Complying with Sarbanes-Oxley Section 404: A Guide for Small Publicly Held Companies
Lynford Graham



Copyright 2010 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our Web site at www.wiley.com.

ISBN 978-0-470-57255-9

Printed in the United States of America.

Contents

Preface ix
Acknowledgments xi
About the Author xiii

CHAPTER 1 Introduction and Company Requirements 1
  Chapter Summary 1
  Lessons Learned 1
  Management's Evaluation of Internal Control 4
  SEC Company Requirements 8
  Working with the Independent Auditors 23

CHAPTER 2 The COSO Internal Control Framework 25
  Chapter Summary 25
  Need for Control Criteria 25
  The Triangle of Efficiency 26
  COSO Internal Control Integrated Framework 27
  Information and Communication 50
  Internal Control for Small Businesses 54
  Information Technology Controls 58
  Control Objectives and Assertions: The Building Blocks of Controls Documentation 64
  Example Control Objectives by COSO Component 65
  Appendix 2A: Understanding and Awareness of Control Responsibilities 71
  Appendix 2B: Management Antifraud Programs and Controls: An Element of the Control Environment 73
  Appendix 2C: Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees 95

CHAPTER 3 Project Scoping 97
  Chapter Summary 97
  Introduction 97
  Does "In Scope" Imply Extensive Testing? 100
  Review Obvious Information Sources 103
  A Process for Risk Assessment 116
  Appendix 3A: Summary of Scoping Inquiries 133
  Appendix 3B: Understanding Fraud Risk Assessment 137

CHAPTER 4 Project Planning 143
  Chapter Summary 143
  Objective of Planning 143
  Information Gathering for Decision Making 144
  Structuring the Project Team 147
  Consider Project Tools and Software 153
  Consider a Pilot Project 163
  Coordinating with the Independent Auditors 167
  Documenting Your Planning Decisions 169

CHAPTER 5 Documentation of Internal Controls 173
  Chapter Summary 173
  Importance of Documentation 173
  Assessing the Adequacy of Existing Documentation 175
  Documentation Supporting the Control Environment 177
  Documenting Activity-Level Controls 182
  Finding Control Activity Control Objectives 208
  Appendix 5A: Sample Control Objectives for Major Control Activities 210
  Appendix 5B: Linkage of Significant Control Objectives to Example Control Policies and Procedures 223

CHAPTER 6 Testing and Evaluating Entity-Level Controls 231
  Chapter Summary 231
  Overall Objective of Testing Entity-Level Controls 231
  Testing Techniques and Evidence 234
  Evaluating the Effectiveness of Entity-Level Controls 252
  Documenting Test Results 257
  Appendix 6A: Conducting Interviews: Gathering Internal Control Information 259
  Appendix 6B: Example Practice Aids: Gathering Internal Control Information 267
  Appendix 6C: Example Inquiries of Management Regarding Entity-Level Controls: Gathering Internal Control Information 274

CHAPTER 7 Testing and Evaluating Activity-Level Controls 281
  Chapter Summary 281
  Introduction 281
  Confirm Your Understanding of the Design of Controls First 281
  Assessing the Effectiveness of Design 286
  Assessing Operating Effectiveness 288
  Evaluating Test Results 304
  Documentation of Test Procedures and Results 305
  Interactions with the Independent Auditors 305
  Appendix 7A: Sample Size Tutorial 307
  Appendix 7B: Example Inquiries 310

CHAPTER 8 Evaluating Control Deficiencies and Reporting on Internal Control Effectiveness 313
  Chapter Summary 313
  Control Deficiencies 313
  Evaluating Control Deficiencies 314
  Annual and Quarterly Reporting Requirements 326
  Reporting on Management's Responsibilities for Internal Control 332
  Required Company and Auditor Communications 333
  Reporting the Remediation of Weaknesses 337
  Coordinating with the Independent Auditors and Legal Counsel 337
  Appendix 8A: Action Plan: Reporting 339
  Appendix 8B: Assessing the Potential Magnitude of a Control Deficiency 341

KEY RESOURCES 345
  Final Rule: Management's Report on Internal Control over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports 345

Index 349

Preface

This edition marks the change in authorship of this popular work from Mike Ramos. It departs in some ways from the prior editions by providing additional in-depth guidance and more frequent citations from authoritative sources, to give the reader a clearer distinction between requirements on the one hand and suggestions and guidance on the other. In addition, it focuses on proven techniques to make the 404 implementation and annual compliance process more efficient. Some additional practice aids are provided, and all practice aids of the previous editions have been edited. In that way, this edition can have value to entities that have already reported on internal controls and are still seeking approaches that achieve greater efficiencies for the longer term.

The book retains the primary perspective of company performance and reporting on internal controls as its central focus, but with generous citations of the expectations of auditors based on SEC and PCAOB regulations. For companies, these citations are designed to help anticipate and bridge the differences in client-auditor perspectives that can be very costly to work out in real time. The book also has value to auditors seeking to relate company and auditor requirements and perform efficient and effective procedures that meet budget and regulatory requirements. In some places, guidance specifically directed to auditor-readers has been incorporated into the work. The book is not a substitute for reading the company and auditor requirements in their entirety, but it tries to make those readings more understandable in context. The implementation of revised SEC and PCAOB requirements seems to have created an impression of kinder and gentler standards, but make no mistake, the onus is on companies and auditors to support the judgments they make. This book will provide guidance on the potential landmines that can lie under the seemingly more smoothly paved roads to compliance.

We have traveled far enough down the road to be able to assess some of the real implementation costs and benefits of the Sarbanes-Oxley Act (SOX). Companies have survived the initial implementation, and lessons abound to help other companies comply in an efficient and effective manner. Frauds and misstatements continue to occur, but we do see evidence that more effective controls and antifraud procedures that are easy to implement dramatically reduce the losses due to fraud when it occurs. We also see an expansion of SEC interest in directly regulating industries that previously filed only information reports to the SEC. The Madoff and Stanford scandals remind all of us that the risks remain real when other people's money is the basis of a business model. Large dollars attract talented fraudsters. While no company wants additional regulation or added costs, the safety and reliability of our capital markets require that financial statements be reliable, and the rising incidence of restatements and fraud leading up to SOX legislation created a need for more effective financial reporting controls. This edition provides additional background on how the requirements for companies and auditors relate to the goal of reliable financial reporting.

At the time of this writing, the implementation of the Section 404(b) auditor reporting requirement is scheduled for audit reports issued after June 15, 2010. SEC Chairman Mary L. Schapiro stated that this will be the last extension granted by the Commission. Regardless of whether there is another auditor report deferral, the implications for companies regarding their reporting requirements are the same. If the company process and report are deficient, auditors will nevertheless have a reporting responsibility to point this out in their audit report, as discussed in the book.

However, a complication is that if a further deferral is approved, some auditors with only a few public company engagements who choose to defer their education and training about the requirements may not be fully prepared to counsel clients on their projects and reports early on, and thus may have additional (and potentially embarrassing or costly) comments later in the process or in the year of auditor reporting. The best strategy is for companies to be fully knowledgeable and prepared to comply with all aspects of the regulations in their first year of reporting under 404(a), and to set up their projects to minimize the future audit costs when the auditor reporting requirements are finally effective. This book is intended to provide that guidance to companies.

Lynford Graham
November 2009

Acknowledgments

This new edition builds on the prior editions authored by Mike Ramos. His pioneering efforts to provide guidance on a brand new subject matter, the Section 404 requirements of the Sarbanes-Oxley Act of 2002, in a world of uncertainty and changing rules is a significant and timely accomplishment. He is owed a great debt for his willingness to commit to publication of guidance in such a fluid environment. In the third edition, Mike identified the important contributions of individuals as well as a Technical Advisory Board assembled to review and contribute to the prior editions. They undoubtedly had an influence on this edition, and acknowledgment of their efforts continues.

This edition departs from earlier editions and provides additional perspective and practical advice from the learning experiences of companies and auditors and from academic and practice research conducted on the early implementations of the Sarbanes-Oxley Act. Appreciation is extended to the members of the AICPA 404 Implementation Task Force (2003-2006) for their efforts to discern the implications of the SEC and PCAOB requirements, and the leadership provided to that effort by my friend and former colleague Gary Stauffer in working with the Task Force and opening dialogues with the regulators, companies, and audit firms. Thanks also need to be extended to my colleagues at BDO Seidman, LLP and especially Wayne Kolins for his support and deep interest in complying with the spirit of the act as well as the written requirements. It is through the open (sometimes spirited) dialogues and challenges of colleagues, clients, regulators, and academics that the important practical issues are clarified and issues resolved.

Of course, the patience and support of my spouse, Barbara, and my sons, Chris and Geoff, are acknowledged for my absence during the dark days of the initial 404 implementation, the many years before that I spent in audit practice and in service to the profession, and the period of time spent in revising this work.

About the Author

Lynford Graham is a Certified Public Accountant with more than 30 years of public accounting experience in audit practice and in various National Firm policy development groups. He is a Visiting Professor of Accountancy and Executive in Residence at Bentley University in Waltham, MA. He was a Partner and the National Director of Audit Policy for BDO Seidman LLP, responsible for the development and implementation of audit policy, sampling training, and audit software. Dr. Graham was responsible for BDO Seidman's implementation of audits of internal control under PCAOB AS 2, and participated with professional groups in developing industry-wide guidance on audits of internal control. Prior to joining BDO Seidman LLP, Dr. Graham was an Associate Professor of Accounting and Information Systems and a Graduate Faculty Fellow at Rutgers University in Newark, New Jersey. Prior to that, he was a National Accounting & SEC Consulting Partner for Coopers & Lybrand.

Dr. Graham is a member of the American Institute of Certified Public Accountants (AICPA), and a past member of the AICPA's Auditing Standards Board. He chaired the AICPA's Audit Risk Guide Task Force (Assessing and Responding to Audit Risk in a Financial Statement Audit) and was the principal author and Chair of the Task Force clearing the 2008 revision of the AICPA audit guide Audit Sampling. Throughout his career he has maintained an active profile in the academic as well as the business community. In 2002 he received the Distinguished Service Award of the Auditing Section of the AAA. His numerous academic and business publications span a variety of topical areas, including information systems, internal controls, expert systems, audit risk, audit planning, fraud, sampling, analytical procedures, audit judgment, and international accounting and auditing.