How to Comply with Sarbanes-Oxley Section 404: Assessing the Effectiveness of Internal Control, 3rd Edition

Michael J. Ramos

ISBN: 978-0-470-25922-1

Jun 2008

336 pages



Now fully revised and updated, the Third Edition of How to Comply with Sarbanes-Oxley Section 404: Assessing the Effectiveness of Internal Control is the perfect starting point for companies with no previous SOX experience. Packed with practice aids including forms, checklists, illustrations, diagrams, and tables, the new edition leads auditing professionals through every step of the audit processes associated with Section 404 compliance.


Chapter 1. The Evaluation Approach.

Chapter Summary.

Management’s Evaluation of Internal Control.

Overview of the Evaluation Process.

Risk-Based Judgments.

Why Understanding Risk is Important.

A Risk-Based, Top-Down Evaluation Approach.

Identification of Misstatement Risk.

Assessment of Misstatement Risk.

The Likelihood of Control Failure.

A "Top-Down" Approach to Identifying Relevant Controls.

The Independent Auditor's Reporting Responsibilities.

Overall Objective of the Auditor's Engagement.

Use of Work of Internal Auditors and Others.

Working with the Independent Auditors.

Chapter 2. Internal Control Criteria.

Chapter Summary.

The Need for Control Criteria.

The COSO Internal Control Integrated Framework.

Key Characteristics of the COSO Framework.

By Way of Analogy.

Five Components of Internal Control.

The Control Environment.

Risk Assessment.

Control Activities.

Information and Communication.

Internal Control for Small Businesses.

Controls Over Information Technology Systems.

COSO Guidance.

The COBIT Framework.

Chapter 3. Project Scoping.

Chapter Summary.

One Size Does Not Fit All.

Entity-Level Controls.

Applying the Top-Down, Risk-Based Approach.

Corporate Culture.

Personnel Policies.

IT General Controls.

Risk Identification.

Anti-Fraud Programs and Controls.

Period-End Financial Reporting Processes.

Identifying Significant Activity-Level Control Objectives.

Appendix A. Action Plan: Identifying Significant Control Objectives.

Appendix B. Example Control Objectives.

Chapter 4. Project Planning.

Chapter Summary.

The Objective Of Planning.

Information Gathering For Decision Making.

Organize Your Project According to Business Process Activities.

Areas of Focus.

Defining Internal Control Deficiencies.

Project Scope and Existing Efforts to Assess Internal Control Effectiveness.

Other Scope Considerations.

Information Sources.

SEC Form 10K.

Other Information Sources.

Additional Guidance.

Structuring The Project Team.

Establishing Responsibilities and Lines of Reporting.

Project Team Members.

Coordinating With The Independent Auditors.

Reach Consensus on Planning Matters.

Documenting Your Planning Decisions.

Appendix 4A. Action Plan: Project Planning.

Appendix 4B. Summary of Planning Questions.

Chapter 5. Documentation of Internal Controls.

Chapter Summary.

The Importance of Documentation.

Assessing The Adequacy Of Existing Documentation.

What Should Be Documented.

How Much to Document.

Documentation Of Entity-Level Control Policies And Procedures.

Corporate Governance Documents.

Code of Conduct.

Other Documentation.

Documenting Activity-Level Controls.

Determine the Controls to Be Documented.

How to Design Internal Control Documentation.

Sarbanes-Oxley Automated Compliance Tools.

Functions of an Automated Sarbanes-Oxley Tool.

Implementation Is Critical.

Assessing the Control Warehouse Function.

Managing the Testing of Controls.

Automated Control Procedures.

The Value of an Automated Compliance Tool.

Coordinating With The Independent Auditors.

Appendix 5A. Action Plan: Documentation.

Appendix 5B. Linkage of Significant Control Objectives to Example Control Policies and Procedures.

Chapter 6. Testing and Evaluating Entity-Level Controls.

Chapter Summary.

Overall Objective Of Testing Entity-Level Controls.

Relationship between Entity-Level and Application-Level Controls.

Design Effectiveness versus Operational Effectiveness.

Testing Techniques.

The Nature of Available Evidence.

Survey and Inquiries of Employees.

Inquiries of Management.

IT General Controls.

Reading and Assessment of Key Documents.

Observation of Processes.

Evaluating The Effectiveness Of Entity-Level Controls.

Making the Assessment.

Five Levels of Reliability.

Responding to Identified Weaknesses.

Documenting Test Results.

Coordinating With The Independent Auditors.

Appendix 6A. Action Plan: Testing and Evaluating Entity-Level Controls.

Appendix 6B. Survey Tools.

Example Letter To Employees In Advance Of Employee Survey.

Example Employee Survey Of Corporate Culture And Personnel Policies.

Purpose of the Survey.

Evaluation Of Employee Survey Results.

Evaluating Results.

Appendix 6C. Example Inquiries of Management Regarding Entity-Level Controls.

Instructions For Use.

Chapter 7. Testing and Evaluating Activity-Level Controls.

Chapter Summary.

Confirm Your Understanding Of The Design Of Controls.

What’s a Walkthrough?

Suggestions for Performing a Walkthrough.

Assessing The Effectiveness Of Design.

Financial Statement Assertions and Controls.

Information-Processing Streams.

Operating Effectiveness.

Test Design Considerations.

A Risk-Based Approach to Designing Tests.

Sample Sizes and Extent of Tests.

Types of Tests.

Evaluating Test Results.

Documentation Of Test Procedures And Results.

Coordinating With The Independent Auditors.

Appendix 7A. Action Plan: Documentation.

Appendix 7B. Example Inquiries.

Chapter 8. Evaluating Control Deficiencies and Reporting on Internal Control Effectiveness.

Chapter Summary.

Control Deficiencies.

Evaluating Control Deficiencies.

Assessing the Likelihood and Significance of Misstatement.

Deficiencies that May be Material Weaknesses.

Compensating Controls.

The "Prudent Official Test".

Annual and Quarterly Reporting Requirements.

Management's Report When a Material Weakness Exists at Year-End.

"As Of" Reporting Implications.

Expanded Reporting On Management's Responsibilities For Internal Control.

Responsibility for Financial Reporting.

Coordinating With The Independent Auditors And Legal Counsel.

Independent Auditors.

Legal Counsel.

Appendix 8A. Action Plan: Reporting.

2. Prepare Required Report.