiveness of Internal Control System

d. Framework for Evaluation

e. Auditor's Assessment

f. Location of Management's Report

g. Impact of Restatement on Management's Report

4. What Time Period Must Be Covered?

5. What Work Must Be Done to Support Management's Report?

a. Financial Reporting Risk Identification

(1) Identify Financial Reporting Risks

(2) Limit Evaluation to Significant Risk

b. Identification of Relevant Controls

(1) Documentation of Controls

(2) Type of Controls

(3) Entity-level Controls

(4) Technology Controls

c. Standards for the Evaluation of Controls

(1) Design and Operation

(2) Quality and Quantity

(3) Sufficiency of Evidence

(4) Evaluation of Operation

d. Evaluation and Disclosure of Deficiencies

(1) Evaluation of Deficiencies

(2) Disclosure of Material Weaknesses

e. Special Situations

(1) Consolidated Entities

(2) Equity Investments

(3) Acquisitions

(4) Use of Service Organizations

B. Section 302 Certification

C. Auditor's Attestation

1. Text of the Attestation

2. Work Underlying the Attestation

a. Planning the Audit

(1) Role of Risk Assessment

(2) Scaling the Audit

(3) Addressing the Risk of Fraud

(4) Using the Work of Others

(5) Materiality

b. Using a Top-Down Approach

(1) Identifying Entity-Level Controls

(a) Control Environment

(b) Period-end Financial Reporting Process

(2) Identifying Significant Accounts and Disclosures and Their Relevant Assertions

(a) Relevant Assertions

(b) Evaluate Quantitative and Qualitative Risk Factors

(c) Company With Multiple Locations or Business Units

(3) Understanding Likely Sources of Misstatement

(a) Objectives to Understanding Likely Sources of Misstatement

(b) Information Technology

(c) Performing Walkthroughs

(4) Selecting Controls to Test

c. Testing Controls

(1) Testing Design Effectiveness

(2) Testing Operating Effectiveness

(3) Relationship of Risk to the Evidence to Be Obtained

(a) In General

(b) Evidence Will Depend on Nature, Timing, and Extent of Testing

(1) In General

(2) Changes by Management Prior to As-of Date Affects Timing of Testing

(c) Roll-Forward Procedures

d. Evaluating Identified Control Deficiencies

(1) Evaluation of Severity of Deficiencies

(2) Indicators of Material Weaknesses

3. Wrapping-Up

a. Forming an Opinion

b. Obtaining Written Representations

4. Documentation

D. Required Communications Between Auditor and Management

E. Cost, Timing, Outsourcing, and the Concerns of Smaller Public Issuers

F. Disclosure of Negative Results

G. Conclusion

IV. Other Areas of Special Concern for Internal Controls

Introductory Material

A. Internal Audit

B. Corporate Counsel

C. Compliance With Laws

D. Disclosure Controls; Disclosure Committee Role

E. Information Technology Controls - General and Application Controls

F. Incentives for Employees

G. Agents Who Are Not Employees; Outsourcing - SAS 70

H. Disaster Preparedness; Business Continuity

V. Beyond Sarbanes-Oxley: The Legal Framework

VI. The Role of the Audit Committee in Overseeing Internal Controls

Introductory Material

A. Control Environment

B. Controls Over Financial Reporting and Disclosure

C. Controls Related to Compliance With Laws and Ethical Behavior

D. Controls Related to Business Performance

VII. Beyond Sarbanes-Oxley: Controls and Business Performance

Introductory Material

A. Operational Controls

B. Improving Controls and Performance

1. Improving the Design of Certain Controls

2. Centralizing Compliance Functions

3. Improving the Flow and Reliability of Information

Working Papers

Working Papers


Worksheet 1 Sample Template Used By A Major Accounting Firm for a Periodic Review of Select Internal Controls

Worksheet 2 Sarbanes-Oxley Act of 2002 § 302

Worksheet 3 Text of Required Certification With Respect to Internal Controls Over Financial Reporting Under Sarbanes-Oxley § 302 and Associated Regulations

Worksheet 4 Sarbanes-Oxley Act of 2002 § 906

Worksheet 5 Sarbanes-Oxley Act of 2002 § 103

Worksheet 6 PCAOB AUDITING STANDARD NO. 2 (Including Pertinent Developments Post-Issuance)

Worksheet 7 Sarbanes-Oxley Act of 2002 § 301

Worksheet 8 Sarbanes-Oxley Act of 2002 § 307

Worksheet 9 Sarbanes-Oxley Act of 2002 § 406

Worksheet 10 Sample Management Report on Internal Controls Over Financial Reporting Where Effective

Worksheet 11 PCAOB Flow-Chart for Determining Appropriate Testing for Multiple Locations and Business Units

Worksheet 12 Sample Management Report on Internal Control Over Financial Reporting Identifying Material Weakness(es)

Worksheet 13 [Reserved]

Worksheet 14 Mandated Elements of the Auditor's Report

Worksheet 15 Required Written Representations of Management to Support the Independent Auditor's Attestation Report

Worksheet 16 Sample of Companies Disclosing Remediation of a Material Weakness in Internal Controls

Worksheet 17 List of Significant Accounting Pronouncements Principally Discussed






Congressional Materials:

Securities and Exchange Commission

Public Company Accounting Oversight Board

U.S. Supreme Court Cases:

Other Federal and State Cases:

Other U.S. Government Materials:

American Bar Association



Financial Accounting Standards Board

Securities and Exchange Commission

Public Company Accounting Oversight Board