SOX 404(a) - It Can Apply To More Than You Think - Part 2

Posted by Bill Bockwoldt on April 29, 2011

In my previous post about SOX 404(a) and non-accelerated filers, I highlighted some of the requirements of the legislation. Below I have outlined a proven approach to dealing with those legislative requirements in a cost-effective, efficient way.

An Effective Approach for 404(a) Internal Controls System

To achieve a robust internal control system and satisfy any applicable financial reporting compliance requirements, companies should perform the steps outlined below.

Determine Audit Scope Through a Risk Assessment

The risk assessment, which underlies the entire audit process, is the first step in determining which areas of the business present the highest risk of material misstatement or fraud that could compromise your financial reporting. It involves evaluating significant accounts and disclosures as well as relevant financial statement assertions, and then quantifying materiality thresholds. A good risk assessment considers factors such as materiality, degree of subjectivity, susceptibility to errors and fraud, volume of transactions, and quarter-over-quarter volatility.

There are many approaches and tools available for performing a risk assessment. But the key to successfully managing any audit is for management to take responsibility for driving this process, because they understand their risks and business operations far better than their auditors do. The final step in this process is to review the risk assessment with your auditors, defend your position, and use it to limit the scope of your audit. Companies that leave the performance of this important step to their auditors experience a more expensive, more resource-intensive, and more broadly scoped audit of their company.

Define and Document Effective Mitigating Controls

The documentation work should include creating and identifying process controls and supporting documentation to prove the existence and proper execution of controls within the high-risk areas identified during the risk assessment.

After the initial risk assessment highlights the areas of greatest concern, mitigating controls must be defined and implemented to address those risks. Internal controls are simply the rules that must be followed to ensure that each identified risk is being properly mitigated for the purposes of producing accurate and timely financial reports. Examples can include rules that require multiple signatures on checks over a specified amount; routine testing of system backup tapes; or limits imposed on who can add/modify vendors in the GL system. If in-house expertise is not available, outside resources, services, and tools can be employed to successfully define the control points as dictated by the risk assessment.

Provide Adequate Supporting Documentation

Each control point must have relevant supporting documentation, such as policies that must be approved and followed, or checklists, procedures, and other documentary evidence (e.g., signature sheets) used to show that the control was in place, was working (being followed), and was documented appropriately. This documentation will serve, in part, as the basis for testing and remediating controls on an ongoing basis. If no in-house expertise or resources are available to complete this work, it can be outsourced to qualified individuals. It is not necessary to create this documentation from scratch: most of these types of general business forms or policy descriptions are available for purchase or download and can be tailored and applied to your organization successfully.

Regularly Test and Remediate Deficiencies

Ongoing controls testing is required to ensure all controls are being executed as documented, consistently, and with sufficient sampling to ensure external audit acceptance. In the event controls are failing, exceptions should be noted for follow-up and remediation.

Once risks have been identified, controls have been mapped, training is in place, and documentation exists to show performance, the controls must be tested and any deficiencies remediated (fixed). This step is critical for attesting to the integrity and transparency of your financial reporting on an ongoing basis – but many companies do not pay attention to it if it is not required as part of their formal external audit. In fact, roughly 90% of companies fail the first external audit of their internal controls due to a lack of proof that the internal controls were properly documented and were being followed consistently. This is arguably the most important area to consider outsourcing to a neutral third-party provider, because doing so resolves the question of independence and objectivity and reduces the amount of audit scrutiny (i.e., cost and effort) applied to management’s self-reporting activities.

Remediation efforts result from deficiencies found through a lack of process availability, insufficient execution of documented procedures, execution of undocumented procedures, or insufficient segregation of duties. These issues are exposed through walkthroughs and controls testing once the in-scope areas have been established and documented.

How to Bring Efficiency to this Process

Finally, when considering an initial implementation of an internal control system, or the addition of internal controls to an existing system, the following objectives should be considered:

· Standardization—A set of best-practice (minimum acceptable) audit risks and corresponding mitigating controls should be applied wherever possible (e.g., across locations or departments). This reduces the ongoing maintenance effort, creates greater efficiencies in performance and reporting across business areas, and makes the audit review process simpler and more cost-effective.

· Integration—Any software or tools employed should work together to provide a comprehensive top-down view of the implementation or testing status of the project. Ideally, the same products or tools will be used to manage the controls and risks, work with the documentation, provide easy access for testing, and produce output in an audit-ready format for review.

· Scalability—Any internal controls system should be designed as “building blocks” to support larger, more complex implementations involving multi-location and multi-subsidiary engagements. If a standardized approach is adopted, and any software/tools are well integrated, then the system should scale easily with company growth.

Following the steps outlined above should ensure an effective system of internal controls that will be the basis for providing management attestation as to the integrity and transparency of their financial reporting.

Vibato specializes in this area and we would be happy to speak with you about your needs. This information (including the original post) can also be provided in a .pdf document by contacting us at

Tags: Internal Controls, 404, Sarbanes-Oxley