SOX 404 Documentation

1
Sarbanes-Oxley Section 404
June 29, 2005
2
Table of Contents

• SOX 404 Background 3
• SOX 404 Goals 4
• SOX 404 Requirements 5
• SOX 404 Assertions 6
• SOX 404 Compliance 7
• COSO Internal Controls 8
• COSO Internal Controls Framework 9
• Why Do You Really Care About SOX 404? 10
• Things You Can Do 11

3
SOX 404 Background

• Due to the scandals in corporate financial
  reporting, Congress enacted in 2002, the Sarbanes
  Oxley Act (SOX). The Security Exchange
  Commission oversees the compliance by publicly
  traded companies to the Act. The Public
  Companies Accounting Oversight Board (PCAOB)
  drives the compliance.
• SOX Section 404 rules require each annual report
  to contain an internal control report which shall
  state the responsibility of management for
  establishing and maintaining an adequate internal
  control structure and procedures for financial
  reporting, and contain an assessment of the
  effectiveness of the internal control structure
  and procedures of the issuer for financial
  reporting.
• Filing due dates

• Fiscal years ended on or after November 15, 2004
  for accelerated filers (ie., market
  capitalization in excess of 75mm)
• Fiscal years ended on or after July 15, 2006 for
  non-accelerated filers.

4
SOX 404 Goals
The goals of a SOX 404 program are to ensure that
enterprise internal controls are of such quality
that there will be

• no material weaknesses that must be reported at
  the registrant level by either management or the
  by external auditor
• no significant deficiencies that must be reported
  at the registrant level by either management or
  the external auditor to the Audit Committee of
  the Board of Directors and
• no material misstatements of the companys
  financial statements

5
SOX 404 Requirements

• Client management must
• Document and test the internal controls over
  financial reporting
• Issue an annual assertion on the effectiveness of
  internal control over financial reporting
• External Auditors must
• Determine nature, timing, and extent of testing
• Review work performed by management
• Perform some independent tests of controls
• Attest and report on
• Managements 404 assertion process
• Design and effectiveness of internal controls

6
SOX 404 Overview - Assertions

• In order to make the assertion, the client must
• Document and evaluate the design of controls
• Evaluate the operating effectiveness of
  significant controls
• Identify significant deficiencies or material
  weaknesses
• Document the results of the evaluation
• Communicate findings (e.g., significant
  deficiencies and material weaknesses) to the
  independent auditor

Note Absence of sufficient evidence to support
the Companys assessment may constitute a
significant deficiency that results in a report
qualification by the external auditors.
7
SOX 404 Compliance
8
COSO Internal Controls

• COSO provides the PCAOBs accepted basis for
  establishing internal control systems and
  determining their effectiveness.
• Stands for Committee of Sponsoring
  Organizations
• Originally formed in 1985 to sponsor the National
  Commission on Fraudulent Financial Reporting (aka
  The Treadway Commission)
• The sponsoring organizations include
• American Institute of Certified Public
  Accountants (AICPA)
• The Institute of Internal Auditors (IIA)
• Financial Executives International (FEI)
• Institute of Management Accountants (IMA)
• American Accounting Association (AAA)
• Published two documents and one pending
• 1992 Internal Controls Integrated Framework
• Mid 90s Internal Control on Derivative Issues
• Early 2004 Enterprise Risk Management Framework

9
COSO - Internal Control Framework
Objectives
The process to determine whether internal control
is adequately designed, executed, effective and
adaptive
The process which ensures that relevant
information is identified and communicated in a
timely manner
The policies and procedures that help ensure that
actions identified to manage risk are executed
and timely
Components
The evaluation of internal and external factors
that impact an organizations performance
The control conscience of an organization. The
tone at the top
10
Why Do You Really Care About SOX 404?

• Non-profit (country clubs) and non-publicly
  traded (hotels) companies are not required to
  comply with SOX 404 requirements.
• Reasons to care

• Board members, who are responsible for the
  establishment and maintenance of good corporate
  governance ALL
• Financing sources (banks and investors) want
  assurance that the financial statements are not
  misrepresented ALL
• Owners want assurance that the financial
  statements are not misrepresented Hotels
• Risk of membership loss due to fraudulent
  practices disclosed to the public Country Clubs
• If acquired by a publicly traded company, SOX 404
  compliance is required - Hotels

11
Things You Can Do

• Steps to take to enhance your internal controls

• Establishment of an audit committee to provide
  financial reporting and internal control
  expertise, along with oversight on such matters
• Establish a Whistle-Blower policy to provide
  the means and safeguards to those who identify
  fraudulent practices
• Assess the risk associated with the processes
  that make-up your organization (ie.,
  sales/revenue, cash, accounts receivable, fixed
  assets, accounts payable, payroll, etc.)
• For high risk areas and processes ask yourself,
  What Could Go Wrong and address the answers to
  the question (ie., segregation of duties)

Reference List

• http//www.aicpa.org/audcommctr/homepage.html
• http//www.pcaobus.org
• http//www.sec.gov/rules/pcaob.html