THE ROBERTS COMPANY, LLC
3394 Holly Oak Lane
Escondido, California - 92027
Tel : 760.550.2160 Fax : 760.839.2160
Email : robertputrus@therobertsglobal.com
Website : www.therobertsglobal.com




Sarbanes-Oxley (SOX) Section 404 Compliance

If your answer is YES to any of the following questions, you need to contact THE ROBERTS COMPANY, LLC:

 
Must you comply with and maintain Sarbanes-Oxley Act Section 404?
Is your company planning for an Initial Public Offering?
Are you concerned about the Internal Controls within your company?
Does your IT function support your company business objectives?
Does your company have Fraud Protection Programs?

 


A. Overview of Sarbanes-Oxley Act - Section 404:

The Sarbanes-Oxley Act (SOX), Section 404, mandates that the SEC adopt rules requiring each publicly held company to include an internal control report. The report must contain management’s assertions regarding the effectiveness of the company’s internal control structure and procedures over financial reporting. Section 404 also requires the company’s auditor to attest to, and report on, management’s assessment of the company’s internal control over financial reporting in accordance with standards established by the Public Company Accounting Oversight Board (PCAOB).

Publicly held companies must articulate the following:

  • That the management of the company is responsible for establishing and maintaining adequate internal controls and procedures for financial reports.
  • The framework used by management as criteria for evaluating the effectiveness of the company’s internal control over financial reporting.
  • Management’s assessment as to the effectiveness of the company’s internal control over financial reporting based on management’s evaluation of it, at year-end, including the disclosure of any material weakness in the company’s internal control over financial reporting identified by management.

B. Sarbanes Oxley and the Adopted Standards

Adopted frameworks used in rendering Sec. 404 compliance services include the Committee of Sponsoring Organizations’ (COSO) framework and Control Objectives for Information and Related Technologies (COBiT).

1. The COSO Report

The most commonly used and understood framework for evaluating internal controls over financial reporting is contained in COSO’s report, Internal Control–Integrated Framework, which established a broad definition of internal control extending to all objectives of an organization. The report established three categories of controls: effectiveness and efficiency of operations; reliability of financial reporting; and compliance with laws and regulations.

COSO also identified five interrelated components that must be present and functioning to have an effective internal control system. Moreover, it describes the criteria for effective internal control mechanisms.

The rules for reporting under Sec. 404 indicate that management’s assessment of internal controls and procedures for financial reporting should be based on current auditing standards relating to internal control, which are consistent with the definition contained in the COSO report.

2. The COBiT Standard

COBiT is a 1996 open standard published by the IT Governance Institute and the Information Systems Audit and Control Association. It is an IT control framework built, in part, upon the COSO framework, and it provides a comprehensive approach for managing risk and control of information technology. COBiT comprises four domains, 34 IT processes and 318 detailed control objectives.

The framework is considered a gold standard and has been adopted worldwide by leading companies, financial institutions and even governments as a consistent approach to complying with SOX.

The reason it is considered a gold standard is that COBiT indicates good practices for the management of IT processes in a manageable and logical structure. This structure bridges the gaps between business risks, technical issues, control needs and performance measurement requirements.

C. Practical Approach to SOX Compliance

A well-planned Sec. 404 project may be segmented into seven phases:

1. Project planning and orientation
2. Corporate level control assessment
3. Process documentation and narratives
4. Develop individual control matrix
5. Develop remediation plan
6. Develop test procedures and test performance
7. Identify and implement remediation, then re-test

To learn more about Sarbanes-Oxley Section 404 Compliance, please contact us.




Copyright © 2008 - THE ROBERTS COMPANY, LLC