
Complying with Sarbanes-Oxley Section 404: A Guide for Small Publicly Held Companies


Lynford Graham

ISBN: 978-1-118-26908-4 December 2011 368 Pages


A step-by-step approach for planning and performing an assessment of internal controls

Filled with guidance on small-business compliance with the SEC and PCAOB requirements that implement Sarbanes-Oxley Section 404, Complying with Sarbanes-Oxley Section 404: A Guide for Small Publicly Held Companies shows you how to work with your auditors to realize the benefits of the assessment while reducing its cost.

This practical guide helps you interpret and meet the Sarbanes-Oxley 404 requirements with confidence, and features:

  • Clear, jargon-free coverage of the Sarbanes-Oxley Act and how it affects you

  • Links to current guidance online

  • Specific guidance to companies on how to work with auditors to achieve benefits and cost reductions

  • Coverage of IT and IT general controls

  • Examples and action plans providing blueprints for implementing requirements of the act

  • Easy-to-understand coverage of the requirements of the SEC and PCAOB

  • Discussion of the requirements for assessing internal control effectiveness

  • A look at how the new guidance will reduce your costs

  • In-depth explanations to help professionals understand how best to approach the internal control engagement

  • Practice aids, including forms, checklists, illustrations, diagrams, and tables

This area of auditing and corporate governance continues to evolve and to drive business and cultural change. Complying with Sarbanes-Oxley Section 404: A Guide for Small Publicly Held Companies demystifies it, serving as a practical guide to SOX 404 implementation and a reference for every corporate manager.

Preface

Acknowledgments

About the Author

CHAPTER 1 Introduction and Company Requirements

Chapter Summary

Lessons Learned

Management’s Evaluation of Internal Control

SEC Company Requirements

Working with the Independent Auditors

CHAPTER 2 The COSO Internal Control Framework

Chapter Summary

Need for Control Criteria

The Triangle of Efficiency

COSO Internal Control Integrated Framework

Information and Communication

Internal Control for Small Businesses

Information Technology Controls

Control Objectives and Assertions: The Building Blocks of Controls Documentation

Example Control Objectives by COSO Component

Appendix 2A: Understanding and Awareness of Control Responsibilities

Appendix 2B: Management Antifraud Programs and Controls: An Element of the Control Environment

Appendix 2C: Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees

CHAPTER 3 Project Scoping

Chapter Summary

Introduction

Does “In Scope” Imply Extensive Testing?

Review Obvious Information Sources

A Process for Risk Assessment

Appendix 3A: Summary of Scoping Inquiries

Appendix 3B: Understanding Fraud Risk Assessment

CHAPTER 4 Project Planning

Chapter Summary

Objective of Planning

Information Gathering for Decision Making

Structuring the Project Team

Consider Project Tools and Software

Consider a Pilot Project

Coordinating with the Independent Auditors

Documenting Your Planning Decisions

CHAPTER 5 Documentation of Internal Controls

Chapter Summary

Importance of Documentation

Assessing the Adequacy of Existing Documentation

Documentation Supporting the Control Environment

Documenting Activity-Level Controls

Finding Control Activity Control Objectives

Appendix 5A: Sample Control Objectives for Major Control Activities

Appendix 5B: Linkage of Significant Control Objectives to Example Control Policies and Procedures

CHAPTER 6 Testing and Evaluating Entity-Level Controls

Chapter Summary

Overall Objective of Testing Entity-Level Controls

Testing Techniques and Evidence

Evaluating the Effectiveness of Entity-Level Controls

Documenting Test Results

Appendix 6A: Conducting Interviews: Gathering Internal Control Information

Appendix 6B: Example Practice Aids Gathering Internal Control Information

Appendix 6C: Example Inquiries of Management Regarding Entity-Level Controls Gathering Internal Control Information

CHAPTER 7 Testing and Evaluating Activity-Level Controls

Chapter Summary

Introduction

Confirm Your Understanding of the Design of Controls First

Assessing the Effectiveness of Design

Assessing Operating Effectiveness

Evaluating Test Results

Documentation of Test Procedures and Results

Interactions with the Independent Auditors

Appendix 7A: Sample Size Tutorial

Appendix 7B: Example Inquiries

CHAPTER 8 Evaluating Control Deficiencies and Reporting on Internal Control Effectiveness

Chapter Summary

Control Deficiencies

Evaluating Control Deficiencies

Annual and Quarterly Reporting Requirements

Reporting on Management’s Responsibilities for Internal Control

Required Company and Auditor Communications

Reporting the Remediation of Weaknesses

Coordinating with the Independent Auditors and Legal Counsel

Appendix 8A: Action Plan: Reporting

Appendix 8B: Assessing the Potential Magnitude of a Control Deficiency

Final Rule: Management's Report on Internal Control over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports