Page 1: Us Assur TakingControlAug2004

A Guide to Compliance with Section 404 of the Sarbanes-Oxley Act of 2002

Taking Control


As used in this document, the term "Deloitte" includes Deloitte & Touche LLP and Deloitte Consulting LLP.

Although this publication contains information on compliance with Sarbanes-Oxley section 404, it is neither a comprehensive nor an exhaustive treatment of the topic. This publication contains general information only and should not be relied upon for accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect you or your business. Before making any decision or taking any action that may affect you or your business, you should consult a qualified professional advisor. The information contained in this publication likely will change in material respects; we are under no obligation to update such information. Neither Deloitte & Touche LLP, Deloitte Touche Tohmatsu nor any of their affiliates or related entities shall have any liability to any person or entity who relies on this publication.


Table of Contents

Part One: Introduction

1.1 Are You Ready For Taking Control? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

1.2 How to Read Taking Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Part Two: Executive Overview

2.1 A Bridge to Excellence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

2.2 Start with the End in Mind . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

2.3 The Independent Auditors’ Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2.4 Lessons Learned . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Part Three: Implementation Guide

3.1 The Practical Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

3.2 Why You Should Read This Implementation Guide . . . . . . . . . . . . . . . . . . . . . . . . . . 7

3.3 Keep It Simple . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

3.4 Build the Foundation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

3.5 Scope the Project . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

3.6 Establish Objectives and Identify Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

3.7 Controls in Action (Part I) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

3.8 Evaluate the Design of Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

3.9 Controls in Action (Part II) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

3.10 Test the Operating Effectiveness of Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

3.11 Controls in Action (Part III) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

3.12 Create an Effective Control Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

3.13 Communicate Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

3.14 Monitor the System of Internal Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

3.15 Report on the Effectiveness of Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Part Four: Appendix

Appendix A: What is Internal Control Over Financial Reporting? . . . . . . . . . . . . . . . . . . . i

Appendix B: Defining Deficiencies and Weaknesses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i

Appendix C: Sample Control Environment Objectives and Activities . . . . . . . . . . . . . . . . . ii

Appendix D: Sample Information and Communication Objectives and Activities . . . . . . v

Appendix E: Sample Monitoring Objectives and Activities . . . . . . . . . . . . . . . . . . . . . . . . . vi

Appendix F: COSO — The Sequel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii

Appendix G: Not Sure if You are an Accelerated Filer? . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii


1.1 Are You Ready For Taking Control?

Establishing a robust system of internal control — one that invokes the intent of the Sarbanes-Oxley Act and all the related Securities and Exchange Commission (SEC) rules and Public Company Accounting Oversight Board (PCAOB) standards — is not a task for the uninformed. If you truly want to “take control” of your Sarbanes-Oxley section 404 compliance effort, education must precede implementation.

In order to get the most out of this publication — and, more importantly, out of your section 404 compliance effort — you need a base level of knowledge. Taking Control assumes a certain level of understanding and sophistication on the part of the reader. “Sarbanes-Oxley 101” it's not. As a prerequisite to this document, you should have familiarity with the following:

• SEC's final rules on Sarbanes-Oxley section 404 [1]

• PCAOB's auditing standard on Sarbanes-Oxley section 404 [2]

• Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Internal Control — Integrated Framework publication [3]

• Deloitte & Touche LLP’s point of view on Sarbanes-Oxley compliance, A Bridge to Excellence [4]

• Deloitte's Moving Forward guide to corporate governance and internal control [5]

1.2 How to Read Taking Control

Recognizing a diverse readership with varying needs, we have split this publication into four main sections:

1. This Introduction

2. The Executive Overview, which broadly describes the rationale, objectives, methodology, and philosophy of a well-designed Sarbanes-Oxley section 404 project. Also included are “lessons learned,” practical advice gleaned from our field experience in hundreds of Sarbanes-Oxley section 404 projects. Here you'll gain insight into how to properly align and prioritize your project, and will be warned of common pitfalls. Who should read this section? Anyone with responsibility for any facet of a section 404 project, from board members to the leadership team to the project team.

3. The Implementation Guide, which provides detailed, step-by-step recommendations for implementing a system of internal control to meet the requirements of Sarbanes-Oxley section 404. Readers of this section should include those directly involved in the section 404 readiness and compliance work. Also, companies that have not yet begun to develop their system of internal control, such as non-accelerated filers and foreign private issuers, may benefit from a cover-to-cover reading of this section. Organizations that are further along with their internal control project may opt to pick and choose cafeteria-style from the material in this section, either to measure their progress or to ensure quality control.

4. The Appendix, which contains supplementary information, sample forms, glossary, and reference material.

Part One: Introduction

If you truly want to “take control” of your section 404 project, education must precede implementation.

[1] “Final Rule: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports,” U.S. Securities and Exchange Commission, 2003. Electronic copy can be viewed at: http://www.sec.gov/rules/final/33-8238.htm.

[2] “Release No. 2004-001: Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements,” Public Company Accounting Oversight Board, 2004. Electronic copy can be viewed at: http://www.pcaobus.org/rules/Release-20040308-1g.pdf.

[3] “Internal Control — Integrated Framework,” Committee of Sponsoring Organizations of the Treadway Commission, copyright 1992, 1994. Executive summary and ordering information for full document available here: http://www.coso.org/publications/executive_summary_integrated_framework.htm.

[4] “Deloitte's Point of View - Sarbanes-Oxley Compliance: A Bridge to Excellence,” Deloitte Development LLC, copyright 2004. Electronic copy can be viewed at: http://www.deloitte.com/us/pov. Hard copies also available from your Deloitte professional.

[5] “Moving Forward: A Guide to Improving Corporate Governance Through Effective Internal Control,” Deloitte Development LLC, copyright 2003. Electronic copy can be viewed at: http://www.deloitte.com/us/movingforward. Hard copies also available from your Deloitte professional.


2.1 A Bridge to Excellence

As you scramble to address the mandates of the Sarbanes-Oxley Act, you may find yourself enmeshed in a process that favors speed over deliberation. The basic work gets done, but at the cost of context and perspective.

Fortunately, while assisting with hundreds of Sarbanes-Oxley section 404 projects, we at Deloitte have gained valuable insights. Here’s the most important: Compliance is not the endgame.

That’s not to say compliance isn’t critical, because quite obviously it is. But a much greater reward can be earned by using Sarbanes-Oxley as a bridge to excellence. Your approach holds the key: If you focus on complying only with the letter of the law — doing just enough to get by — you may find yourself in a quagmire of bloated controls, burgeoning expenses, and enduring headaches. But if you embrace the spirit of the law — strong ethics, good governance, reliable reporting — you just may get a re-energized company, reassured investors, and maybe even reduced costs.

That’s right — reduced costs. Now, we aren’t claiming that your section 404 readiness and compliance work won’t be expensive, because surely it will be. But at the same time, if you leverage your compliance effort to include a hard look at business processes and systems, you will almost certainly find unnecessary complexities and redundancies in controls that, if eliminated, can cut costs, sometimes dramatically.

Call it the Sarbanes-Oxley paradox: Wholeheartedly embracing the law can be less expensive than grudgingly accepting it.

2.2 Start with the End in Mind

Meeting the requirements of section 404 of Sarbanes-Oxley is akin to planning a business trip: You can’t book your flight until you’ve chosen your destination. Similarly, you can’t plan for section 404 compliance until you know where you’re heading. In both cases, you should start with the end in mind.

The “end” of the section 404 compliance process arrives when management and the independent auditors issue their reports in the company’s annual report. (Of course, “end” is a relative term in this context; in fact, section 404 compliance must be maintained in perpetuity.)

Although the SEC has not scripted the precise language for management’s internal control report, the commission has indicated that the report should contain the following:

• a statement acknowledging your responsibility for establishing and maintaining adequate “internal control over financial reporting” (for a definition, see Appendix A)

• a statement identifying the internal control framework you used to conduct your evaluation of the effectiveness of internal control over financial reporting (which, in most cases, will be the COSO [6] framework)

• an assessment of the effectiveness of your company's internal control over financial reporting as of the end of your most recent fiscal year. (Included here is probably the most critical part of the assertion: a statement as to whether or not your company's internal control over financial reporting is effective.)

• disclosure of any “material weaknesses” (see Appendix B for a definition) in your company's internal control over financial reporting. (Note that if there are any disclosed material weaknesses, then you are not permitted to conclude that your internal control over financial reporting is effective.)

• a statement that your independent auditors have issued a report on your assessment of internal control over financial reporting

With the heightened need for good corporate governance, financial reporting integrity and clarity, and information quality — and under the current intense public market and regulatory scrutiny — false, incomplete, or misleading statements may prove problematic. In management’s internal control report, you are making representations required and enforceable by law and regulation regarding the effectiveness of your internal control over financial reporting. Care should be taken to get it right.

Part Two: Executive Overview

If you embrace the spirit of the law — strong ethics, good governance, reliable reporting — you just may get a re-energized company, reassured investors, and maybe even reduced costs.

[6] “Internal Control — Integrated Framework,” Committee of Sponsoring Organizations of the Treadway Commission, copyright 1992, 1994. Executive Summary and ordering information for full document available here: http://www.coso.org/publications/executive_summary_integrated_framework.htm.


2.3 The Independent Auditors’ Role

While you are busy assessing your internal control over financial reporting, your independent auditors will be working in parallel fashion, evaluating and testing the effectiveness of all five components of the COSO framework. And just as you are required to assess your system of internal control with due diligence, so too are your independent auditors. Thus, they will conduct a vigorous audit of your internal control, encompassing both a telescopic and microscopic view, from the overall control environment to the functioning of specific controls (and all of the other COSO components).

If your independent auditors find everything in order, you’ll receive an unqualified opinion on the effectiveness of your internal control over financial reporting and the effectiveness of your assessment process over the same.

But what if your independent auditors identify a material weakness? In that case, instead of an unqualified opinion, you may receive an adverse opinion from your independent auditors. Such an outcome could carry considerable negative ramifications.

2.4 Lessons Learned

Deloitte has assisted a variety of companies with section 404 readiness and compliance work. Along the way, we’ve picked up a wealth of Sarbanes-Oxley-related wisdom, the most important being that your compliance effort must be well-thought-out and executed. We find that in their haste, many companies overlook the things that created the impetus for Sarbanes-Oxley in the first place. Here’s a summary of lessons learned:

Get Your Priorities Right

In the course of our Sarbanes-Oxley-related work, we have observed the enthusiasm and eagerness of our clients. Unfortunately, this spirit has sometimes fueled a “fire, ready, aim” approach to section 404 work. Companies understandably want to dive right into documenting, evaluating, testing, and remediating their process-level controls.

While we concur that these tasks form a critical and time-consuming part of any section 404 project, we contend that they aren’t the first steps. What’s needed is not a rush forward but rather a step back — one that gives a broader view and permits careful planning of the project.

Don’t allow a “let’s-get-it-done” attitude to drive your compliance effort. Conduct your work in a thoughtful way. Pay heed to how you orient, prepare, and enable your teams. Focus on the things that could create a material weakness, such as an ineffective control environment or lack of controls over non-systematic transactions.

As noted earlier, a thorough understanding of Sarbanes-Oxley and COSO is a prerequisite to getting your project done in a proper, timely, efficient, and economical fashion.

Encourage Audit Committee Oversight

The audit committee should be a key player in any effective 404 compliance effort. Indeed, regulatory agencies see audit committee participation as essential: Section 301 of Sarbanes-Oxley requires all exchange-listed companies to have an audit committee, and many private companies have chosen to establish audit committees as well. In addition, your independent auditors will seek evidence of audit committee oversight.

Beyond selecting and supervising the company’s independent auditors, the audit committee should review financial reports for completeness and accuracy, and should facilitate discussions among management, the independent auditors, and internal auditors about issues of quality and integrity.

Therefore, you should make sure that the committee’s involvement is deep and continuous. Keep members periodically updated. Seek input on areas of project focus. The committee can add real value to the process through objective oversight and seasoned perspective.

Strengthen the Control Environment

Business scandals may have been the impetus for Sarbanes-Oxley, but good governance isn’t just about averting the next case of corporate fraud. Rather, it’s about leading an organization in the right way: placing proper emphasis on corporate ethics, training employees on their responsibilities for internal control, creating an ethical tone at the top, and providing suitable role models for employees.

Not coincidentally, these are all components of the control environment, which forms the foundation of internal control. The control environment is the universe in which all the other elements exist; it encompasses every aspect of internal control. The control environment provides discipline and structure; encompasses the ethical values and competence of both management and employees; and includes management philosophy and operating style. It embodies the delegation of authority and responsibility; is found in the way management organizes and develops its people; and is seen in the attention and direction provided by the board of directors. The control environment is present in the overall culture of the company, and includes such concepts as attitude, awareness, competence, and style.

Don’t let the voluminous rules and standards and the urge to focus on process-level controls obscure the fact that everything flows from the control environment. Quite simply, if you haven’t established a corporate culture that supports “doing the right thing,” then you won’t attain good governance.

Across industries and geographies, in companies large and small, certain elements of an effective control environment remain constant. Here are a few:

• Integrity and ethical values: Management should demonstrate an unwavering commitment to character, integrity, and ethical values.

• Commitment to competence: In addition to advancing your business objectives, a knowledgeable, well-trained workforce will also help maintain a strong control environment. Ensure that all employees are aware of the high ethical standards and are not afraid to speak up when something looks strange, unusual, or wrong.

• Active board of directors/audit committee: Revitalize your board with an eye toward highly credentialed, scrupulously independent members. Today’s boards are expected to be active and diligent, to ask the tough questions, and to take swift and appropriate action. Boards should take an active oversight role in the execution of the company’s section 404 compliance effort.

• Management’s philosophy and operating style: Management’s approach toward financial reporting has a strong impact on the control environment. For example, the choice of liberal versus conservative accounting policies sends a message, as does the way non-financial disclosures are handled.

• Organizational structure: The loosely defined organizational structure that was a hallmark of the dot-com era has now been replaced, not necessarily by rigidity and conformity, but rather by a structure that ensures that critical information flows unimpeded.

• Assignment of authority and responsibility: Those charged with maintaining an effective system of internal control should have: job descriptions that are clearly delineated, a full understanding of their responsibilities relating to internal control, sufficient knowledge and experience to carry out their internal control-related duties competently, and the resources and the authority to get the job done.

• Human resource policies and practices: Hiring and retaining quality employees should be a high priority. Provide abundant professional development opportunities. Include internal control and business ethics in employee evaluations, and make compensation and promotions contingent upon these evaluations.

Dry Run

To enhance their long-term success, some companies ask their independent auditors to audit the effectiveness of their internal control over financial reporting (or selected pieces of it) prior to the official compliance date. Through this dry run, previously overlooked or undiscovered internal control deficiencies may be identified and remediated in advance, thereby reducing the risk of an adverse opinion once the independent auditors’ “official” assessment begins.

Integrate Your IT Group

Few companies could operate in today’s business environment without complex information systems. In addition to providing critical support to your business, these systems also form a linchpin of your company’s system of internal control. Indeed, IT controls are fundamental to compliance with section 404.

Thus, it is critical to integrate your IT professionals in your section 404 compliance effort. The complexity of the IT control issues and the specialized expertise required to define, develop, and implement effective solutions for identified deficiencies demand the participation of your IT managers. Involve them in the planning and execution phases from the outset.

Consider IT Controls

Your section 404 project provides an opportunity to look at your manual controls with a fresh eye to determine if they are optimally appropriate, efficient, and effective. Manual controls are pervasive in many companies because they are easier to understand, implement, and test. Yet oftentimes, manual controls can be replaced with IT controls that provide better efficiency and results.

Consider the control areas of segregation of duties and authorization. When invoice payments are processed, access to the software application can be configured so that only authorized users are able to make payments. Approvals of purchase orders and payments can also be segregated through IT controls. Similarly, when journal entries are processed, user access can be configured so that only authorized members of staff may post journal entries for stipulated amounts, particular divisions, etc.
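The authorization and segregation-of-duties controls described above, modelled in Python as an added example (not code from the guide): the user directory, role names, journal-entry limits and division codes are constructed assumptions, and denials are logged so the control leaves evidence that can later be tested.

```python
"""Illustrative application-level authorization checks (added example).

Models three IT controls: only authorized users may pay invoices, the
person who approved a purchase order may not also pay it, and journal
entries are limited per user by amount and division. All users, roles
and limits below are constructed sample data, not a real configuration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class JournalEntryLimit:
    max_amount: float          # largest single entry this user may post
    divisions: frozenset       # division codes this user may post to


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset
    je_limit: Optional[JournalEntryLimit] = None


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed directory; role names are assumptions for this example.
USERS: Dict[str, User] = {
    "alice": User("alice", frozenset({"po_approver"})),
    "bob": User("bob", frozenset({"payment_processor"})),
    "carol": User("carol", frozenset({"po_approver", "payment_processor"})),
    "dave": User("dave", frozenset({"je_poster"}),
                 JournalEntryLimit(10_000.0, frozenset({"EU"}))),
}

# Denied requests are recorded so the control produces testable evidence.
denial_log: List[str] = []


def _deny(reason: str) -> Decision:
    denial_log.append(reason)
    return Decision(False, reason)


def can_approve_po(user_id: str) -> Decision:
    """Authorization: only users holding the approver role may approve a PO."""
    user = USERS.get(user_id)
    if user is None or "po_approver" not in user.roles:
        return _deny(f"{user_id} is not authorized to approve purchase orders")
    return Decision(True, "ok")


def can_pay_invoice(user_id: str, po_approved_by: str) -> Decision:
    """Authorization plus segregation of duties for invoice payment."""
    user = USERS.get(user_id)
    if user is None or "payment_processor" not in user.roles:
        return _deny(f"{user_id} is not authorized to make payments")
    if user_id == po_approved_by:
        return _deny(f"{user_id} approved the purchase order and cannot also pay it")
    return Decision(True, "ok")


def can_post_journal_entry(user_id: str, amount: float, division: str) -> Decision:
    """Journal entries restricted by role, stipulated amount and division."""
    user = USERS.get(user_id)
    if user is None or "je_poster" not in user.roles or user.je_limit is None:
        return _deny(f"{user_id} is not authorized to post journal entries")
    if amount > user.je_limit.max_amount:
        return _deny(f"{user_id} exceeds journal entry limit: {amount} > {user.je_limit.max_amount}")
    if division not in user.je_limit.divisions:
        return _deny(f"{user_id} may not post journal entries for division {division}")
    return Decision(True, "ok")


def sod_conflicts() -> List[str]:
    """Design-level check: users who can both approve a PO and pay it."""
    return sorted(u.user_id for u in USERS.values()
                  if {"po_approver", "payment_processor"} <= u.roles)


if __name__ == "__main__":
    print(can_pay_invoice("bob", "alice"))
    print(can_pay_invoice("carol", "carol"))
    print(can_post_journal_entry("dave", 25_000.0, "EU"))
    print("role conflicts:", sod_conflicts())
```

The design-level check (`sod_conflicts`) flags a user like "carol" before any transaction runs, while the per-request checks enforce the control at the point of use; both kinds of evidence are what a tester of the control would ask for.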

If you apply a similar critical analysis to all your manual controls, you can simultaneously root out inefficiencies and strengthen your system of internal control.

Consult With Your Independent Auditors

Your independent auditors are required by law to maintain independence and professional skepticism, but that does not imply an adversarial relationship. After all, you share plenty of common ground — most notably the desire for reliable financial reporting!

Thus, you should be talking to your independent auditors at every step of your section 404 compliance effort. It is never too early to begin the dialogue. Conversations during the scoping and planning phase can ease your tasks further along. You should agree on timeframes and milestones. You should ensure that your definitions of materiality are in alignment.

Make sure your independent auditors understand the nature, scope, and timing of your control testing, as well as who is performing the testing. Collaboration will enable your independent auditors to use your work to the fullest extent possible.

So talk early and often. Remember, your independent auditors have likely been engaged in many more section 404 projects than you have. You are paying for that expertise — so make the most of it!

Don’t Neglect Other COSO Components

Out of a desire to get their section 404 compliance efforts moving forward rapidly, many companies focus heavily on process-level controls. This is understandable, as these controls represent tangible, easy-to-understand components of internal control.

But section 404 calls for an assessment of all the components of internal control. Under the COSO framework, this includes not only control activities, but also controls over the control environment, risk assessment, information and communication, and monitoring.

Focusing exclusively on control activities will result in an assessment that is only partially complete, and that could create problems. If you haven’t covered all the components of COSO, then your assessment will lack sufficient basis for determining that your internal control is effective.

Risk assessment, for example, is a critical COSO component that is sometimes neglected entirely or documented as an afterthought. Yet understanding and documenting risks to reliable financial reporting is essential to evaluating the adequacy of controls. So be sure to work risk assessment into your project plan, with special attention paid to high-risk areas, including complex transactions or those involving significant judgment; also focus on risks related to fraud and safeguarding of assets.

Understand Fraud

No system of internal control, however well-designed, can prevent all acts of fraud. But there is plenty you can do to deter, impede, discourage, and detect corporate misdeeds.

The first step involves understanding fraud. What, exactly, is financial statement fraud? The American Institute of Certified Public Accountants (AICPA) refers to financial statement fraud as “an intentional act that results in a material misstatement in financial statements that are the subject of an audit.” [7]

However, others expand the definition to include the notion that financial statement fraud is usually conducted by management or with their consent and knowledge. Thus, Elliott and Willingham describe financial statement fraud as “the deliberate fraud committed by management that injures investors and creditors through materially misleading financial statements.” [8]

[7] AICPA. (2002). Statement of Auditing Standards (SAS) No. 99. Consideration of fraud in a financial statement audit. New York.

After understanding comes analysis. Where is your company most vulnerable? Does the part-time assistant to the accounts payable clerk have the ability to bring down the company? Probably not. Instead, focus on the high-risk areas, such as the following:

• management override

• manual journal entries

• estimates

• rationale for significant transactions

• disclosures in financial statements (and, perhaps more importantly, disclosures not in the financial statements)

• selection and application of accounting principles

Exploit Technology

The more deeply you embed internal control into your corporate culture and into the daily routines of your business, the more effective, sustainable, and efficient your program will become. One of the best ways to attain this integration is through the intelligent deployment of technology. While no panacea, information technology can play a critical role in sustaining your compliance efforts.

For many companies, the early work of control documentation has typically been performed using existing simple applications (word processing, spreadsheets, or Web-based programs). However, more robust technology may be required to sustain a company-wide rollout and the ongoing evaluating, testing, and reporting necessary to support your section 404 assessment procedures. Many software vendors and consulting companies have developed software in this area.

Finding the right technology to support your Sarbanes-Oxley efforts will depend on a number of factors, including:

• your current functional requirements for section 404

• additional or future requirements (other regulatory compliance, internal audit, enterprise risk management)

• your information technology infrastructure (i.e., the technology currently supported by your IT organization). Your CIO should play an active part in the technology decision.

Be Smart About Testing

When it comes to testing your controls, there are no specific standards for the number of selections nor the types of tests to be conducted. Factors such as the role of the tester, the nature of the control, and the frequency of the control’s use will all come into play. Controls that are executed infrequently (annually or quarterly) may require a limited number of transactions to test. Controls in frequent use may require dozens of selections to verify their effectiveness. But irrespective of how many selections you make, you are responsible for obtaining at least the same level of assurance [9] as your independent auditors, so consult with them early in the process.

Define a Process for Handling Deficiencies

Even the best-run companies will have internal control deficiencies. A properly designed section 404 project will attempt to identify and remedy all internal control deficiencies before the end of the fiscal year. (Nonetheless, some internal control deficiencies may still exist at year end.)

But how do you deal with these internal control deficiencies once you identify them? You handle them according to the protocols outlined in your internal control deficiency governance process.

Early in your project planning, you should develop and implement detailed steps for handling internal control deficiencies. The benefits of this process will be many, including consistency in addressing and remediating internal control deficiencies; independent auditors’ concurrence on internal control remediation methodology (which may avoid surprises later!); more clearly defined responsibility for addressing internal control deficiencies; improved decision-making regarding internal control-related changes in the business; enhanced sustainability (an important element of a good control environment); and improved communication to ensure that issues are considered and addressed.

Items to define in your internal control deficiency governance process will include responsibility (by name or job title), timing (what is the timeframe for addressing the internal control deficiency?), notification/communication (who needs to know about it?), and documentation (where and in what form is the information recorded?).

You should also include criteria for determining the proper classification of internal control deficiencies (internal control deficiency, significant deficiency, or material weakness). See Appendix B for a definition of these terms — and discuss them with your independent auditors. Since your independent auditors will also be evaluating your internal control deficiencies, you need to reach an agreement on your internal control deficiency classification process. Early attention to this issue will save you time later.

Consider the Impact of Changes to Your Business

Mergers and acquisitions represent an important feature of the American business landscape. Yet before you consummate any deal, you should be aware of the impact that M&A activity — or any other significant changes to your business structure or operations — can have on compliance with Sarbanes-Oxley. Essentially, once you acquire another company, that entity’s system of internal control becomes your own, and you become responsible for its internal control over financial reporting. Fortunately, the SEC has acknowledged that it may be difficult to conduct an assessment of an acquired company’s internal control over financial reporting in the period between the acquisition date and the date of management’s assessment. In such cases, the acquired company may be excluded from management’s report on internal control over financial reporting. However, this exclusion must be noted in the report as well as disclosed on Form 10-K or 10-KSB. Furthermore, you may only omit an assessment of an acquired company’s internal control over financial reporting for a period of no more than one year from the date of acquisition, and from no more than one annual management report on internal control over financial reporting. Other restrictions and provisions apply. Consult your independent auditors for additional details.

8 Elliott, R.K., and Willingham, J.J. (1980). Management fraud: Detection and deterrence. New York: Petrocelli Books.

9 As defined by the PCAOB, reasonable assurance “includes the understanding that there is a remote likelihood that material misstatements will not be prevented or detected on a timely basis. Although not absolute assurance, reasonable assurance is, nevertheless, a high level of assurance.” Source: “Release No. 2004-001: An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements,” Public Company Accounting Oversight Board, 2004.


The Cost of Compliance

A survey of 224 public companies, conducted by Financial Executives International in July 2004, showed that businesses with more than $5 billion in revenue expected to spend over $8 million implementing Sarbanes-Oxley section 404 in the first year of compliance. Costs included consultants, lawyers, auditors, and new software.

FAQs from CXOs

The technical and logistical hurdles posed by Sarbanes-Oxley section 404 have raised anxiety levels in the business world. Many executives are uncertain that they are proceeding properly and are worried whether they are focusing and aligning their project appropriately with the law's requirements. Our Deloitte professionals have fielded many queries in this regard. Here are some of the questions asked and answered most frequently:

Do we have the right competencies to get our section 404 project done?

Chances are you have more internal talent at your disposal than you realize. While resource requirements will differ based on factors such as company size, industry, geography, and other variables, generally speaking, you will need to draw on individuals from tax, human resources, information technology, finance and accounting, internal audit, and operations. You should be aware that many of these people have never considered themselves as part of the financial reporting infrastructure. But today, under Sarbanes-Oxley, virtually everyone is!

Section 404 compliance is a huge undertaking. How will I ever get it done on time?

One of the most productive steps you can take is to get your independent auditors involved immediately. If you conduct your section 404 project in consultation with your independent auditors, you should avoid surprises on either side. Also, the sooner your independent auditors start the assessment procedures, the more time you will have to remediate any internal control deficiencies they find. And finally, you should carefully prioritize your activities; in essence, do a risk assessment of your section 404 project. Focus on the things that could create a material weakness, such as an ineffective control environment or lack of controls over non-systematic transactions.

How do we sustain this program so we remain in compliance?

Compliance with Sarbanes-Oxley section 404 is not a “once-and-done” effort. Because the evaluation, testing, and reporting requirements recur on an annual basis, you must sustain your compliance indefinitely. Therefore, you should build an efficient and effective compliance infrastructure that enables repeatable, reliable actions. Focus on educating your employees, optimizing your business processes, deploying information technology, and communicating openly.


Part Three: Implementation Guide

3.1 The Practical Pages

In contrast to the high-level perspective provided in the Executive Overview, this Implementation Guide section provides a ground-level vantage point. Over the coming pages, you will receive straightforward guidance for implementing a COSO-based system of internal control.

Use this section in the manner that best suits your needs and purposes: either a complete front-to-back reading to become fully versed in the subject, or an a la carte sampling to selectively enhance your knowledge, jumpstart your work, benchmark your progress, or troubleshoot your project.

3.2 Why You Should Read This Implementation Guide

If you're feeling intimidated by the sheer bulk of this section, consider:

• Deploying COSO is a detailed process; there are simply no shortcuts or workarounds. Hence the heft of this section.

• Taking Control is not a rehash of the COSO publication. Rather, it offers a step-by-step approach that draws upon the detailed knowledge, leading practices, and cumulative experience of our practitioners and clients — men and women who have spent thousands of hours in the field assisting with the implementation of systems of internal control based on COSO.

• Building or strengthening a system of internal control sturdy enough to satisfy the requirements of Sarbanes-Oxley section 404 is painstaking, time-consuming, and expensive. Yet as distasteful as that sounds, the alternative — coming up short in your compliance efforts — could be significantly worse.

3.3 Keep It Simple

To say that Sarbanes-Oxley section 404 has created a tumult in the business community may be an overstatement, but not by much. From the board room to the shipping dock, executives and workers are grappling with new demands, more oversight, heightened responsibility, and increased pressure. Costs are mounting, deadlines are approaching, and sanctions are looming for those who don't get it right.

But when things seem overwhelming, stop for a moment. Take a deep breath. Relax. Remember: Your objective is simple. You are working to attain reliable financial reporting for your company.

With this goal in mind, you should be able to ask yourself at any point in your section 404 project, How does this particular task help improve the reliability of my financial reporting? If you can clearly trace the task at hand back to your overriding objective — reliable financial reporting — then the entire project will come into better focus, and its disparate elements will unite into an understandable whole.

3.4 Build the Foundation

Before you frame the first wall, you have to construct the foundation. Mucking around in the trenches isn't the glamour work, but nothing else can be supported until you do.

The same principle applies to your section 404 project. Here's a checklist of preliminary activities you'll need to address before you can proceed to the more heady stuff. (If you need more detail on any particular item, see Deloitte's Moving Forward publication, referenced previously.)

• document your business operations (locations, units, and subsidiaries; partnerships, shared services, and extended enterprises; etc.)

• create a repository containing copies of corporate codes, procedures, policies, manuals, charts, and descriptions

• inventory and record pension plans, stock option plans, compensation packages, and profit-sharing plans

• establish a steering committee

• deploy a disclosure committee

• create an internal control project team

• form a program management office

• determine the role of internal audit

• consult with your independent auditors

• confer with senior management, disclosure committee, audit committee, and the board of directors

• determine the role of information technology

• train the project team

• develop your section 404 project work plan and your project budget

• select appropriate technology

The Middle Market Dilemma

Of all businesses struggling with Sarbanes-Oxley section 404 implementation, perhaps the most untenable position is that of middle-market companies. Human resources are stretched thin, with most employees already working at capacity. A tough economy and ongoing financial constraints preclude lavishing money on outside consultants to shepherd the project. Just attending to the day-to-day business of the company is difficult enough, never mind taking on a new, labor-intensive, cost-prohibitive project.

How to cope? Well, this publication provides a good place to start. Take our advice to heart. Get your priorities straight. Keep your project simple. Leverage existing technology, such as pre-populated templates. Identify an internal control champion within your firm. Conduct training workshops. Re-read COSO. And communicate tirelessly about good governance and internal control.

3.5 Scope the Project

At this stage of your section 404 project, you'll be defining the parameters of your work, including identifying important locations, significant accounts, and key business processes. Essentially, you'll be determining which parts of your business have a significant impact on internal control over financial reporting, and which parts don't. The former will be “scoped in” to your section 404 internal control assessment; the latter will be “scoped out.”

Determine Objectives to Include in the Project

COSO is a principles-based framework that is composed of three objectives: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations. Any section 404 project should, naturally, focus on the financial reporting objective. However, your project team may wish to consider including the other objectives — efficiency and effectiveness of operations and compliance with applicable laws and regulations — in its section 404 readiness project. By focusing on all the objectives, your company can drive better business performance. And, as noted earlier, by treating the requirements of section 404 as an opportunity, rather than a burden, your company may reap dividends far beyond compliance alone.

In some cases, you will have no choice but to include elements of the two other COSO objectives, because they sometimes overlap with internal control over financial reporting. For example, in the realm of efficiency and effectiveness of operations, consider a telephone company's switching operations. If these switches function to route and record customer calls, which in turn provides the basis for invoicing, then switching operations should be considered part of financial reporting and thus subject to section 404.

With respect to compliance with applicable laws and regulations, it is clear that following the laws, rules, and standards related to Sarbanes-Oxley section 404 is directly related to the preparation of reliable financial statements. But other laws and regulations will also come into play. For example, internal control over financial reporting would include controls over the computation of taxes, because tax liability has a direct and, usually, material effect on the financial statements. (However, the processes and controls to prepare and file tax returns would not be included, as these activities don't have a direct bearing on the financial statements.)

Other examples of laws and regulations that may have a direct and material effect on the financial statements may include the recognition and/or disclosure of certain employee benefit-related matters, such as payroll taxes or retirement benefits, and industry-specific laws and regulations, such as those directly affecting financial reporting for governmental contractors, banks, or health care providers.

Internal Control Over Financial Reporting: A Primer

Before you can effect internal control over financial reporting, you must understand the term itself, including its scope and limits. In its final rule,10 the SEC provided a detailed definition, which may be found in Appendix A.

The gist of the definition is contained in the SEC's interpretation that internal control over financial reporting covers “the applicable laws and regulations directly related to the preparation of financial statements.”

The SEC's definition of internal control over financial reporting includes policies and procedures that:

(1) pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant.

Although maintenance of records may be thought of as a state or condition as opposed to a control objective, there's another way to look at it: The absence of appropriate records may impair the effectiveness of the persons responsible for performing control activities. Thus, you should ensure that adequate records are maintained not only for your routine transactions (e.g., payroll), but also for non-routine events and transactions (e.g., support for estimates, journal entries, and the selection and application of new accounting principles).

Additionally, maintenance of records also includes that portion of business continuity or disaster recovery related to the controls over maintaining back-up and data recovery.

Also, although your company's record retention policies (i.e., how long you retain your financial records in storage) appear to be a legal consideration that falls outside the scope of section 404, it is advisable to maintain such records in a manner similar to the maintenance of records that support the financial statements.

(2) provide reasonable assurance that … receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant.

Each of the five components of COSO will have areas in need of controls related to authorization, including the following:

• Control Environment: assignment of financial authority by the board of directors to executive and middle management; related party transactions; expense accounts and perquisite arrangements; executive management compensation arrangements (including incentive-based arrangements)

• Risk Assessment: identifying any significant risks involving the ability of an employee to initiate and/or process unauthorized transactions

10 “Final Rule: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports,” U.S. Securities and Exchange Commission, 2003. Electronic copy can be viewed at: http://www.sec.gov/rules/final/33-8238.htm.


• Information and Communication: communication of authority across the organization; controls in the IT systems to prevent unauthorized access

• Control Activities at the Process/System Level: authority for specific types of transactions within each process

• Monitoring: monitoring for unauthorized transactions (e.g., unauthorized journal entries)

(3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the registrant's assets that could have a material effect on the financial statements.

This means that controls over fraudulent activity are intended to prevent or detect unauthorized expenditures or investments, unauthorized incurrence of liabilities, stolen inventory, the conversion of assets to personal use, and other illegal activities.

Determine Materiality

“Materiality” is a term used to describe the significance of financial statement information to decision-makers, such as shareholders. An item of information is considered material if it is probable that its omission or misstatement would influence or change a decision of these stakeholders.

In its Statement of Financial Accounting Concepts No. 2, the FASB stated that “the omission or misstatement of an item in a financial report is material if, in the light of surrounding circumstances, the magnitude of the item is such that it is probable that the judgment of a reasonable person relying upon the report would have been changed or influenced by the inclusion or correction of the item.”11

But as Shakespeare might say, “Ay, there's the rub.” Determining exactly what kind of information, or how many dollars, it would take to sway an investor is a tricky process dependent on subjective interpretation.

Yet materiality is critical to effective internal control over financial reporting. Materiality is calculated because it enables management to classify internal control deficiencies into the categories of material weaknesses, significant deficiencies, or internal control deficiencies. (For a definition of these terms, see Appendix B.) It is also used to determine which accounts and disclosures are significant (discussed in greater detail below).

So how does one determine materiality? The AICPA suggests that financial impact on after-tax income may be one appropriate measure: “… it is generally recognized that after-tax income from continuing operations is, in most circumstances, the measure of greatest significance to the financial statement users of entities whose debt or equity securities are publicly traded.”12

The group says that other significant accounts of the financial statements — current assets, net working capital, etc. — can be reasonably selected as well. But regardless of what is chosen, “in all instances, the element or elements selected should reflect, in the auditor's judgment, the measures most likely to be considered important by the financial statement users.”13

But note, too, that materiality cannot be reduced to a simple numerical formula. A thorough assessment of materiality requires that the facts be considered in the context of the surrounding circumstances. Thus, qualitative factors, which also consider the needs of a “reasonable person,” should be weighed as well, including items that:

• represent related-party balances and transactions

• change a loss into a profit or vice versa

• mask a change in earnings or other trends

• hide a failure to meet analyst expectations

• affect compliance with loan and other covenants

• increase executive compensation

The SEC states that “The use of a percentage as a numerical threshold, such as five percent, may provide the basis for a preliminary assumption that — without considering all relevant circumstances — a deviation of less than the specified percentage with respect to a particular item on the registrant's financial statements is unlikely to be material. The [SEC] has no objection to such a 'rule of thumb' as an initial step in assessing materiality. But quantifying, in percentage terms, the magnitude of a misstatement is only the beginning of an analysis of materiality; it cannot appropriately be used as a substitute for a full analysis of all relevant considerations.”14

Every company is unique, and the methods of determining materiality and results of that determination will vary accordingly. As always, discuss your conclusions and your methodology with your independent auditors and audit committee. And be sure to document your decisions.


More on Materiality

• While you should not base your materiality decisions on the materiality levels set by your independent auditors for purposes of the internal control audit, you should nonetheless discuss the matter with them in advance. It would be unfortunate to set your own materiality at a level higher than what your independent auditors will use to conduct their procedures because they may conclude that your assessment process is not effective because it was not sufficiently inclusive.

• The quantitative component of your materiality is a moving target. You should revisit your materiality calculation at least on an annual basis, and more frequently if conditions and circumstances dictate.

• Companies tend to focus on the financial statements when setting materiality. They often forget that non-numerical disclosures (in footnotes to the financial statements) also play a large role in influencing a “reasonable person.”

11 FASB, Statement of Financial Accounting Concepts No. 2, Qualitative Characteristics of Accounting Information (“Concepts Statement No. 2”), 132 (1980).

12 “Interpretations of SAS No. 47 (AU Section 312),” American Institute of Certified Public Accountants. Electronic copy can be viewed at: www.aicpa.org/members/div/auditstd/announce/interpretations.htm.

13 Ibid.

14 “SEC Staff Accounting Bulletin: No. 99 - Materiality,” U.S. Securities and Exchange Commission, 1999. Electronic copy can be viewed at: http://www.sec.gov/rules/acctrps/sab99.htm.


Identify Significant Locations or Business Units

In your preliminary activities, you took a comprehensive inventory of all your locations and business units. Now, you will whittle the list down to the most critical of these sites. Your objective is to separate the insignificant — those locations or businesses that could not create, either individually or in the aggregate, a material misstatement in the financial statements — from the significant.

Using the definitions of materiality that you have developed, methodically examine each location or business and evaluate the relative financial significance and the risk of material misstatement arising from it. Consider that some sites may have unique or specific risks that, by themselves, could create a material misstatement. Also remember that some locations or business units in isolation may seem immaterial, but in combination may attain a level of financial significance that could create a material misstatement in the financials.

In most cases, the business units and locations identified should represent a large portion of the company's total operations and financial position. Determining “large portion” is a matter of judgment, which should be discussed with your independent auditors, since the number of locations selected by the company should generally be more than the number selected by your independent auditors.

As always, document your work and the criteria you used.

Identify Significant Accounts

With significant business units identified, it's time to examine the financial statements from each to determine significant accounts.

What constitutes a significant account? Perhaps a more appropriate question would be, what doesn't? It's only slight hyperbole to state that every account could be considered significant.

Your materiality definition will be the ultimate determining factor. If the account balance or financial statement line item is sufficiently large — individually or in the aggregate — that an error or misstatement within it could have a material effect on the financial statements, then it should be identified as a significant account.

Of course, financial statement line items are often comprised of multiple general ledger accounts. Within each of those financial statement line items, account balances should be determined by a two-step process: first, aggregate general ledger accounts that have similar risks and share common processes and controls; second, disaggregate into components those financial statement line items and general ledger balances that have differing risks and controls. Then, at this component level, account balances above the materiality level (considering the risk of both overstatement and understatement) should be identified as a significant account.

Assuming that a $700,000 materiality level has been established for identifying significant accounts, the charts below illustrate the process:

Figure 1.1: Financial Statement Line Item Level(1)

Account                               Balance          Significant?
Cash                                  $  2,000,000     Yes
Accounts Receivable                   $  6,000,000     Yes
Inventory                             $  7,000,000     Yes
Other Assets                          $  1,000,000     Yes
Property, Plant & Equipment           $    800,000     Yes
Prepaid and Other Current Assets      $    400,000     No(2)
Payables - Related Party              $   (100,000)    Yes(3)
Derivative Liability                  $   (400,000)    Yes
Accounts Payable                      $ (3,000,000)    Yes
Accrued Liabilities                   $ (2,000,000)    Yes
Long-Term Debt                        $ (5,000,000)    Yes
Stockholders' Equity                  $ (6,700,000)    Yes

(1) For this illustration, only the single-location balance sheet has been depicted to identify the significant accounts at the financial statement level. However, the income statement, cash flow statement, and footnote disclosures also should be included.

(2) The line item is less than the threshold and, for illustrative purposes, it does not contain qualitative factors that would cause the line item to be deemed significant.

(3) Although less than the threshold, for illustrative purposes, the line item is identified as significant because of significant qualitative considerations.

Figure 1.2: Account Balance Level

Accounts Receivable:

Account                               Balance          Significant Account?
Trade Accounts Receivable             $  4,600,000     Yes
Related Party Receivables             $    400,000     Yes(4)
Miscellaneous (10 @ $100,000)         $  1,000,000     No(5)
Total                                 $  6,000,000

(4) Although less than the threshold, for illustrative purposes, the account is identified as significant because of significant qualitative factors.

(5) For illustrative purposes, assume that the 10 miscellaneous accounts of $100,000 each are not subject to the same risks and controls and that there are no significant qualitative factors. These accounts individually would not constitute significant accounts and, thus, these accounts are not considered significant accounts. Because they exceed the threshold in the aggregate, the key control(s) should be evaluated.


Additionally, other account balances that are less than the threshold also may be identified as a significant account taking into consideration qualitative factors, such as the expectations of a reasonable user. For example, investors might be interested in a particular financial statement account even though it falls below the threshold because it represents an important business performance yardstick.

The PCAOB offers this definition of account significance:

An account is significant if there is more than a remote likelihood that the account could contain misstatements that individually, or when aggregated with others, could have a material effect on the financial statements, considering the risks of both overstatement and understatement. Other accounts may be significant on a qualitative basis based on the expectations of a reasonable user. For example, investors might be interested in a particular financial statement account even though it is not quantitatively large because it represents an important performance measure.

Note: For purposes of determining significant accounts, the assessment as to likelihood should be made without giving any consideration to the effectiveness of internal control over financial reporting.15

Identify Relevant Assertions for Each Account

Financial statement assertions are representations by management regarding the completeness, validity, and accuracy of financial statements. Assertions can be broadly classified as follows:16

• Existence or Occurrence — Assets, liabilities, and ownership interests exist at a specific date, and recorded transactions represent events that actually occurred during a certain period.

• Completeness — All transactions and other events and circumstances that occurred during a specific period, and should have been recognized in that period, have, in fact, been recorded.

• Valuation or Allocation — Asset, liability, revenue, and expense components are recorded at appropriate amounts in conformity with relevant and appropriate accounting principles.

• Rights and Obligations — Assets are the rights, and liabilities are the obligations, of the entity at a given date.

• Presentation and Disclosure — Items in the statements are properly classified, described, and disclosed.

Note that assertions are not mutually exclusive; thus, more than one of these assertions can be applied to the significant accounts and disclosures. Take, for example, accounts receivable. Relevant assertions would include “existence or occurrence” (recorded accounts receivable exist and are recorded accurately); “completeness” (all accounts receivable have been recorded); “valuation” (accounts receivable are collectable); “rights and obligations” (the company has legal claim to the accounts receivable); and “presentation” (accounts receivable are properly displayed and classified on the balance sheet with appropriate footnote disclosures).

Since you have already identified your significant accounts and disclosures, work methodically through them and assign relevant assertions to each.

Identify Significant Processes

“Significant processes” are the procedures that underlie your account balances, the actual real-world steps that employees undertake to initiate, record, process, and report transactions. Significant processes that affect financial reporting may include taking inventory, processing payroll, reconciling bank accounts, making journal entries, aging accounts receivable, and myriad other day-to-day activities involved in running a business.

To identify significant business processes, follow these steps.

Identify the major classes of transactions for each significant account.

Major classes of transactions are identified by considering the account activity (e.g., the debits and credits) within the significant account. Three types of transactions are possible: routine, non-routine, and periodic. Routine transactions are those that occur frequently and are expected in the ordinary course of business. For example, in manufacturing environments, the routine types of transactions that may occur include (1) distributor sales, (2) direct customer sales, and (3) Internet sales.

Non-routine transactions are those that occur infrequently. Examples of non-routine transactions include transactions with special terms; mergers, acquisitions, and divestitures; plant closings; extraordinary items; and disposals of a segment of a business.

Periodic transactions are those that occur at points in time and generally as part of the month-end, quarter-end, and annual closing processes. These may include the accrual of accounting estimates, the calculation of income taxes, and other accruals (e.g., interest on investments and debt, and accrued liabilities).

To illustrate, let's use accounts receivable as a sample significant account. Within this account, the major classes of transactions may include sales, sales returns, cash receipts, write-offs, and journal entries. These classes may be determined to be “major” due to their financial significance (such as sales and returns), importance to the closing process (journal entries), or levels of subjectivity (write-offs).

Scoped Out and Forgotten?

Caught in the whirlwind of identifying important locations and significant accounts, companies sometimes forget about those they have left behind — the items that have been “scoped out” of their section 404 project. Many companies have the mindset that if the location or account doesn't have a significant impact on internal control over financial reporting, then no controls are needed. This, we contend, is an inadvisable stance. Indeed, companies with a reputation for good governance and strong internal control have long realized the need for controls at all their business locations and for all their accounts. The benefits include standardization and simplification; an improved overall control environment; and easier transitions due to expansion or other changes in the business. Scoped in or scoped out, internal control should be ubiquitous. It's just good business.

15 “Release No. 2004-001: Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements,” Public Company Accounting Oversight Board, 2004.

16 “Statement of Accounting Standard (SAS) No. 31,” American Institute of Certified Public Accountants.


Identify the significant processes supporting the major classes of transactions.

Processes may be categorized into two major types: transaction-level processes and company-level processes. Transaction-level processes involve individual transactions. These may be systematic (automated) processes such as sales activity, billing, collection, and payroll. Or they may be nonsystematic (manual) processes, such as intangible assets, allowance for sales returns, allowance for doubtful accounts, and litigation reserves.

Company-level processes involve financial reporting and closing, including such activities as journal entries, reconciliations, and consolidation. Company-level processes should always be considered significant.

Thorough documentation of significant processes provides a better understanding of the company's system of internal control over financial reporting, which will aid both the internal team and the independent auditors in their work and will aid in the identification of control objectives and risks (which will be discussed later in this document).

Identify Significant ApplicationSystems

A significant software application system hasan important impact on financial reportingbecause, among other characteristics, itprocesses major classes of transactions.

Identifying significant software applicationsystems is a fairly straightforward process:Once you have identified the significantbusiness processes (as described above),match them to the software applications thatsupport those processes.

Identify the Computer Processing Environment

A computer processing environment is a location that supports computer hardware and software. It is possible to have multiple computer processing environments at one physical location. A distinguishing feature of the computer processing environment is its unique combination of operating procedures and programmed controls. A computer processing environment also includes those individuals who support the computer processing, but who may not be physically located in the same location. For example, a company might have a single data center (i.e., processing location) that includes both a mainframe computer and one or more smaller computers. Because the operating procedures and programmed controls differ significantly between the mainframe and the smaller computers, you should treat them as separate computer processing environments.

Identify Service Organizations and Other Extended Relationships

Many companies outsource business processes, including manufacturing, order fulfillment, payroll, accounting, human resources, shipping, tax reporting, coupon and warranty processing, and other functions. As part of your scoping process, you should identify all of these relationships because, depending on the nature of each, you may be responsible for evaluating and testing the controls within some of these organizations.

In your assessment process, you should include any outside organization that is part of your information system. An outside organization is part of your information system if the services it provides or the transactions it performs affect any of the following:

• The classes of transactions in your operations that are significant to your financial statements. Thus, only service organizations (including IT application and general computer controls) that impact a company's major classes of transactions, significant accounts, or processes need to be considered.

• The procedures, both automated and manual, by which transactions are initiated, recorded, processed, and reported from their occurrence to their inclusion in the financial statements. Procedures in any of these four stages may be outsourced. Oftentimes the processing stage activities may be outsourced, while the company performs the initiation, recording, and reporting activities.

• The related accounting records, supporting information, and specific accounts in your financial statements involved in initiating, recording, processing, and reporting transactions. For example, accounting records, such as payroll registers or health care claims disbursement records, may be maintained by the service organization on behalf of the company.

• How your information system captures other events and conditions that are significant to the financial statements. Examples include (1) data provided by an outsourced manufacturer to assist the company in the identification of inventory adjustments or write-downs of inventory located at the outsourced manufacturer, and (2) securities pricing services used by financial organizations to "mark-to-market" their investment portfolios.

• The financial reporting process used to prepare your financial statements, including significant accounting estimates and disclosures. This may range from the involvement of third parties in assisting management in the preparation of estimates (such as fair value, actuarial, or environmental) to the outsourcing of the entire financial reporting process, including the period-end closing and reporting processes.

It is important to distinguish between service organizations and vendors because service organizations are "scoped" into the company's assessment of internal control over financial reporting while vendors are not. One key factor that can aid in the distinction: If your company includes transactions or events that are processed by a service provider in your own financial statements, then it is likely that the service provider represents a service organization. Consult with your independent auditors if you have any questions.

3.6 Establish Objectives and Identify Risks

Your company faces continual risks. On the broadest level, competitive risks can threaten the very survival of your organization. On a less monumental scale, internal risks can affect your petty cash balances or even your supply of mechanical pencils. The point is that your company faces risks from all quarters, some significant, some mundane.

Of course, risk management is a broad topic. In the context of Sarbanes-Oxley section 404, it is narrowed: Risk is an event or condition that can negatively affect the ability of the organization to produce timely and reliable financial reporting.

Risk assessment is inextricably linked to the scoping process described above. As you determined materiality and then identified significant locations, significant accounts, relevant assertions, significant processes, and significant application systems, you were laying the groundwork for the risk assessment process.

Despite its seeming complexity, risk assessment is a fairly straightforward process that can be broken into three steps: (1) establish objectives, (2) identify risks, and (3) document the risk assessment process.

Establish Objectives

Setting objectives, according to the COSO framework, "is a precondition to risk assessment." That's because, quite simply, you have to set objectives before you can identify the risks that might hinder you from attaining those objectives.

Broadly, objectives fall into one of several categories, as follows:
• operations objectives, which address high-level issues such as profitability
• compliance objectives, which relate to conformance with applicable laws and regulations

But for the purposes of section 404 and this document, we are focusing primarily on:
• financial reporting objectives, which concern the accurate, complete, and timely preparation of financial reports

Objectives can be categorized as either "entity-level," which encompass the entire organization, or "process-level," which concern smaller scale actions and procedures.

Entity-Level Objectives
To begin the process of establishing entity-level objectives, COSO suggests that you start with broad statements that describe what you'd like the entire organization to achieve. Although objectives can address a wide variety of issues, such as market share (e.g., become the No. 2 manufacturer of aglets by the year 2005), revenue growth, or workforce expansion, for the purpose of section 404, the focus can be much narrower and simpler. Sample language for the primary entity-level objectives is provided below:

Publish reliable financial statements in accordance with generally accepted accounting principles that include those policies and procedures that:

1) pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the company;

2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant; and

3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant's assets that could have a material effect on the financial statements.

Of course, the above-listed objectives are too generic and too broad for use in your section 404 project. You should more clearly define them for your particular circumstances, addressing each COSO component.

Focus on Fraud
Section 404 of Sarbanes-Oxley requires companies to include an assessment of fraud risk, which can arise from a variety of places and be attributable to a number of causes. For example, management override has been a significant factor in several highly publicized fraud cases. Revenue recognition can be another area ripe for abuse, since the rules governing revenue are often misapplied. Fraud risk can manifest itself in the control environment as well, if, for example, management applies strong pressure on employees to show short-term earnings. Executive incentives can also backfire: Management compensation that is contingent upon corporate performance can provide strong temptation to "cook the books."

Here are a few additional observations on fraud:
• The benefits of an anti-fraud program to an organization are not limited only to reduced costs. Under the Federal Sentencing Guidelines, there is up to a 95 percent reduction in penalties for companies that have implemented programs to prevent and detect any violations of law.

• The cornerstone of an anti-fraud environment is a culture founded on honesty and integrity, reflected by the formal and informal organizational code of conduct and actual and perceived adherence to that code. Built on that foundation, an effective anti-fraud program includes a comprehensive assessment of the organization's fraud risks and an enterprise-wide risk monitoring program specifically designed to determine the effectiveness of preventive and mitigating anti-fraud controls.

• The fraud risk assessment should include the individuals with day-to-day involvement in the significant processes being assessed. For example, an assessment of the risks inherent in a revenue process should include individuals from the sales department (deal directly with the customers), the legal department (draft or review contracts and sales agreements), the order entry department (process the orders), the accounting department (invoice the customer and record the revenue), the shipping department (ship the goods to customers), and the accounts receivable department (approve the credit limits and then collect the receivables). Based on the assessed risks, a response is developed that may include preventive controls (reducing the opportunity to commit fraud) or mitigation controls (reducing the impact of the potential fraud).


Your organization should also develop other entity-level objectives for the control environment, information and communication, and monitoring. Here are some samples for each:

Sample Control Environment Objectives
• management demonstrates character, integrity, and ethical values
• the company is committed to competence
• the audit committee and/or the board of directors are actively involved and have significant influence over the company's internal control over financial reporting

Sample Information and Communication Objectives
• financial reporting and related application and information systems are reliable
• appropriate and necessary information is obtained from, and provided to, management
• information is gathered from and disseminated to the appropriate people on a timely basis

Sample Monitoring Objectives
• internal audit's scope, responsibilities, and audit plans are appropriate for the company
• internal audit adheres to professional standards, such as those issued by The Institute of Internal Auditors
• the entity is responsive to internal and external recommendations

See Appendices C, D, and E for further details on these objectives.

Process-Level Control Objectives
After developing your broadly worded entity-level objectives, you should incorporate more detail in your process-level objectives. While your entity-level objectives will likely be relatively few, your process-level objectives may number in the hundreds.

Process-level objectives should be created for all the significant accounts and disclosures that you identified earlier. To accomplish this, use the financial statement assertions that you developed for significant accounts and disclosures.

For example, assume that the significant account you are setting objectives for is "sales." Because management should ensure that all revenue is recognized in the appropriate period, one possible financial assertion would be "completeness." (Other financial assertions may apply as well.) Once the financial assertion has been identified, relevant control objectives should be established. Under this example, one control objective for the sales account, derived from the financial assertion of completeness, may be the following: "All orders received from customers are input and processed."

Identify Risks

Entity-Level Risks
Entity-level risk affects what the overall entity (i.e., your entire company) wants to achieve. These risks typically impact "big picture" concerns.

Entity-level risks should be developed for each of the five components of COSO. Be especially sure to address the areas of control environment, information and communication, and monitoring, which are often overlooked in favor of the other COSO components. Begin with a "what-if?" process to consider each of your entity-level control objectives in each COSO area, and then create a detailed listing of risks to attaining those objectives. You can start by simply inverting the control objectives. For example, in the control environment area, if your objective is "the company is committed to competence," an associated risk may be that "the company is not committed to competence." However, that should be considered only a starting point, not an end point. You should then ask yourself: "What are the underlying risk factors that could hinder my company's commitment to competence?" You may find answers to that question in the areas of leadership, job descriptions, communication, hiring practices, performance reviews, and more. Each of these risk areas should be documented.

Process-Level Risks
Once your objectives are documented, you should identify any internal and external factors (risks) that may thwart or hinder your company from attaining its financial reporting control objectives.

As described previously, you can approach this process by creating "what if?" scenarios. Take each control objective and then try to envision what could go wrong. What are the situations, circumstances, and problems that could arise that might thwart your objectives?

Document the Risk Assessment Process

As with most facets of your section 404 project, full documentation is critical. Risk assessment is one of the five components of COSO that will require documentation to support compliance. Additionally, you will need documentation to support your internal control report, as well as for your independent auditors to perform testing and validation.


3.7 Controls in Action (Part I)

When companies strive to implement or strengthen their system of internal control, most tend to take a predictable course: They focus on the controls that address systematically processed transactions that flow through major general ledger accounts; they concern themselves with obvious business processes.

Yet, in our experience, far more errors occur elsewhere, in less familiar terrain. Some mistake-prone areas include application of accounting policies, non-routine events and transactions, information technology, and fraud.

Starting here and continuing in the next two sections (Evaluate the Design of Controls and Test the Operating Effectiveness of Controls), we will provide illustrative examples of these oft-overlooked controls and their associated objectives and risks.

The chart in Figure 2 is populated with sample data that lays out the critical information in a hypothetical situation. Listed atop the four columns are the categories of controls that often prove troublesome. Subsequent rows contain information similar to that which you will have gathered earlier in this document:
• sample business processes and significant accounts identified during scoping activities
• financial assertion associated with the business processes and significant accounts
• illustrative control objective for each category of control
• the risk associated with the control objective

Consider, for example, controls over authorization of non-routine events and transactions. Moving down the column, we find that a business process related to non-routine events and transactions involves financial closing and reporting, and that the accounts that are impacted by this activity are pervasive.

In the row labeled "illustrative objective," a sample objective for each category of control is provided. For example, in the "fraud" column, one possible objective is that "Recorded revenue represents valid transactions." Note that the objective provided in each category is simply one illustrative example. In actuality, you will have many (perhaps dozens) of objectives for each control category.

The next row addresses "risk." For each objective listed directly above it, a hypothetical risk has been assigned. As before, although only a single risk is listed here, any number of risks may actually exist for each objective.

Figure 2: Controls in Action - Part I

Accounting Policies
Business Process: Financial Closing and Reporting
Account: All
Financial Assertion: Existence or occurrence, completeness, valuation or allocation, rights and obligations, and presentation and disclosure
Illustrative Objective: The company's accounting policies reflect the most recent and applicable authoritative guidance and are properly documented, communicated, and applied consistently to events and transactions across business units and accounting periods.
Risk: The company does not properly apply authoritative literature (e.g., generally accepted accounting principles) to its financial transactions.

Non-Routine Events and Transactions
Business Process: Financial Closing and Reporting
Account: All
Financial Assertion: Existence or occurrence and presentation and disclosure
Illustrative Objective: Non-routine events and transactions are valid and properly recorded in the appropriate accounting period.
Risk: Significant non-routine events and transactions are not reviewed by individuals with the requisite technical expertise and are improperly recorded by the company.

Information Technology
Business Process: Information Systems Management
Account: N/A
Financial Assertion: N/A
Illustrative Objective: Logical security tools and techniques are implemented and configured to enable restriction of access to programs, data, and other information resources.
Risk: Unauthorized individuals can access the company's financial accounting systems and make changes to the underlying financial data.

Fraud
Business Process: Revenue
Account: Accounts Receivable, Sales
Financial Assertion: Existence or occurrence and rights and obligations
Illustrative Objective: Recorded revenue represents valid transactions.
Risk: Revenue is recorded without having a properly completed sales transaction.

Note: The examples above are intended to be illustrative, not comprehensive. In practice you will have significantly more business processes, accounts, financial assertions, control objectives, risks, and control activities. Additionally, procedures to evaluate and test the design and operating effectiveness of control activities will be more comprehensive and require extensive documentation including reports reviewed, individuals interviewed, number and details of transactions selected, and more.


3.8 Evaluate the Design of Controls

Once control objectives are summarized and risks that may hinder those objectives are identified, astute managers might reasonably ask: "What can we do to minimize these risks?"

That's where control activities come in. Control activities are policies and procedures that help your company mitigate risk and meet its objectives. In the case of section 404, control activities will help you attain your entity-level objective of producing timely and reliable financial reports, and your multiple process-level objectives designed to effect the same.

Control activities can be seen as part of a continuum: First you developed your objectives; next you identified risks for each objective; now you associate control activities with each risk.

Getting a Handle on Control Activities

In the broadest sense, controls can be divided into two main categories: company-level controls and process-level controls.

Company-level controls typically exist and operate across an organization (both single location and multiple location companies). These controls are designed to monitor the appropriateness and reasonableness of the information provided by the underlying processes (and locations), and to monitor the effectiveness of the controls that operate within a process (and across multiple locations). Examples of company-level controls include corporate-level controls over common processes and systems, centralized financial processing, and consistent period-end financial reporting procedures and processes.

Process-level control activities generally operate at a number of levels:
• At senior levels of management, the control activities are more likely to be high-level procedures performed by management and are likely to involve greater aggregation of data and less consideration of detail.
• At lower levels, the control activities are likely to be focused on distinct sets of data and at a much greater level of detail.
• At the lowest level, detailed control activities are likely to relate to specific transactions.

Major control types include preventive, detective, manual, and information technology. Here's a primer:

Preventive: Preventive controls are designed to avert problems rather than identify them. Some examples include the use of passwords to gain access to computer application systems, or required approval for all purchase orders over a certain dollar threshold.

Detective: Detective controls are meant to identify errors or irregularities after the fact. These may take the form of reviews, reconciliations, and analyses.

Manual: Manual controls are carried out by people, as opposed to automated controls (i.e., application controls) that take place without direct human intervention. An employee manually reconciling a bank statement or a manager reviewing sales based on budgeted amounts are examples of manual controls.

Information Technology: Information technology (IT) controls are controls over computer processing of information, consisting of general controls (including controls over data center operations, system software acquisition and maintenance, access security, and application system development and maintenance) and application controls (designed to ensure completeness, accuracy, authorization, and validity of data input and transaction processing).

Examples of commonly performed control activities include the following:

Reviews: Reviews are usually one of three types: analytical (evaluating summary information by comparing it with expected results), transactional (checking the accuracy of output by comparing it, in detail, with expected results), or performance (examining documentation to determine that control activities were performed as intended). Each type can be found in both IT systems and manual processes. However, all reviews typically include some manual elements. For example, management may conduct a manual review in follow-up to an IT-generated report of large or unusual transactions. To be effective, reviews should be performed by personnel who have the knowledge and experience to identify relevant exceptions and errors.

Reconciliations and Comparisons: Recorded assets should be reconciled and compared with independent records. Reconciling a bank statement to its associated general ledger account is one example of this type of control activity.

Safeguarding of Assets: To ensure the integrity of your financial reporting, you should safeguard your company's assets against misappropriation, errors, and irregularities. In its auditing standard, the PCAOB provided a definition that companies should refer to when identifying controls over safeguarding of assets:

Controls over safeguarding of assets are those policies and procedures that "provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company's assets that could have a material effect on the financial statements."17

Interestingly, your company could sustain a loss of assets through misappropriation and still be deemed to have effective internal control, provided the loss is detected and properly represented in the financial statements. According to COSO, "to the extent that such losses might occur, controls over financial reporting are effective if they provide reasonable assurance that those losses are properly reflected in the financial statements, thereby alerting financial statement users to consider the need for action."18

That element of the rule notwithstanding, we recommend instituting sufficient preventive controls to properly safeguard company assets.

Information Technology Controls: In many companies, the use of computers is pervasive, the computer processing environments are complex, and the application systems are vital to the business. In such instances, it is likely that the effectiveness of control activities (manual and application) is dependent on whether the computer processing environment supports the reliable processing of financial information.

17 "Release No. 2004-001: Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements," Public Company Accounting Oversight Board, 2004. Electronic copy can be viewed at: http://www.pcaobus.org/rules/Release-20040308-1g.pdf.

18 Committee of Sponsoring Organizations (COSO) of the Treadway Commission's Addendum, Reporting to External Parties, 1994.


Information technology controls can be broken down into two types:

1. General Controls: According to COSO, general controls, which are designed to ensure that the financial information that is generated from a company's application systems can be relied upon, include the following types of controls:
• Data center operation controls: controls such as job set-up and scheduling, operator actions, backup and recovery procedures, overall systems availability, and contingency or disaster recovery planning.
• System software controls: controls over the effective acquisition, implementation, and maintenance of system software, database management, telecommunications software, security software and utilities.
• Access security controls: controls that prevent inappropriate and unauthorized use of the system.
• Application system development and maintenance controls: controls over development methodology, which includes system design and implementation, outlining specific phases, documentation requirements, approvals, and checkpoints to control the development or maintenance of the project and version control.

2. Application Controls: Application controls are embedded within software programs to prevent or detect unauthorized transactions and allow the authorization and processing of transactions. When combined with manual controls, as necessary, application controls ensure the completeness, accuracy, authorization, and validity of processing transactions.

Some examples of application controls include:
• Balancing control activities: These controls detect data entry errors by reconciling amounts captured either manually or automatically to a control total. For example, a company automatically balances the total number of transactions processed and passed from its online order entry system to the number of transactions received in its billing system.
• Check digits: These controls use calculations to validate data. For example, a company's part numbers may contain a check digit to detect inaccurate ordering from its suppliers. Universal Product Codes include a check digit to verify the product and the vendor. A check digit detects a mistyped code; it cannot tell you what the correct code was.
• Predefined data listings: These controls provide the user with predefined lists of acceptable data. For example, a company's Intranet site might include drop-down lists of products available for purchase.
• Data reasonableness tests: These controls compare data captured to a preset or learned pattern of reasonableness. For example, an order to a supplier by a home renovation retail store for an unusually large number of board feet of lumber may trigger a review.
• Logic tests: These controls include the use of range limits or value or alphanumeric tests. For example, a government agency detects potential errors in social security numbers by checking that all entered numbers are nine digits in length.
• Authorization controls: These controls establish accountability for the initiation and approval of transactions that impact the financial reporting process.
• Tolerance levels: These controls specify the dollar limits up to which a given individual can initiate or authorize certain transactions without further approval. Similar provisions may be made for journal entries.
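The application controls listed above, written out as runnable checks. This is an added example and not code from the guide; the product catalog, approval roles and dollar limits, the UPC and the order-entry/billing batches are constructed for illustration. The balancing control deliberately reconciles a hash total and the individual transaction ids alongside the record count, because a count alone is blind to a dropped record offset by a duplicate.

```python
"""Application controls as runnable checks: check digit, balancing (count
and hash total), predefined listing, reasonableness, logic test, and
authorization/tolerance level. Added example, not code from the guide;
product codes, roles, dollar limits and transactions are constructed."""
import re
from collections import Counter
from decimal import Decimal
from statistics import median

# Constructed reference data (assumptions for this example).
PRODUCT_CATALOG = {"LUM-2X4-8", "LUM-2X6-10", "NAIL-16D"}
APPROVAL_LIMITS = {"buyer": Decimal("5000"), "manager": Decimal("50000"), "cfo": None}


def upc_check_digit_valid(upc: str) -> bool:
    """Check digit control for a 12-digit UPC-A code.

    3 * (digits in positions 1, 3, ..., 11) + (positions 2, ..., 10) + the
    check digit must be a multiple of 10. A mistyped digit, and most
    transpositions of adjacent digits, break the sum and are rejected.
    The control detects an error; it cannot tell you the right code.
    """
    if not re.fullmatch(r"\d{12}", upc):
        return False
    d = [int(c) for c in upc]
    return (3 * sum(d[0:11:2]) + sum(d[1:11:2]) + d[11]) % 10 == 0


def balancing_control(sent: list[dict], received: list[dict]) -> dict:
    """Balancing control across an interface (order entry -> billing).

    Reconciles record count, the hash total of amounts, and the per-id
    comparison, so a dropped record hidden by a duplicate is still caught.
    """
    def hash_total(rows):
        return sum((Decimal(r["amount"]) for r in rows), Decimal("0"))

    sent_ids = Counter(r["id"] for r in sent)
    recv_ids = Counter(r["id"] for r in received)
    result = {
        "count_diff": len(sent) - len(received),
        "amount_diff": hash_total(sent) - hash_total(received),
        "missing": sorted((sent_ids - recv_ids).elements()),
        "duplicated": sorted((recv_ids - sent_ids).elements()),
    }
    result["balanced"] = not (result["count_diff"] or result["amount_diff"]
                              or result["missing"] or result["duplicated"])
    return result


def in_predefined_list(code: str) -> bool:
    """Predefined data listing: only catalogued product codes are accepted."""
    return code in PRODUCT_CATALOG


def quantity_unreasonable(quantity: int, history: list[int], factor: float = 3.0) -> bool:
    """Data reasonableness test against a learned pattern (historical median).
    True means 'route for review', not 'reject'."""
    return quantity > factor * median(history)


def ssn_logic_test(value: str) -> bool:
    """Logic test: exactly nine digits, plain or in AAA-GG-SSSS form."""
    return re.fullmatch(r"\d{9}|\d{3}-\d{2}-\d{4}", value) is not None


def needs_second_approval(role: str, amount) -> bool:
    """Authorization / tolerance level control: amounts above the role's
    limit need further approval. An unknown role cannot self-approve."""
    if role not in APPROVAL_LIMITS:
        return True
    limit = APPROVAL_LIMITS[role]
    return limit is not None and Decimal(str(amount)) > limit


def screen_purchase_order(po: dict, history: list[int]) -> list[str]:
    """Run the input controls over one purchase order; returns the
    exceptions found (empty list = passes all of them)."""
    findings = []
    if not in_predefined_list(po["product"]):
        findings.append("product not in catalog")
    if not upc_check_digit_valid(po["upc"]):
        findings.append("UPC check digit failed")
    if quantity_unreasonable(po["qty"], history):
        findings.append("quantity fails reasonableness test")
    if needs_second_approval(po["role"], po["amount"]):
        findings.append("amount exceeds tolerance level for role")
    return findings


if __name__ == "__main__":
    # Constructed lumber order: UPC mistyped (the valid code ends in ...452),
    # quantity ten times the usual run, amount above the buyer's limit.
    po = {"product": "LUM-2X4-8", "upc": "036000291453", "qty": 5000,
          "amount": "12000.00", "role": "buyer"}
    print(screen_purchase_order(po, history=[400, 450, 500, 520, 480]))
    sent = [{"id": 1, "amount": "100.00"}, {"id": 2, "amount": "250.50"},
            {"id": 3, "amount": "75.00"}]
    received = [{"id": 1, "amount": "100.00"}, {"id": 3, "amount": "75.00"},
                {"id": 3, "amount": "75.00"}]
    print(balancing_control(sent, received))   # counts agree, hash total does not
```

In the sample batch the record counts agree (three sent, three received), so a count-only balancing control would pass it; the hash total and the per-id comparison show that order 2 was dropped and order 3 duplicated. Amounts are handled as Decimal rather than float so that the hash total reconciles to the cent.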

Which Controls Should Be Evaluated?

Basically, you need to evaluate the controls that meet the control objectives for each of the relevant assertions for the significant accounts and disclosures that you previously identified. But it's not entirely up to your discretion. In its rulemaking, the SEC has identified certain controls as significant by default. Any controls that fall under these categories should be evaluated:
• controls related to the initiation, recording, processing and reconciling of account balances, classes of transactions, disclosures, and related assertions included in the financial statements
• controls related to the initiation and processing of non-routine and non-systematic transactions
• controls related to the selection and application of accounting policies
• controls related to the prevention, identification, and detection of fraud20

In addition to the controls listed above, the PCAOB has identified in its auditing standard additional controls that warrant attention:
• controls, including information technology general controls, on which other controls are dependent. General controls include:
  – data center operation controls
  – system software controls
  – access security controls
  – application system development and maintenance controls
• controls over significant non-routine and nonsystematic transactions, such as accounts involving judgments and estimates
• company-level controls, including the control environment and controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; to initiate, authorize, record, and process journal entries in the general ledger; and to record recurring and nonrecurring adjustments to the financial statements (for example, consolidating adjustments, report combinations, and reclassifications)21

The Complex World of Information Technology Controls
The requirements and procedures for establishing internal control over information systems are technical and extensive. For detailed guidance, see IT Control Objectives for Sarbanes-Oxley: The Importance of IT in the Design, Implementation, and Sustainability of Internal Control Over Disclosure and Financial Reporting, a recent publication from The Information Systems Audit and Control Association. This publication, which draws upon the CobiT19 framework, provides specific control objectives and control activities that may be considered when designing information technology controls based on the COSO internal control framework. For a copy, visit http://www.isaca.org.

19 "Control Objectives for Information and Related Technology," IT Governance Institute, 2000. Electronic download available here: www.isaca.org/cobit.htm.

20 "Final Rule: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports," U.S. Securities and Exchange Commission, 2003. Electronic copy can be viewed at: http://www.sec.gov/rules/final/33-8238.htm.

21 "Release No. 2004-001: Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements," Public Company Accounting Oversight Board, 2004. Electronic copy can be viewed at: http://www.pcaobus.org/rules/Release-20040308-1g.pdf.


Map Control Activities to Control Objectives

Every control objective that you identified earlier should have one or more corresponding control activities. To ensure that you have not overlooked any objectives or controls, perform a systematic analysis. Examine your master list of control objectives and map the corresponding control activities against them.

For example, if one of your control objectives is, “Invoices are recorded in the appropriate period,” you should determine if you have a control activity in place to meet that objective. One such control activity might be, “Goods shipped at, before, or after the end of an accounting period are examined and reconciled to ensure complete and consistent recording in the appropriate accounting period, including the raising and recording of the related invoices.”

Evaluate Design Effectiveness

With your control activities neatly mapped to your objectives, you should now assess the design effectiveness of your controls. Basically, you (and, soon, your independent auditors) will be seeking evidence that your controls are properly constructed to achieve the related control objectives. In compiling this evidence, make note of the following:

• owner of control: identification of person(s) responsible for executing the control
• description of process flow: detailed explanation of how the control operates
• properly designed? Is the control built correctly? In other words, if the control is used as directed, will it accomplish the objective?
• details of the internal control deficiency: If the control is deemed deficient, what are its specific shortcomings?
• remediation plan: How will the faulty design be corrected?

The specific methods you use to evaluate the design of controls will depend on several factors:

• the types of control activities you are evaluating, including whether manual or programmed
• competence of the individuals who perform the relevant control activities
• the period of intended reliance
• the use of a service organization
• regulatory and governmental requirements

Classify Design Deficiencies

If the efforts outlined above reveal that the design of certain control activities is less than optimal, then you'll need to determine the level of severity of the failure. The internal control design deficiencies will fall into one of three categories: (1) material weaknesses, (2) significant deficiencies, or (3) internal control deficiencies considered to be insignificant or deficiencies for which mitigating controls exist. In general, if the design of the control is insufficient to achieve its related control objective, then this should be considered at least a significant deficiency. (For more information on the classification of material weaknesses and significant deficiencies, see Appendix B.)

Don't Miss Missing Controls

Once the above-listed processes are complete, you will likely have identified control objectives for which no corresponding control activities exist. Document these missing controls and remediate as outlined in the following section.
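The systematic analysis described above (map every control activity to its objectives, evaluate each activity's design, then look for objectives nothing maps to) can be carried out mechanically once the master lists are recorded in a structured form. The following is an added example written for this guide, not code from Deloitte or from any product; the objective and activity records are constructed for illustration, reusing the guide's own invoice-cutoff objective and control and the Figure 3 entries, while the identifiers, the owner of CA-01, and the REV-2, POL-1 and FRD-1 objective wording are assumptions.

```python
"""Map control activities to control objectives and surface the gaps.

Added illustration for the control design phase; the data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ControlObjective:
    objective_id: str
    description: str


@dataclass
class ControlActivity:
    activity_id: str
    description: str
    owner: str                   # person(s) responsible for executing the control
    objective_ids: List[str]     # objectives this activity is meant to achieve
    properly_designed: bool      # if used as directed, will it accomplish the objective?
    design_deficiency: str = ""  # specific shortcomings, if deemed deficient
    remediation_plan: str = ""   # how the faulty design will be corrected


def map_activities(objectives: List[ControlObjective],
                   activities: List[ControlActivity]) -> Dict[str, List[ControlActivity]]:
    """Build objective_id -> activities mapped to it; an empty list is a missing control."""
    coverage: Dict[str, List[ControlActivity]] = {o.objective_id: [] for o in objectives}
    for act in activities:
        for oid in act.objective_ids:
            if oid not in coverage:
                # An activity pointing at an objective absent from the master list is a
                # documentation error; fail loudly rather than silently lose the mapping.
                raise ValueError(f"{act.activity_id} references unknown objective {oid}")
            coverage[oid].append(act)
    return coverage


def missing_controls(coverage: Dict[str, List[ControlActivity]]) -> List[str]:
    """Objectives for which no corresponding control activity exists."""
    return sorted(oid for oid, acts in coverage.items() if not acts)


def unmet_objectives(coverage: Dict[str, List[ControlActivity]]) -> List[str]:
    """Objectives whose mapped activities are all design-deficient (at least a significant deficiency)."""
    return sorted(oid for oid, acts in coverage.items()
                  if acts and not any(a.properly_designed for a in acts))


def unplanned_deficiencies(activities: List[ControlActivity]) -> List[str]:
    """Design-deficient activities that still have no remediation plan recorded."""
    return [a.activity_id for a in activities
            if not a.properly_designed and not a.remediation_plan]


def design_gap_report(objectives: List[ControlObjective],
                      activities: List[ControlActivity]) -> Dict[str, List[str]]:
    """Run the systematic analysis and return the findings a reviewer would document."""
    coverage = map_activities(objectives, activities)
    return {
        "missing_controls": missing_controls(coverage),
        "unmet_objectives": unmet_objectives(coverage),
        "unplanned_deficiencies": unplanned_deficiencies(activities),
    }


def sample_data() -> Tuple[List[ControlObjective], List[ControlActivity]]:
    """Constructed master list of objectives and the activities documented against them."""
    objectives = [
        ControlObjective("REV-1", "Invoices are recorded in the appropriate period."),
        ControlObjective("REV-2", "All goods shipped are invoiced."),  # assumed objective
        ControlObjective("POL-1", "Accounting policies and guidance are current and "
                                  "communicated to subsidiaries."),  # assumed wording
        ControlObjective("FRD-1", "Recorded sales reflect the terms agreed with the customer."),  # assumed
    ]
    activities = [
        ControlActivity("CA-01", "Goods shipped at, before, or after the end of an accounting "
                        "period are examined and reconciled to ensure complete and consistent "
                        "recording in the appropriate accounting period, including the raising "
                        "and recording of the related invoices.",
                        "Revenue Accounting Supervisor", ["REV-1"], True),  # owner assumed
        ControlActivity("CA-02", "Accounting policies and procedures, standard charts of accounts, "
                        "and related guidance are updated annually.", "Corporate Controller",
                        ["POL-1"], False,
                        design_deficiency="Not updated frequently enough; not distributed to subsidiaries.",
                        remediation_plan="Update quarterly and distribute to subsidiaries."),
        ControlActivity("CA-03", "The completeness of key terms in the underlying sales contract "
                        "is confirmed with the signatory of the contract.",
                        "Sales Manager", ["FRD-1"], True),
    ]
    return objectives, activities


if __name__ == "__main__":
    print(design_gap_report(*sample_data()))
```

On the constructed data the report lists REV-2 as a missing control (no activity maps to it), POL-1 as unmet because its only activity is design-deficient, and no unplanned deficiencies because CA-02 already carries a remediation plan; an activity that cites an objective absent from the master list is rejected rather than mapped.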

Develop and Implement Remediation Plan

Your final task in the control design phase is to fix the internal control deficiencies that you have uncovered. This may involve strengthening controls that have “fixable” design weaknesses; overhauling controls with more significant problems; discarding old and implementing new controls when the internal


Internal Control - A Taxing Problem?

In our discussions with hundreds of tax professionals, we've learned that relatively few tax departments have had well-documented controls, and independent auditors have seldom placed heavy reliance on any controls they found. Instead, independent auditors have typically conducted extended substantive testing to evaluate complex tax computations and analyses. Consequently, unlike other departments, tax departments have seldom been put through the rigors of an internal control review. That, of course, has all changed as a result of Sarbanes-Oxley.

Tax-specific controls are crucial because:

• Tax can represent one of the largest line-item expenses on a company's income statement; and taxes paid, tax assets and liabilities, and tax-related disclosures represent material, integral components of a company's statement of cash flows, balance sheet, and footnotes.
• Pressure to meet earnings goals and present steady effective tax rates may tempt individuals within a company to implement overly aggressive tax planning strategies or underestimate the appropriate reserves for its tax contingencies.
• The proper identification and classification of tax assets and liabilities can affect whether a company's ratios satisfy its debt covenants.
• Stories of corporate tax avoidance, tax shelters, and sham transactions continue to appear in the media, and audit committees are demanding a much higher level of understanding of the process each company takes when determining its tax-planning activities.
• In many companies, the likelihood of spotting tax errors outside the tax department is very low, so the importance of tax controls is even more critical to help protect the integrity of the financial statements.

The fundamental steps for ensuring tax function readiness are no different than those for any other internal control process. They include:

• identifying financial reporting and disclosure risks related to significant tax processes (management, reporting, and planning) and tax types (including multi-state, international, and employee benefits taxes), regardless of whether those taxes are included under the tax department's jurisdiction
• identifying relevant control activities
• documenting, evaluating, and testing the design and operating effectiveness of significant tax controls


control design deficiency is too substantial to be repaired through tinkering; and instituting new controls wherever they have been found to be entirely missing.

3.9 Controls in Action (Part II)

The chart that we introduced in section 3.7 (Figure 2) has now been expanded to include control activities as shown in Figure 3. That is, for each control objective listed in the chart, a control activity has been assigned to accomplish that objective. New entries also include the following: owner of control (identification of person(s) responsible for executing the control); properly designed? (is the control built correctly?); details of design deficiency (if not, what are the problems with the control?); and remediation plan (how will the faulty design be corrected?). (Note that the chart is torn off at the top; only new entries are included here.)

3.10 Test the Operating Effectiveness of Controls

All of the work you have performed up to this point leads to the task that many people consider the crux of section 404: testing the operating effectiveness of control activities.


Columns: Control Activity | Owner of Control | Properly Designed? | Details of Design Deficiency | Remediation Plan

Accounting Policies
  Control Activity: Accounting policies and procedures, standard charts of accounts, and related guidance are updated annually.
  Owner of Control: Corporate Controller
  Properly Designed? No
  Details of Design Deficiency: Accounting policies and procedures, standard charts of accounts, and related guidance are not updated frequently enough. In addition, such items are not distributed to subsidiaries.
  Remediation Plan: Update quarterly accounting policies and procedures, standard charts of accounts, and related guidance and distribute to subsidiaries.

Non-Routine Events and Transactions
  Control Activity: Information about all significant non-routine events and transactions is documented for analysis in a timely manner. Management reviews all significant non-routine events and transactions prior to recording.
  Owner of Control: CFO
  Properly Designed? Yes
  Details of Design Deficiency: N/A
  Remediation Plan: N/A

Information Technology
  Control Activity: The identity of users (both local and remote) is authenticated to the system through passwords or other authentication mechanisms. The policies relating to use of passwords require periodic password change, confidentiality requirements and password format (e.g., password length, alphanumeric content).
  Owner of Control: IT Manager
  Properly Designed? Yes
  Details of Design Deficiency: N/A
  Remediation Plan: N/A

Fraud
  Control Activity: The completeness of key terms in the underlying sales contract is confirmed with the signatory of the contract.
  Owner of Control: Sales Manager
  Properly Designed? Yes
  Details of Design Deficiency: N/A
  Remediation Plan: N/A

Figure 3: Controls in Action - Part II

Note: The examples above are intended to be illustrative, not comprehensive. In practice you will have significantly more business processes, accounts, financial assertions, control objectives, risks, and control activities. Additionally, procedures to evaluate and test the design and operating effectiveness of control activities will be more comprehensive and require extensive documentation including reports reviewed, individuals interviewed, number and details of transactions selected, and more.


Plan Tests of Controls

Who should perform these tests? Any number of people may do so, including internal audit, company management, certain outside consultants under the direction of company management or the audit committee, and even the employees responsible for enacting the controls. However, by regulation, your independent auditors are prohibited from performing these tests on behalf of management. That's because at the end of the process, your independent auditors issue their report on the effectiveness of your internal control over financial reporting and whether management's assessment of the effectiveness of internal control over financial reporting is fairly stated. If your independent auditors conducted the tests and then opined on the effectiveness of those tests, they would, essentially, be testing their own work.

What are these tests supposed to accomplish? A couple of things: For one, the tests are designed to ensure that control activities are functioning properly. For another, the tests will support that vital section 404 report — Management's Report on Internal Control Over Financial Reporting.

Your independent auditors are permitted to rely to a certain extent on your testing activities. But your independent auditors will rely on this evidence only if they are assured of the competence (based on experience and training) and objectivity (based on independence from management and lack of day-to-day responsibility for the control activity) of your people who perform the work. The higher the objectivity and competence levels, the more your independent auditors may use your work.

If your company deploys a self-assessment process (a description of self-assessment is provided in section 3.14, Monitor the System of Internal Control), which is a practical method of obtaining timely evidence, particularly in large, multiple-location entities, the amount of testing you conduct will depend on your organizational structure. One approach might be that each person responsible for performing a control also is responsible for self-assessing the performance of the control. In that case, the person would likely have firsthand knowledge as to whether the control was operating. Your independent auditors will not be able to rely on your self-assessment testing when conducting their evaluation and testing procedures, yet the existence of a comprehensive self-assessment process may provide evidence of a strong system of internal control.

Certain testing activities, most notably those involving the control environment, must be conducted solely by the independent auditors without any reliance on testing by other parties.

As you plan your tests of controls, keep these points in mind:

• Inquiry alone is not adequate; extensive testing procedures should be carried out. For example, telephoning the payroll clerk and asking if employee timesheets are reconciled with accrued vacation time is insufficient. The actual written records should be reviewed and the action documented.
• Management should not rely solely on self-assessment procedures. Although employees can be deployed to test controls under a self-assessment process, there should be some independent monitoring of their procedures. That is, the person who performs the control cannot simply verify that the control is operating effectively. There should be some independent evaluation. (This will be discussed in further detail in section 3.14, Monitor the System of Internal Control.)
• If your company uses an outside service provider for certain business functions, you should request from the provider a SAS 70 report, which reports on the effectiveness of internal control at the outside company. Note that this should be a “Type 2” report. (Type 1 reports only address the design of the controls, while Type 2 covers both the operating effectiveness and design.) (To identify service organizations for which this requirement applies, see Identify Service Organizations and Other Extended Relationships, in section 3.5.)

Perform Tests of Controls

Which controls should be tested for operating effectiveness? Simple: the same controls that you selected earlier for evaluating design effectiveness.

Tests of controls are usually performed using the following techniques, often in combination:

Corroborative Inquiry: This procedure, consisting of detailed interviews to obtain evidence about the effectiveness of controls, is performed in tandem with other procedures (e.g., examination of documentary evidence) to corroborate the information derived from the inquiry.

The detailed interviews may include direct and/or indirect inquiries:

• Direct inquiry involves asking questions of the individual who performs the control activity being tested.

Control Limits

Even the best-designed and best-operating controls are not fail-safe. A number of factors can weaken or circumvent internal control, including the following:

• Breakdowns: Even if controls are well-designed, they can break down due to carelessness, distraction, or fatigue. For example, an accounting department supervisor responsible for investigating exceptions might simply forget or fail to pursue the investigation far enough to be able to make appropriate corrections. Temporary personnel executing control duties for vacationing or sick employees might not perform them correctly.
• Management override: A system of internal control can only be as effective as the people who are responsible for its functioning. Even in effectively controlled entities — those with high levels of integrity and control consciousness — a manager might have the ability to override certain control activities.
• Collusion: Individuals acting collectively to perpetrate and conceal an action from detection often can alter financial data or other management information in a manner that cannot be identified by the control system. For example, there may be collusion between an employee performing an important control function and a customer, supplier, or another employee. On a different level, several layers of sales or divisional management might collude in circumventing controls so that reported results meet budget or incentive targets.


• Indirect inquiry involves asking questions of other individuals who do not perform the control activity themselves but are in a position to know whether the control activity is operating effectively.

Observation: Observing the performance of a control activity often provides substantial evidence of its effectiveness. For example, you may test controls over inventory by observing that employees who perform and record the counts follow management's written instructions.

But observation of a control activity in action ordinarily does not, in itself, provide sufficient evidence of the effectiveness of the control activity, mainly because observations may not be representative of the usual performance of a control activity: management and staff may perform their tasks more diligently if they know they are being observed. Consequently, you should perform supplementary procedures, such as inquiries or re-performance, to augment your results.

Examination of Documentation: If performance of a control activity is documented, you can obtain evidence of its performance by examining the documentation, both electronic and written. The level of assurance you can obtain from such evidence will depend on the nature of the control activity. For example, if the performance of the control activity is documented by the initials of the performer, examination of the initials provides little evidence of the effectiveness of the control activity. On the other hand, documentation of reconciliations, including follow-up and resolution of unusual items, may contain information that provides evidence of the effectiveness of the control activity.

Re-Performance: Although re-performance of a control activity sometimes provides evidence of its effectiveness, such evidence is rarely persuasive by itself because the mere absence of errors in the items tested does not provide conclusive evidence that the control activity has historically been performed effectively. This is particularly true of manual control activities.

Re-performance may be effective for testing application controls, because the computer processes transactions systematically. For example, a tester may attempt to enter flawed transactions into a computer application. If the computer application controls cause the faulty transactions to be rejected, you will have evidence that these controls are operating effectively. (Note that you should take precautions with these types of tests to ensure that the tests do not themselves cause misstatements!)

Remember, your testing procedures need to be as thoroughly documented as the test results. Otherwise your independent auditors will be forced to replicate your work rather than relying on it to the greatest extent possible.

Document Test Results

Your evaluation of control activities will likely yield a mixed bag of results — some controls will function as designed; others will not.

If the control is operating effectively, document the successful control test. Success is great, but insufficient. If you deem your controls effective, you should provide documentary evidence. (Remember that you are responsible for obtaining at least the same level of assurance as your independent auditors, so be sure to consult with them early in the process.)

Maintained in a database, spreadsheet, or your permanent files, and available for inspection by your independent auditors, regulatory personnel, and other authorized parties, should be complete descriptions of the following:

• tests performed and evidence obtained
• results of the tests
• conclusion as to the effectiveness of each control tested

If the control is not operating effectively, document the internal control deficiency. In virtually every organization, internal control deficiencies will be uncovered through the testing process. You should now determine the cause and significance of each internal control deficiency you've identified. Start by analyzing the particular circumstances and reasons for the deficiency. Document the details of the individual control deficiencies. Then aggregate and summarize all the deficiencies you've identified.

Classify Internal Control Deficiencies

Next, you should determine whether the internal control deficiency should be classified merely as an “internal control deficiency” or if it is more serious and represents a “significant deficiency” or a “material weakness.” (For additional information on the characteristics of an internal control deficiency, significant deficiency, and material weakness, see Appendix B.)

To determine whether an internal control deficiency is a significant deficiency or a material weakness generally requires substantial analysis and judgment.

Pay Attention to Period-End Financial Reporting Processes

As you identify significant processes, take care to include those that support period-end financial reporting. According to the PCAOB, the period-end financial reporting process is always significant because of its importance both to financial reporting itself, as well as to the independent auditors' opinions on internal control over financial reporting and the financial statements.

The period-end financial reporting process includes (but may not be limited to) the following:

• procedures used to enter transaction totals into the general ledger
• procedures used to initiate, authorize, record, and process journal entries in the general ledger
• other procedures to record recurring and nonrecurring adjustments to the annual and quarterly financial statements, such as consolidating adjustments, report combinations, and classifications
• procedures for drafting annual and quarterly financial statements and related disclosures

Note that timing is critical here: Your company needs to document this process. You and your independent auditors will also need to evaluate and test the related control activities at least for one interim quarterly closing process and the annual year-end closing process.


Further complicating the issue, internal control deficiencies cannot just be considered in isolation; their potential impact on the financial statements should also be considered in the aggregate.

Fundamentally, classification of an internal control deficiency is predicated on the:

• likelihood that an internal control deficiency, or a combination of internal control deficiencies, could result in a misstatement of an account balance or disclosure
• magnitude of the potential misstatement resulting from the internal control deficiency or internal control deficiencies

To assist in classifying internal control deficiencies, use the table shown in Figure 4.

Using the table, first determine whether the likelihood that the internal control deficiency could result in a misstatement of an account balance or disclosure is remote or more than remote. (The Financial Accounting Standards Board defines remote as “the chance of the future event or events occurring is slight.”)[22]

Next, calculate the magnitude of the misstatement that could result in the financial statements because of this internal control deficiency. For example, if the deferred tax calculation was prepared by an individual who lacks knowledge of tax-related accounting matters and if it was not appropriately reviewed and approved by someone who is more experienced than the preparer and has the relevant tax-related knowledge, determine what the possible misstatement could be. In many circumstances, this error could be material and the lack of a control could thus be determined to be a material weakness.

When prioritizing which internal control deficiencies to remediate first, start with material weaknesses, work through significant deficiencies, and finish with the remaining internal control deficiencies where the benefit exceeds the cost and risk of not remediating.

Develop Remediation Plan

Once the internal control deficiencies have been categorized and prioritized, you are ready to develop your internal control remediation plan. As you design the specific internal control remediation process or solution, make sure that the necessary internal control objectives are met and that identified risks are addressed. You should designate a process owner or champion for each plan, develop a remediation timeframe, and provide detailed cost estimates and estimated work effort.

If your plan includes the remediation of material weaknesses and significant deficiencies, ensure that your remediation efforts commence immediately. Otherwise you may not have sufficient time to ensure that the remediated control activity is operating effectively prior to your first internal control audit. And, as you probably now know, a material weakness would preclude your independent auditors from issuing an unqualified opinion on the effectiveness of your internal control over financial reporting.

Implement Remediation Plan

Before putting your remediation plan into action, you'll want to get the proverbial “buy-in” from all the various parties who will be involved in and affected by the project. Be especially diligent about communicating the plan to your independent auditors, top executives, and the audit committee.

As a means of staying on track, it will be important to identify steps and key milestones in achieving resolution within the required timeframes. You'll want to monitor your progress against established milestones, and report progress and issues to the internal control steering committee.

You'll need to perform additional testing once control activities have been updated to be sure that remediation is complete and controls are operating effectively. Check to ensure that documentation has been updated to reflect each resolved internal control deficiency and new control activities.

3.11 Controls in Action (Part III)

The final version of our expanding chart (Figure 5) includes several new rows. The new entries include the following: test of control (what steps will be taken to test the control?); operating effectively? (does the control work as designed?); details of operating deficiency (detailed description of operation flaws); remediation plan (how will the faulty control be fixed?). (Note that the chart is torn off at the top; only new entries are included here.)


Type of Deficiency           Likelihood of Occurrence          Magnitude of Misstatement
Internal control deficiency  Remote                   and/or   Inconsequential
Significant deficiency       More than remote         and      More than inconsequential
Material weakness            More than remote         and      Material

Figure 4

[22] “FAS 5: Accounting for Contingencies,” Financial Accounting Standards Board, 1975.


Columns: Test of Control | Operating Effectively? | Details of Operating Deficiency | Remediation Plan

Accounting Policies
  Test of Control: Because the control was not designed effectively, it cannot operate effectively.
  Operating Effectively? No
  Details of Operating Deficiency: Because the control was not designed effectively, it cannot operate effectively.
  Remediation Plan: Corrected design deficiencies; tested operating effectiveness in the next period.

Non-Routine Events and Transactions
  Test of Control: Member of the project team interviewed the individual that prepared the analysis of significant non-routine events and transactions to understand the steps involved in preparing the report. Member of the project team tested a sample of significant non-routine events and transactions by reviewing documentation that supports the CFO's review. In addition, member of the project team interviewed the CFO to understand the nature of his/her review and steps that were taken to address transactions which do not appear to be valid.
  Operating Effectively? No
  Details of Operating Deficiency: The CFO did not review three of the journal entries selected for review.
  Remediation Plan: Emphasized to the CFO the need to review all journal entries related to estimates; test operating effectiveness in the next period.

Information Technology
  Test of Control: Member of the project team observed that the system is configured to force user authentication in accordance with company policies, the system does not allow blank or simplistic passwords and that the application encrypts passwords when entered into the system. In addition, member of the project team attempted to gain unauthorized access to the system by using different combinations of user IDs and passwords.
  Operating Effectively? Yes
  Details of Operating Deficiency: N/A
  Remediation Plan: N/A

Fraud
  Test of Control: Member of the project team understood and documented the policies and procedures related to the confirmation of key terms in the sales contract. Member of the project team interviewed individuals who prepare the confirmations to understand the steps involved in preparing and mailing the confirmations, the reports or other information used, any exceptions or unusual items noted, disposition of exceptions identified, and any instances where the control activity operated in a way contrary to their understanding of how it should operate. Member of the project team tested a sample of contracts to ensure that the selections made by the company were in accordance with their policies and procedures. In addition, member of the project team reviewed a selection of responses received from the signatory to ensure appropriate treatment.
  Operating Effectively? Yes
  Details of Operating Deficiency: N/A
  Remediation Plan: N/A

Figure 5: Controls in Action - Part III

Note: The examples above are intended to be illustrative, not comprehensive. In practice you will have significantly more business processes, accounts, financial assertions, control objectives, risks, and control activities. Additionally, procedures to evaluate and test the design and operating effectiveness of control activities will be more comprehensive and require extensive documentation including reports reviewed, individuals interviewed, number and details of transactions selected, and more.


3.12 Create an Effective Control Environment

The control environment represents a unique component of your system of internal control. Composed of hard-to-measure elements such as tone at the top, ethical values, integrity, philosophy, and operating style, the control environment demands a unique approach to evaluating, testing, remediating, and monitoring.

Evaluate the Design Effectiveness of the Control Environment

To establish an effective control environment, each of the control environment objectives you developed earlier (section 3.6, Establish Objectives and Identify Risks) should be associated with properly designed activities. Start by identifying and documenting activities currently in place that support the achievement of the control environment objectives.

Sample activities for various control environment objectives are included in Figure 6. (See Appendix C for an expanded list of objectives and activities.)

Test the Operating Effectiveness of the Control Environment

How shipshape is your control environment? You won't know until you test it!

The unique characteristics of the control environment call for testing activities that can differ markedly from those of other components of internal control. Several testing approaches are possible, including the following:

Interviews: Identify employees to interview at corporate and business units of the company. This list should include individuals from management, operations, finance, ethics and compliance, internal audit, and HR management. Focus your interviews on assessing the control activities that address the control objectives within the control environment.

Cultural Assessment: The operating effectiveness of many of the control environment activities can be ascertained relatively quickly through a cultural assessment, which is a comprehensive analysis of the elements that make up the control environment. Your objectives should be:

• to test the operating effectiveness of the activities supporting the control environment objectives
• to understand whether your corporate compliance and ethics program is effective

Some planning work is required prior to conducting the assessment. You should:

• define the use of surveys and self-assessments
• integrate the use of the survey into the everyday responsibilities of the individuals who are asked to complete it
• set parameters for ongoing and final documentation
• identify document reviewers
• determine a process for handling the results of the assessment
• identify control environments to assess


Objective | Sample Activity

Integrity and ethical values: Management maintains a code of conduct and other policies regarding acceptable business practices, conflicts of interest, and expected standards of ethical behavior.

Commitment to competence: Formal job descriptions are in place that consider the degree to which individuals must exercise judgment and are subject to supervision.

Board of directors / audit committee: A process exists for the audit committee to be informed promptly and anonymously, when appropriate, of significant issues.

Management's philosophy and operating style: Management adopts accounting policies that best reflect the economic realities of the business.

Organizational structure: Management periodically evaluates the entity's organizational structure and makes changes as necessary based upon changes in the business or industry.

Assignment of authority and responsibility: Management determines and clearly communicates the responsibilities and expectations of the finance and accounting departments.

Human resource policies and procedures: Management establishes and enforces standards for hiring the most qualified individuals, with emphasis on educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behavior.

Figure 6


Regarding the final bullet, your company may have multiple control environments that should be assessed, including extended geographies (especially for multinational organizations) and business units.

Sample Control Environment Survey: In Figure 7 there are sample questions from a survey that Deloitte provides to its clients to help them evaluate the design and test the operating effectiveness of their control environment.

Regardless of your methodology, your control environment assessment should measure the following:
• employee awareness and perceived effectiveness of the company's system of internal control
• success at fostering an ethical culture and developing a sustainable control environment
• internal best practices for improving the control environment and ethical culture
• employee awareness and perceived effectiveness of the company's ethics and compliance program

The results of the interviews and surveys should be combined with other documentary evidence (e.g., reading of existing ethics and compliance policies and procedures). A summary of the assessment, along with preliminary conclusions and expected remediation actions, should be documented. To facilitate this process, consider using the Control Environment Assessment Template found in Appendix C.

Remediate the Control Environment

Once you have evaluated the design and tested the operating effectiveness of your control environment, you should set about correcting any problems that you've uncovered.

Prioritize Identified Deficiencies
Moving through each identified internal control deficiency, determine whether it is a design deficiency or an operating deficiency.

For example, an employee's failure to abide by the company code of ethics may be attributable to various factors, such as:
• the code is not distributed to all employees (design deficiency)
• the employee neglected to read the existing code of ethics (operating deficiency)
• the employee did not use components of the ethics program (such as the whistleblower hotline) because the employee feared retaliation (operating deficiency)

Once you have categorized internal control deficiencies in this manner, you should prioritize the deficiencies based on the perceived level of risk to the company. In most cases, that risk level will be high. The PCAOB has indicated that an ineffective control environment “should be regarded as at least a significant deficiency and as a strong indicator that a material weakness in internal control over financial reporting exists.”23

Develop Remediation Plan
Depending on the flaws uncovered in the control environment, remediation may be manual (e.g., a policy, procedure, communication, monitoring, or cultural change) or system-related (e.g., system modification, reporting). For each internal control deficiency noted, management should identify the following:
• business units and locations responsible
• priority (high, medium, low)
• responsible party
• remediation plan
• key milestones (including timeframe and estimated work effort)

23 “Release No. 2004-001: Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements,” Public Company Accounting Oversight Board, 2004. Electronic copy can be viewed at: http://www.pcaobus.org/rules/Release-20040308-1g.pdf.

Figure 7: Sample Control Environment Survey

Obtain Agreement From All Parties
Next you should ensure that members of the steering committee, executive management, finance function, ethics and compliance, internal audit, and communications are in agreement with all aspects of the remediation plan. Share the plan (and the assessment) with your independent auditors and the audit committee.

Implement Remediation Plan
Depending on the nature of the internal control deficiencies uncovered, remedial steps may include the following:
• Leadership: Set the “tone at the top”; ensure consistency of support, visibility, and message; reduce conflicting views at senior levels.
• Communications: Communicate the importance of internal control; reinforce the company's code of ethics; increase awareness; establish multiple channels for open, two-way communication, including anonymous reporting mechanisms.
• Training: Ensure employees understand the impact and importance of Sarbanes-Oxley and internal control; develop appropriate skills for compliance; educate employees on new policies or processes; conduct training and awareness programs.
• Organizational governance: Refine roles and responsibilities of the board of directors, leadership, and key business functions; ensure the governance model maintains necessary controls.
• Metrics development: Work with the business to define measures of compliance and improvement.
• Personnel: Create new positions; modify existing roles and responsibilities; or remove existing personnel from their position, as required.
• Follow-up: Report to management and the audit committee the steps taken to correct the control deficiencies.

Clearly, a deficient control environment is not something that can be transformed overnight. Although the steps outlined in this section cover only a few pages, your activities may in fact span several months.

3.13 Communicate Information

In this age of razor-thin margins, hypercompetition, and aggressive regulation, information and communication takes on heightened importance. The manner in which your company receives, analyzes, and disseminates information not only has a bottom-line impact, but also represents a key element of an effective system of internal control. According to COSO, “… having the right information, on time, at the right place is essential to effecting control …”.

Financial information serves external needs: Investors, analysts, and regulators judge you by it. Yet it also serves an important internal purpose: It tells you how the company is doing; helps you make decisions; and aids in budgeting, evaluating, and planning.

Information and Communication: A Primer

Information and communication, as it relates to internal control over financial reporting, is simply identifying, capturing, and communicating information relevant to the preparation of reliable financial statements and the maintenance of internal control.

Wanted: Code of Ethics
A comprehensive code of ethics is considered obligatory when it comes to creating a strong control environment. As you develop your code, consider the following suggestions:
• Keep language simple and concise. Avoid jargon and legalese.
• Don't write in a "thou shalt not" format, but rather state expected behaviors.
• Apply the code evenly to all employees and board members across divisions and geographies. (Some companies take this a step further and apply their code to all stakeholders, including vendors and suppliers.)
• Convene a team that draws from a cross-section of departments, titles, and locations.
• Revise and update the code as needed to reflect business changes, regulatory changes, etc.
• Simply having a good code is not enough; you need to make sure people actually understand it, comply with it, and are not afraid to use it.

A code of ethics should include the following:
• an introductory letter from management that sets the tone at the top and defines the importance of ethics and compliance to each employee and the company
• the company's mission statement, vision, values, and/or guiding principles, which should reflect the company's commitment to ethics, integrity and quality
• guidance to assist employees in making sound choices
• a listing of resources for obtaining guidance and for reporting of suspected misconduct:
  - anonymous reporting mechanism; employee help-line; whistleblower line
  - ethics and compliance officer/office
  - reporting chain of command (e.g., supervisor, department head)
  - ethics and compliance Intranet site
• enforcement and implementation mechanisms (e.g., unethical behavior will be subject to disciplinary action, which includes termination)
• examples of acceptable and unacceptable behavior

But effective information and communication goes beyond simply generating reports; embedded in the system should be a process for identifying and responding to the changing information and needs. Effective communication also should occur in a broader sense, flowing vertically and horizontally through the organization.

As you take a preliminary look at the state of your information and communication, consider these questions:
• How do you ensure version control on documents so that an older version is not released to the public?
• How long is the closing process for your organization, and will it allow you to meet the SEC's accelerated filing requirements? (See Appendix G for relevant dates.)
• Is there adequate time for evaluation and review of the information before it is released to the public?
• How will the shortening of public filing requirements affect your organization's ability to process information accurately?
• How will the new Form 8-K requirements (filing of significant events within four days) affect your company? A number of items now need to be disclosed, including entry into a material non-ordinary course agreement; termination of a material non-ordinary course agreement; creation of a material direct financial obligation or a material obligation under an off-balance sheet arrangement; notice of delisting or failure to satisfy a continued listing rule or standard; and more.
• Are there specific people who have the authority to disclose information to the public?

Information
Information forms the backbone of your company. Without it, you simply can't compete. Information is identified, captured, processed, and reported by information systems.

Information systems can be:
• computerized, manual, or a combination
• external, including market- or industry-specific economic data that signal changes in demand for the company's products and services; or data on goods and services the entity needs for its production process
• tailored, wherein special actions are undertaken to obtain information (e.g., questionnaires, interviews, or targeted focus groups)
• formal, delivered through periodic reports, briefings, and data
• informal, obtained through conversations with customers, suppliers, regulators, and employees, or through attendance at professional seminars

Communication
Communication can be divided into two subsets: external (i.e., the face you show to the world), and internal (i.e., your in-house means of distributing information).

Effective external communication should:
• provide external parties with an understanding of the company's policies and standards
• provide feedback to external parties as to whether internal control is effective
• enable the organization to communicate with its shareholders

In relation to internal control over financial reporting, effective internal communication should include a clear message from management that internal control responsibilities (including proper communication) are important. Up, down, and laterally, internal communication should flow unimpeded. Certain communications should not only be encouraged, but formalized. For example, there should be regular, direct communication between management and the audit committee.

Sarbanes-Oxley is also clear in its requirement that “whistleblower” provisions must be adopted. Under the law, employees must have the ability to make anonymous reports, and there can be no reprisals for communicating information that may cast the company in a negative light.

Many means of communication are available to your company, and most should be utilized in some form to provide employees with multiple options:
• policy manuals
• memoranda
• email
• voice mail
• bulletin board notices
• video messages
• group meetings

Evaluate the Design Effectiveness of Information and Communication Practices
As with other aspects of internal control, you should gain an understanding of your current state of control over information and communication before you evaluate, test, and remediate. Be aware that every company is a unique entity whose characteristics have been formed by a variety of factors, including size, industry, geography, competition, leadership, and more. Thus, what works in a Fortune 500 company may be wholly inappropriate for a small, niche company.

As part of the process, the project team should evaluate the activities that your company currently has in place to address the information and communication objectives you established earlier. From a design perspective, you need to ascertain whether the activity addresses the objective. For example, to determine whether your company communicates effectively with employees regarding their responsibilities related to internal control, look for the following activities:
• New employees who are responsible for controls that affect financial reporting receive training on the company's overall internal control processes and their specific evaluation and reporting responsibilities.
• The CFO meets at least annually with corporate controllers to discuss their role in meeting the company's objectives related to financial reporting.
• Policies, organizational charts, and operating instructions are documented and distributed to employees.

To determine whether your company's financial reporting and related application and information systems are reliable, seek evidence of the following activities:
• Procedures are in place to provide assurance that relevant information is identified, captured, processed, and reported by information systems.
• Management adequately staffs IT departments and designs the IT department to support the entity's overall business objectives.

Refer to Appendix D for a list of sample activities that address critical objectives in the information and communication component of COSO.


Test the Operating Effectiveness of Information and Communication Practices

Evidence that controls over information and communication are operating effectively may be obtained through various means:
• interviews
• self-assessment
• surveys
• inquiry
• observation
• inspection
• service organization reports

Here are a few examples of how to test the operating effectiveness of activities to address the critical information and communication objectives:
• To test the effectiveness of training programs to educate new employees who are responsible for controls that affect the financials, have a member of the project team observe a training session. This individual could also read training records to corroborate that all new employees who are responsible for controls that affect financial reporting have attended the training.
• To test the effectiveness of management's staffing of the IT department, send a survey to all IT employees asking them to rate the importance of accurate financial reporting and the department's ability to support the process of identifying, capturing, and processing financial information reported by its financial systems.
• To test the effectiveness of the company's whistleblower process, read incoming reports and the resolution of issues identified. Read presentations of information reported to the audit committee for accuracy and timeliness. Interview company employees to determine whether they are aware of the whistleblower process and whether they would use it.

Classify Design and Operating Deficiencies and Remediate

After the project team has evaluated the design and tested the operating effectiveness of the company's information and communication practices, a process of prioritizing the internal control deficiencies should be conducted in a manner similar to other COSO components.

For each internal control deficiency noted, develop a remediation plan and identify the following:
• priority (high, medium, low)
• business units and locations responsible
• responsible party/function
• recommended remediation
• implementation timeframe
• estimated work effort

Communicate and obtain agreement with all parties (executive management, IT, finance function, internal audit) on the remediation plan, responsible parties, and timeframes for implementation. Remember, if the internal control deficiency is deemed a material weakness, it is imperative that the project team focus all of its efforts on remediating it prior to the company's assessment date and the independent auditors' internal control audit. Otherwise, it is likely that the company will receive an adverse opinion on the effectiveness of internal control over financial reporting.

3.14 Monitor the System of Internal Control

Sarbanes-Oxley requires an ongoing assessment of internal control to support your annual report on internal control. To accomplish this, you should design and deploy a process that recognizes changes in your business that impact internal control over financial reporting and each of the five components of COSO: control environment, risk assessment, control activities, information and communication, and monitoring.

Monitoring: A Primer

Monitoring essentially consists of internal control testing activities conducted over an extended timeframe. Monitoring ensures that all components of internal control operate effectively over the long haul, and makes certain that your controls keep up with the evolution of your company.

Monitoring activities can be broken into two broad categories: ongoing monitoring and separate evaluations.

Ongoing monitoring: Ongoing monitoring activities are built into the normal, recurring operating procedures of your organization. Here's an example:

Assume that, quarterly and annually, the tax manager is responsible for reviewing the deferred tax calculation and approving the journal entries to record the provision. In so doing, the tax manager has performed a control activity.

This control activity can then be integrated into a self-assessment process, wherein the tax manager's review and approval would also incorporate an evaluation of compliance with this control (i.e., was the review performed as required). This self-assessment monitoring would include, among other things, testing the effectiveness of the control and the documentation that was prepared.

In turn, this monitoring activity could be periodically validated by internal audit or another independent function.

Examples of ongoing activities include:
• routine self-assessments
• regular management and supervisory activities
• comparisons
• reconciliations
• inventory counts
• internal audit activities
• other routine actions

Separate evaluations: Separate evaluations generally take place within a limited, specified timeframe, as opposed to ongoing monitoring, which takes place continuously.

Examples of separate evaluations include:
• specific review of the controls around a process or transaction, such as “purchasing” or a significant capital expenditure
• testing a newly designed system or application
• assessment of the internal control of a business acquisition

Ongoing monitoring holds certain advantages over separate evaluations. Because it takes place in “real time,” ongoing monitoring represents a proactive, rather than reactive, approach to monitoring. This allows your company to respond more rapidly to changing conditions and to detect and remediate deficiencies before they cause significant damage.

The more extensive and effective your ongoing monitoring program, the less need you will have for separate evaluations. Nonetheless, any effective monitoring system will include both types of monitoring procedures.

Also, depending on who is doing the monitoring, it may be necessary to have internal audit review the work as well.


Identify Monitoring Roles and Responsibilities

Just as with evaluating, testing, and remediating controls, monitoring can be carried out by a number of people. Divisional heads and other managers have monitoring responsibilities through continuous oversight and review. If your company has an internal audit function, it should be engaged in separate evaluations through its review activities. And internal audit itself should be evaluated periodically. The Institute of Internal Auditors recently mandated that its members undergo external quality assurance reviews every five years.

And some of the burden can be carried by employees themselves. Testing and monitoring activities can be integrated into the day-to-day job descriptions of individuals responsible for internal control. Making these activities part of the daily routine provides multiple benefits, including raising cultural awareness (control environment) of the importance of internal control; improving the likelihood of long-term sustainability; reducing the overall cost of compliance; and enhancing the deployment of company resources. Refer to Appendix E for a list of sample activities that address critical objectives in the monitoring component of COSO.

Leverage Technology for Monitoring

Monitoring can also be enhanced through the use of technology. For example, manual controls can be replaced with automated controls that are less prone to error or manipulation. And, of course, technology solutions are less susceptible or even impervious to fatigue, distraction, absenteeism, and associated problems.

3.15 Report on the Effectiveness of Controls

Ending with the End in Mind

If you started “with the end in mind,” as we recommended at the beginning of this document, you are now nearing that “end” that you had in mind. It's time to prepare your internal control report.

Compile and summarize the results of your monitoring activities. If you diligently carried out the evaluation, testing, and remediation phases described earlier, then you will likely reach an inescapable conclusion: “Management believes that the company maintains effective internal control over financial reporting.”

From here, your independent auditors will finalize their procedures on your controls (not just control activities, but all components of the COSO internal control framework). All of the documentation of your internal control activities that you've been assiduously compiling throughout this process should be provided to the independent auditors. Be prepared to work closely with the audit team as it works through its evaluation and testing procedures. This process will substantially differ from a financial statement audit, since it will address all five components of COSO.

Once the audit is complete, your independent auditors will issue their report. And hopefully, your efforts will come to an end and you will receive an unqualified opinion on management's assessment of internal control over financial reporting and on the effectiveness of your company's internal control over financial reporting.

Ticking Clock?
The clock is ticking. Deadlines are quickly approaching. Whether you are an early filer or a late filer, you can't afford any delay in addressing this situation.

Your company's accounting calendar will determine how much time you have left for compliance. Many companies will be required to file their initial internal control report with their first annual report on Form 10-K on or after November 15, 2004.

Accelerated 10-K and 10-Q filing schedules will exacerbate the situation. Not only does Sarbanes-Oxley impose new reporting requirements on your company, but the SEC's accelerated filing schedules for forms 10-Q and 10-K mean you will be working under a compressed timeframe. More work plus less time will equal administrative headaches for the ill-prepared.

For accelerated filers, the new 10-Q and 10-K deadlines will be phased in over three fiscal years.

To view the full text of the accelerated filing requirements, visit the SEC web site at http://www.sec.gov/rules/final/33-8128.htm.

Fiscal Years Ending On or After | Form 10-K Deadline | Form 10-Q Deadline
December 15, 2003 | 75 days after fiscal year end | 45 days after fiscal quarter end
December 15, 2004 | 60 days after fiscal year end | 40 days after fiscal quarter end
December 15, 2005 | 60 days after fiscal year end | 35 days after fiscal quarter end


Appendix A

What is Internal Control Over Financial Reporting?

In the SEC's Final Rule on Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, the SEC has defined internal control over financial reporting as "a process designed by, or under the supervision of, the registrant's principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:

(1) Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant;

(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant; and

(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant's assets that could have a material effect on the financial statements."24

Appendix B

Defining Deficiencies and Weaknesses

One of the most detailed and technical areas of internal control concerns the classification of internal control deficiencies. Getting it right is critical. Confer with your independent auditors.

The PCAOB offers the following definitions:25

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective is not always met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.

A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the company's ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the company's annual or interim financial statements that is more than inconsequential will not be prevented or detected.

Part Four: Appendix

24 “Final Rule: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports,” U.S. Securities and Exchange Commission, 2003. Electronic copy can be viewed at: http://www.sec.gov/rules/final/33-8238.htm.

25 “Release No. 2004-001: Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements,” Public Company Accounting Oversight Board, 2004. Electronic copy can be viewed at: http://www.pcaobus.org/rules/Release-20040308-1g.pdf.


A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.

Note that management is not permitted to conclude that the company's internal control over financial reporting is effective if there are one or more material weaknesses in the company's internal control over financial reporting. As demonstrated by the chart below, the severity of the deficiency increases in direct proportion to increases in the likelihood and the magnitude of a financial misstatement.

Appendix C

Sample Control Environment Objectives and Activities

Sample Objective: Through its Attitudes and Actions, Management Demonstrates Character, Integrity, and Ethical Values

Sample Activities:
• Management maintains a code of conduct and other policies regarding acceptable business practices, conflicts of interest, and expected standards of ethical behavior.
• Employees are aware of and understand the policies regarding acceptable behavior and what to do when they encounter improper behavior.
• The importance of high ethics and controls is discussed with newly hired employees through orientations or interviews.
• Management follows ethical guidelines in dealing with employees, suppliers, investors, creditors, insurers, competitors, and auditors.
• Management removes or reduces incentives or temptations that might cause personnel to engage in dishonest or unethical acts.
• Rewards, such as bonuses and stock ownership, foster an appropriate ethical tone (e.g., bonuses are not granted to those who circumvent established policies, procedures, or controls).
• When management becomes aware of departures from policies and procedures, they respond to such violations in an appropriate and timely manner.
• Any changes to established relationships with external parties (e.g., attorneys, auditors, bankers) are approved by an appropriate level of management.
• Relationships with professional third parties are periodically reviewed to establish that the entity maintains associations only with reputable third parties.

Sample Objective: The Company is Committed to Competence

Sample Activities:
• Company personnel have the competence and training necessary for their assigned duties.
• Personnel are cross-trained to understand other functions and the impact of their specific duties on other areas of the company.
• Management possesses broad functional experience (e.g., management comes from several functional areas rather than just a few, such as production and sales).
• Management consults with professionals, internal and external, in addressing significant matters relating to internal control, accounting, and financial reporting issues.

Chart: Classification of Internal Control Deficiencies (referenced in Appendix B)

Vertical axis: Likelihood (Remote / More than Remote). Horizontal axis: Magnitude (Impact) (Inconsequential / Material). As likelihood and magnitude increase, the classification moves from control deficiency to significant deficiency (more than a remote likelihood of a misstatement that is more than inconsequential) to material weakness (more than a remote likelihood of a material misstatement).

Control Deficiency: reportable in writing to management by independent auditors.
Significant Deficiency: reportable in writing to management and the audit committee by independent auditors.
Material Weakness: reportable in writing to management and the audit committee by independent auditors.

Source: The Proposed Auditing Standard: An Audit of Internal Control Over Financial Reporting Performed In Conjunction With An Audit of Financial Statements


• Management provides personnel with access to training programs on new accounting and financial reporting issues relevant to the company.
• Formal job descriptions are in place that consider the degree to which individuals must exercise judgment and are subject to supervision.
• When an error or deficiency is detected, the cause is evaluated, and appropriate remedial actions, including training, reassignment, additional resources, or appropriate consultation, are taken on a timely basis.
• When significant changes in the business occur, the company considers the competence of the accounting and financial reporting personnel to appropriately address new issues resulting from the changes.

Sample Objective: The Audit Committee and/or the Board of Directors are Actively Involved and Have Significant Influence Over the Company’s Internal Control Over Financial Reporting

Sample Activities:
• The audit committee's responsibilities are clearly articulated (e.g., in an audit committee charter), and management and the audit committee understand those responsibilities.
• The audit committee meets directly with key members of financial management, including the chief financial officer and chief accounting officer, on a periodic basis.
• The audit committee raises challenging questions with management, including questions that indicate an understanding of critical accounting policies and judgmental accounting estimates.
• The audit committee constructively challenges management's decisions, major transactions, and explanations of past results.
• The audit committee members demonstrate a willingness to call unscheduled meetings when necessary to address significant financial reporting issues.
• The audit committee members have sufficient knowledge of accounting and regulatory requirements, industry experience, and the company's business operations.
• The audit committee is independent of management and meets privately with the internal and independent auditors to discuss and challenge the reasonableness of the financial reporting and internal control process and systems.
• The audit committee reviews and approves the scope of activities of the internal and independent auditors.
• The audit committee is responsive to issues raised by the independent auditors.
• The audit committee regularly receives information from management related to key developments that may impact financial reporting.
• A process exists for the audit committee to be informed promptly and anonymously, when appropriate, of significant issues.
• The audit committee (or other committee) reviews and approves all compensation programs and considers the risks associated with various types of compensation programs (e.g., incentive-based programs may motivate management to manipulate short-term results).
• The audit committee (or other committee) specifically addresses management's adherence to the company's established code of conduct.
• The audit committee issues directives to management detailing specific actions to be taken as a result of its findings and follows up on all directives to determine that they have been properly addressed.
• The performance and effectiveness of the audit committee is periodically evaluated.

Company Documentation (template columns):
• Objective
• Describe activities, programs, or controls in place that are intended to satisfy the objective
• Properly designed?
• Describe evidence of the effectiveness of controls
• Conclusion on the operating effectiveness
• Deficiencies noted
• Changes made during the period
• Planned changes, if any
• Sign off

(Re-use this template for subsequent sections.)


Sample Objective: Management’s Philosophy and Operating Style are Consistent with a Sound Control Environment

Sample Activities:
• Management analyzes the risks and potential benefits of ventures.
• Turnover in management or supervisory personnel is monitored and the reasons for significant turnover are evaluated.
• Management regards the accounting function as a means for monitoring and exercising control over the entity's various activities.
• The central accounting and financial reporting functions have appropriate authority over decentralized accounting personnel.
• Senior management maintains contact with and consistently emphasizes appropriate behavior to subsidiary or divisional operations.
• The responsibilities and expectations for the entity's business activities and the entity's philosophy about identification and acceptance of business risk are clearly communicated to the executives in charge of those functions.
• Management exemplifies attitudes and actions reflecting a sound control environment and commitment to ethical values.
• When improper practices are reported to management, they are communicated to all appropriate parties and addressed in a thorough and timely manner.
• Management openly encourages and acknowledges the practices of employees or departments that promote a sound control environment and ethical behavior, even when the practice may be controversial.
• Management adopts accounting policies that best reflect the economic realities of the business.

Sample Objective: The Organizational Structure of the Entity is Appropriately Designed to Promote a Sound Control Environment

Sample Activities:
• The entity has defined key areas of authority and responsibility.
• The entity establishes appropriate lines of reporting, giving consideration to its size and the nature of its activities.
• The structure of the entity facilitates the flow of information across all business activities.
• Executives clearly understand their responsibility for business activities and how those business activities affect the entity as a whole.
• Reporting relationships are established to facilitate the flow of information to appropriate people in a timely manner.
• Management periodically evaluates the entity's organizational structure and makes changes as necessary based upon changes in the entity's business or industry.
• The organizational structure is not overly complex and does not include numerous or unusual legal entities.
• The business purpose of separate legal entities is evident and reasonable.
• Incompatible activities are segregated (e.g., separation of accounting for and access to assets).
• The entity has established procedures to identify related parties.
• Individuals with no apparent ownership interest in or executive position with the entity do not exercise substantial influence over the entity's affairs.

Sample Objective: The Entity Assigns Authority and Responsibility

Sample Activities:
• Employees throughout the entity are assigned authority and responsibility related to their specific job functions.
• Job descriptions contain specific references to control-related responsibilities.
• Employees are empowered, when appropriate, to correct problems or implement improvements.
• There is a structure for assigning ownership of information, including who is authorized to initiate or change transactions.
• There are policies and procedures for authorization and approval of transactions.
• Management determines and clearly communicates the responsibilities and expectations of the finance and accounting departments.

Sample Objective: Human Resource Policies and Procedures

Sample Activities:
• Management establishes and enforces standards for hiring the most qualified individuals, with emphasis on educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behavior.
• Recruiting practices that include formal, in-depth employment interviews and informative, insightful presentations on the entity's history, culture, and operating style demonstrate the entity's commitment to its employees and its attitude toward a sound control environment.
• Training policies communicate prospective roles and responsibilities and illustrate expected levels of performance and behavior.
• Rotation of personnel and promotions that are driven by periodic performance appraisals demonstrate the entity's commitment to the advancement of qualified personnel to higher levels of responsibility.
• Disciplinary actions send a message that violations of expected behavior will not be tolerated.
• An ongoing education process enables people to deal effectively with evolving business environments.


Appendix D

Sample Information and Communication Objectives and Activities

Sample Objective: Financial Reporting and Related Application and Information Systems are Reliable

Sample Activities:
• Management has a strategic plan for information systems that is linked to the entity's overall strategies. The objectives of the IT plan include the preparation of high-quality financial reports for external use and consideration of the accounting department's needs.
• Procedures are in place to provide assurance that relevant information is identified, captured, processed, and reported by information systems in an appropriate and timely fashion.
• Control activities are in place to ensure the accuracy and integrity of data forming the basis for reports.
• Management adequately staffs the IT department and designs the IT department to support the entity's overall business objectives.
• Management monitors user satisfaction with information provided (e.g., management monitors the frequency and nature of requests to change information).

Sample Objective: Appropriate and Necessary Information is Obtained from, and Provided to, Management

Sample Activities:
• Management monitors relevant external information.
• Internal information regarding financial results is generated by the entity's financial information systems and that information is reported regularly.
• Entity-wide operating results are reviewed and compared against budgets at regular intervals.
• The adequacy of the information technology structure is considered by senior management.
• There is a process for decentralized operations or departments to request changes to reports either generated by the accounting function or automatically generated by the system.
• If a number of requests are received to change reports, the reasons for such requests are examined and the reports are changed as determined necessary.
• Managers and personnel at various levels are interviewed or surveyed to determine the information that is needed or desired throughout the organization.
• Management monitors the reasons that personnel create ad hoc reports.

Sample Objective: Information is Gathered from and Disseminated to the Appropriate People on a Timely Basis

Sample Activities:
• Managers receive analytical information so they can identify necessary actions to be taken.
• Financial controllers meet periodically with line management to discuss operational results.
• Information is provided in sufficient detail, varying for the different levels of management.
• Financial controllers receive an appropriate amount of detailed information when reviewing financial results.
• Information is provided in a timely enough manner to allow for effective monitoring.
• There are established and agreed upon deadlines for period-end reporting and the deadlines allow for an appropriate review by senior officers and management.
• Information provided is relevant and accurate.

Sample Objective: There is a Timely Process for Identifying and Responding to the Changing Information and Communication Needs

Sample Activities:
• There is a mechanism for identifying emerging information needs.
• The entity has a process to address information needs arising from new accounting standards.
• Management devotes substantial time to the consideration of information systems needs for the accounting and controlling functions.
• Management understands the information systems needs as they relate to financial reporting.
• The entity-level resources devoted to information systems for financial reporting are appropriate in relation to resources devoted to other areas of the entity.
• Management establishes indicators to assess the appropriateness of the financial information systems.

Sample Objective: The Entity Effectively Communicates the Employees’ Responsibilities Related to Internal Control

Sample Activities:
• Management communicates authorities across the organization.
• Management uses training, meetings, or on-the-job supervision to communicate financial reporting and internal control matters.


• New employees in the corporate accounting department are required to attend training regarding their role in the internal control structure and how it affects others.
• Employees know the objectives of the company as related to financial reporting and how their activities affect those objectives.
• The CFO or person in a similar position meets with corporate controllers, at least annually, to discuss their role in meeting the company's objectives related to financial reporting.
• Policies, organization charts, and operating instructions are documented and distributed to employees.
• Employees know how their activities interact with the duties of other employees.
• Employees responsible for financial reporting at the entity-level periodically discuss the company's objectives and each person's role in meeting those objectives.

Sample Objective: A "Whistleblowing" Program Has Been Established, and Management’s Reaction is Monitored as it Relates to Financial Reporting

Sample Activities:
• There is a means for employees to communicate upstream, anonymously if so desired, other than through a direct supervisor.
• There is a means for third parties to communicate financial reporting issues, anonymously if so desired.
• The communication channels established by management or the audit committee have been used in the past.
• Problems have been reported and resolved appropriately in the past.
• Reported problems are investigated in a timely manner and disciplinary actions are taken when necessary.
• All financial reporting improprieties are communicated to the audit committee.
• Positive feedback is provided to employees that report suspected problems.
• Management does not impose retribution on employees that report improprieties.
• There are realistic mechanisms in place for employees to provide recommendations.
• Management positively recognizes personnel who take an ethical stance.

Sample Objective: Management’s Communication Across and Outside the Company Reflects an Attitude Toward Sound Internal Control

Sample Activities:
• There is communication throughout the organization about the company's entity-wide objectives regarding financial reporting.
• The CFO or a person in a similar position meets regularly with divisional management to communicate expectations regarding financial reporting objectives for the company as a whole.
• Management communicates to personnel and other parties that a sound system of internal control is a priority of the company.

Appendix E

Sample Monitoring Objectives and Activities

Sample Objective: Internal Audit’s Scope, Responsibilities, and Audit Plans are Appropriate for the Company

Sample Activities:
• The scope of internal audit's activities is reviewed in advance with management, the audit committee, and the independent auditors.
• Internal audit has appropriate levels of staff to execute their plans.
• Internal audit has the authority to review any aspect of the entity's operations.
• The audit plan is responsive to the entity's risk assessment.
• The internal audit personnel are experienced and competent.
• Monitoring controls are reviewed to ensure that they are being applied as expected.

Sample Objective: Internal Audit Adheres to Professional Standards, Such as Those Issued by The Institute of Internal Auditors

Sample Activities:
• Internal audit is independent of the activities that they audit.
• Internal audit has direct access to the audit committee and the board of directors.
• Internal auditors are prohibited from having an operating role in the activities that they monitor.
• Internal audit is evaluated by an external party.
• There is a defined reporting process for progress and results.


Sample Objective: The Entity is Responsive to Internal and External Recommendations

Sample Activities:
• Executives with proper authority decide which of the internal and independent auditors' recommendations will be implemented.
• Management takes appropriate action on exceptions to policies and procedures.
• Action plans are implemented and there is follow-up to verify implementation.
• Management is required to respond, on a timely basis, to the internal audit department's findings and recommendations, or questions on financial results and variances from budget. Responses to internal or external audit findings are provided to the audit committee or board of directors.
• Corporate accounting personnel investigate and respond accordingly to financial reporting issues identified at subsidiary levels.
• Management responds, in writing, to concerns raised in the management letter. The audit committee requires divisional or subsidiary management letters to be provided to them, with written responses from divisional or subsidiary management.
• Recommendations for improvements are adopted and deficiencies noted have been remediated.
• Management responds timely to comments identified in the management letters.

Sample Objective: Communications from External Parties

Sample Activities:
• Complaints of improper financial matters by external parties such as suppliers or regulators are fully investigated and documented (e.g., disputes over inappropriate shipping charges or bill and hold practices by customers are investigated by management).
• Reported improprieties from individuals other than employees are investigated and resolved.
• Discrepancies that have been identified by customers are investigated and resolved.
• Communications from vendors and monthly statements of accounts payable are used as a control monitoring technique.
• Management utilizes proactive controls regarding third-party information (e.g., vendor confirmations).
• Controls that should have prevented or detected problems are reassessed when problems occur.

Sample Objective: Internal Meetings are an Effective Means of Providing Feedback to Management on Whether Controls are Operating Effectively

Sample Activities:
• Relevant issues and questions that are raised at training seminars are captured.
• Employee suggestions are communicated upstream and acted on as appropriate.
• Management uses surveys and focus groups to understand employee perceptions.

Sample Objective: Self-Assessments

Sample Activities:
• Personnel are required to acknowledge compliance with the code of conduct.
• Signatures are required to verify performance of significant control functions such as reconciliations.
• The results of self-assessments regarding the company's code of conduct and significant control activities are independently verified.
• The personnel that perform self-assessments regarding the control activities being performed by process owners complete the self-assessment based on "first-hand knowledge" of control activities that they have observed.
• Operating personnel are required to "sign off" on the accuracy of their unit's financial statements. Internal management reports are reviewed and initialed by operating personnel to verify accuracy. In addition, these reports are reconciled to any external financial reports.
• Policies and procedures ensure that appropriate personnel perform a detailed review of operating and financial information to ascertain the integrity of the information (e.g., advertising personnel review the monthly advertising expenses to ensure that they are consistent with the authorized payments).

Sample Objective: Separate Evaluations

Sample Activities:
• Personnel with the requisite skills conduct evaluations of appropriate portions of the internal control system.
• The scope, depth of coverage, and frequency of evaluations are adequate.
• The frequency and scope of supervision and monitoring activities are appropriate to the size and nature of the entity.
• Supervisory personnel perform various random and structured reviews over the functioning of control procedures.
• Personnel with the requisite skills and independence of function periodically evaluate appropriate areas of the internal control structure.
• An analysis is made using the evaluation results compared to established criteria.
• The methodology for performing separate evaluations includes checklists, questionnaires, or programs.
• The evaluation team is brought together to plan the evaluation process and ensure a coordinated effort.
• An executive with requisite authority manages the evaluation process.
• The results of the evaluation and action plans are documented.


Appendix F

COSO — The Sequel

In 2002, COSO announced that it had launched a study designed to provide guidance in helping organizations manage risk. The study resulted in the release for public comment of Enterprise Risk Management Framework. The proposed framework details essential components and concepts of enterprise risk management for all organizations, regardless of size.

Enterprise Risk Management Framework is not intended to replace COSO's Internal Control — Integrated Framework as a framework for internal control. Enterprise risk management is broader than internal control and, therefore, the new publication expands on the concepts of the original to focus more fully on the management of risk. Observers expect this new enterprise risk management framework to provide common terminology and become the most widely adopted model for risk management.

A draft copy of Enterprise Risk Management Framework may be viewed at: http://www.erm.coso.org/Coso/coserm.nsf/frmWebCOSOHome?ReadForm.

Appendix G

Not Sure if You are an Accelerated Filer?

Any company that is an "accelerated filer" must comply with the provisions of section 404 as of the end of its first fiscal year ending on or after November 15, 2004. Don't know if you're an accelerated filer? According to the SEC, accelerated filers are, generally, U.S. companies that have equity market capitalization over $75 million as of the last business day of their most recently completed second fiscal quarter and have filed an annual report with the SEC. For purposes of determining whether a company meets the market value requirement of $75 million, the market test must be conducted annually until the requirements are met. For example, a calendar year-end company that did not meet the market value test on June 30, 2003, will be required to conduct a market test on June 30, 2004. If it meets the market test and the other accelerated filer requirements on that date, it will be classified as an accelerated filer and will be required to comply with the requirements of section 404 as of December 31, 2004 (its first fiscal year ending after November 15, 2004).


Member of Deloitte Touche Tohmatsu
Copyright © 2004 Deloitte Development LLC. All rights reserved.

About Deloitte
Deloitte, one of the nation’s leading professional services firms, provides audit, tax, consulting, and financial advisory services through nearly 30,000 people in more than 80 U.S. cities. Known as an employer of choice for innovative human resources programs, the firm is dedicated to helping its clients and its people excel. “Deloitte” refers to the associated partnerships of Deloitte & Touche USA LLP (Deloitte & Touche LLP and Deloitte Consulting LLP) and subsidiaries. Deloitte is the U.S. member firm of Deloitte Touche Tohmatsu. For more information, please visit Deloitte’s Web site at www.deloitte.com/us.

Deloitte Touche Tohmatsu is an organization of member firms devoted to excellence in providing professional services and advice. We are focused on client service through a global strategy executed locally in nearly 150 countries. With access to the deep intellectual capital of 120,000 people worldwide, our member firms, including their affiliates, deliver services in four professional areas: audit, tax, consulting, and financial advisory services. Our member firms serve more than one-half of the world’s largest companies, as well as large national enterprises, public institutions, locally important clients, and successful, fast-growing global growth companies.

Deloitte Touche Tohmatsu is a Swiss Verein (association), and, as such, neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other’s acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names “Deloitte,” “Deloitte & Touche,” “Deloitte Touche Tohmatsu,” or other, related names. The services described herein are provided by the member firms and not by the Deloitte Touche Tohmatsu Verein. For regulatory and other reasons, certain member firms do not provide services in all four professional areas listed above.
