SOx Section 404 Rules
SOx Section 404 rules state that an enterprise is
responsible for reviewing, documenting, and testing its own internal accounting
controls, with those review results then passed on to the enterprise’s external
auditors, who are charged with reviewing and attesting to that work as part of
their review of the reported financial statements.
Section 404 Internal Controls Assessments
Management always has had the
overall responsibility for designing and implementing internal controls over their
enterprise’s operations. SOx Section 404 requires an annual internal controls
report, with the following information elements, as part of an SEC-mandated
Form 10K annual report:
• A formal management statement acknowledging the enterprise’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
• An assessment, as of the end of the most recent fiscal year, of the effectiveness of the enterprise’s internal control structure and procedures for financial reporting.
The external audit firm that
issued the supporting audit report is required to review and report on management’s
assessment of its internal financial controls. Management is required to report
on the quality of their internal controls, and their public accounting firm
must audit or attest that management developed an internal controls report in
addition to their normal financial statement audit. Management has always been
responsible for preparing their periodic financial reports, and the external
auditors then audited those financial numbers and certified that they were
fairly stated. With SOx Section 404, management is responsible for documenting
and testing their internal financial controls as well as reporting on their
effectiveness. External auditors then review the supporting materials leading
up to that internal financial controls report to assert that the report is an
accurate description of the internal control environment.
Under SOx Section 404, management
is required to report on the adequacy of their internal controls, with their
external auditors attesting to the management-developed internal control
reports. Under Section 404 procedures, the enterprise builds and documents its
own internal control processes, then an independent party such as internal
audit reviews and tests those internal controls, and finally the external
auditors review and attest to the adequacy of this process.
Identifying Key Processes to Launch a Section 404 Compliance Review
Whether based on IT systems or
primarily manual procedures performed on a regular basis, every enterprise has
basic processes that are normally considered in terms of their basic accounting
cycles, including:
• Revenue cycle. Processes dealing with sales or other enterprise revenue.
• Direct expenditures cycle. Expenditures for material or direct production costs.
• Indirect expenditures cycle. Operating costs that cannot be directly tied to production activities but are necessary for overall business operations.
• Payroll cycle. Covers all personnel compensation.
• Inventory cycle. Although inventory will eventually be applied as direct production expenditures, time-based processes are needed for holding inventory until applied to production.
• Fixed assets cycle. Property and equipment require separate accounting processes, such as periodic depreciation accounting over time.
• General controls IT cycle. This set of processes covers IT controls that are general or applicable to all IT operations.
Internal Audit’s Role
Even though SOx does not give
specific responsibilities to internal auditors, they are an important resource
for the completion of Section 404 internal control assessments. Under SOx, a
separate and independent function within the enterprise—often internal or IT
audit—reviews and documents the internal controls covering key processes,
identifies key control points, and then tests those identified controls.
External audit would then review that work and attest to their adequacy. For
many enterprises, IT audit can be a key resource for performing these internal
controls reviews for technology-based processes.
Section 404 Internal Control Review
Exhibit 2.2 outlines some
planning considerations for a Section 404 internal control review to be
performed by an enterprise’s internal auditors, who can play a major role in
helping senior management establish Section 404 compliance. Our objective is
not to provide internal audit guidance but to give a senior manager an idea of
these IT internal audit processes.