Complying with Sarbanes-Oxley Section 404: A Guide for Small Publicly Held Companies
Lynford Graham
John Wiley & Sons, Inc.
Copyright 2010 by John Wiley & Sons, Inc. All rights reserved. Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our Web site at www.wiley.com.

ISBN 978-0-470-57255-9
Printed in the United States of America.
Contents

Preface
Acknowledgments
About the Author

Chapter 1: Introduction and Company Requirements
  Chapter Summary
  Lessons Learned
  Management's Evaluation of Internal Control
  SEC Company Requirements
  Working with the Independent Auditors

Chapter 2: The COSO Internal Control Framework
  Chapter Summary
  Need for Control Criteria
  The Triangle of Efficiency
  COSO Internal Control Integrated Framework
  Information and Communication
  Internal Control for Small Businesses
  Information Technology Controls
  Control Objectives and Assertions: The Building Blocks of Controls Documentation
  Example Control Objectives by COSO Component
  Appendix 2A: Understanding and Awareness of Control Responsibilities
  Appendix 2B: Management Antifraud Programs and Controls: An Element of the Control Environment
  Appendix 2C: Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees

Chapter 3: Project Scoping
  Chapter Summary
  Introduction
  Does "In Scope" Imply Extensive Testing?
  Review Obvious Information Sources
  A Process for Risk Assessment
  Appendix 3A: Summary of Scoping Inquiries
  Appendix 3B: Understanding Fraud Risk Assessment

Chapter 4: Project Planning
  Chapter Summary
  Objective of Planning
  Information Gathering for Decision Making
  Structuring the Project Team
  Consider Project Tools and Software
  Consider a Pilot Project
  Coordinating with the Independent Auditors
  Documenting Your Planning Decisions

Chapter 5: Documentation of Internal Controls
  Chapter Summary
  Importance of Documentation
  Assessing the Adequacy of Existing Documentation
  Documentation Supporting the Control Environment
  Documenting Activity-Level Controls
  Finding Control Activity Control Objectives
  Appendix 5A: Sample Control Objectives for Major Control Activities
  Appendix 5B: Linkage of Significant Control Objectives to Example Control Policies and Procedures

Chapter 6: Testing and Evaluating Entity-Level Controls
  Chapter Summary
  Overall Objective of Testing Entity-Level Controls
  Testing Techniques and Evidence
  Evaluating the Effectiveness of Entity-Level Controls
  Documenting Test Results
  Appendix 6A: Conducting Interviews: Gathering Internal Control Information
  Appendix 6B: Example Practice Aids: Gathering Internal Control Information
  Appendix 6C: Example Inquiries of Management Regarding Entity-Level Controls: Gathering Internal Control Information

Chapter 7: Testing and Evaluating Activity-Level Controls
  Chapter Summary
  Introduction
  Confirm Your Understanding of the Design of Controls First
  Assessing the Effectiveness of Design
  Assessing Operating Effectiveness
  Evaluating Test Results
  Documentation of Test Procedures and Results
  Interactions with the Independent Auditors
  Appendix 7A: Sample Size Tutorial
  Appendix 7B: Example Inquiries

Chapter 8: Evaluating Control Deficiencies and Reporting on Internal Control Effectiveness
  Chapter Summary
  Control Deficiencies
  Evaluating Control Deficiencies
  Annual and Quarterly Reporting Requirements
  Reporting on Management's Responsibilities for Internal Control
  Required Company and Auditor Communications
  Reporting the Remediation of Weaknesses
  Coordinating with the Independent Auditors and Legal Counsel
  Appendix 8A: Action Plan: Reporting
  Appendix 8B: Assessing the Potential Magnitude of a Control Deficiency

Key Resources
  Final Rule: Management's Report on Internal Control over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports

Index
Preface

This edition marks the change in authorship of this popular work from Mike Ramos. It departs in some ways from the prior editions by providing additional in-depth guidance and more frequent citations from authoritative sources, giving the reader a clearer distinction between requirements on the one hand and suggestions and guidance on the other. In addition, it focuses on proven techniques to make the 404 implementation and annual compliance process more efficient. Some additional practice aids are provided, and all practice aids from the previous editions have been edited. In that way, this edition can have value to entities that have already reported on internal controls and are still seeking approaches that achieve greater efficiencies for the longer term.

The book retains the primary perspective of company performance and reporting on internal controls as its central focus, but with generous citations of the expectations of auditors based on SEC and PCAOB regulations. For companies, these citations are designed to help anticipate and bridge the differences in client-auditor perspectives that can be very costly to work out in real time. The book also has value to auditors seeking to relate company and auditor requirements and to perform efficient and effective procedures that meet budget and regulatory requirements. In some places, guidance specifically directed to auditor-readers has been incorporated into the work. The book is not a substitute for reading the company and auditor requirements in their entirety, but it tries to make those readings more understandable in context. The implementation of revised SEC and PCAOB requirements seems to have created an impression of kinder and gentler standards, but make no mistake: the onus is on companies and auditors to support the judgments they make. This book will provide guidance on the potential landmines that can lie under the seemingly more smoothly paved roads to compliance.
We have traveled far enough down the road to be able to assess some of the real implementation costs and benefits of the Sarbanes-Oxley Act (SOX). Companies have survived the initial implementation, and lessons abound to help other companies comply in an efficient and effective manner. Frauds and misstatements continue to occur, but we do see evidence that more effective controls and antifraud procedures that are easy to implement dramatically reduce the losses due to fraud when it occurs. We also see an expansion of SEC interest in directly regulating industries that previously filed only information reports to the SEC. The Madoff and Stanford scandals remind all of us that the risks remain real when other people's money is the basis of a business model. Large dollars attract talented fraudsters. While no company wants additional regulation or added costs, the safety and reliability of our capital markets require that financial statements be reliable, and the rising incidence of restatements and fraud leading up to SOX legislation created a need for more effective financial reporting controls. This edition provides additional background on how the requirements for companies and auditors relate to the goal of reliable financial reporting.

At the time of this writing, the Section 404(b) auditor reporting requirement is scheduled to take effect for audit reports issued after June 15, 2010. SEC Chairman Mary L. Schapiro stated that this will be the last extension granted by the Commission. Regardless of whether there is another auditor report deferral, the implications for companies regarding their reporting requirements are the same. If the company process and report are deficient, auditors will nevertheless have a reporting responsibility to point this out in their audit report, as discussed in the book.
However, a complication is that if a further deferral is approved, some auditors with only a few public company engagements who choose to defer their education and training about the requirements may not be fully prepared to counsel clients on their projects and reports early on, and thus may have additional (and potentially embarrassing or costly) comments later in the process or in the year of auditor reporting. The best strategy is for companies to be fully knowledgeable and prepared to comply with all aspects of the regulations in their first year of reporting under 404(a), and to set up their projects to minimize the future audit costs when the auditor reporting requirements are finally effective. This book is intended to provide that guidance to companies.

Lynford Graham
November 2009
Acknowledgments

This new edition builds on the prior editions authored by Mike Ramos. His pioneering efforts to provide guidance on a brand new subject matter, the Section 404 requirements of the Sarbanes-Oxley Act of 2002, in a world of uncertainty and changing rules is a significant and timely accomplishment. He is owed a great debt for his willingness to commit to publication of guidance in such a fluid environment. In the third edition, Mike identified the important contributions of individuals as well as a Technical Advisory Board assembled to review and contribute to the prior editions. They undoubtedly had an influence on this edition, and acknowledgment of their efforts continues.

This edition departs from earlier editions and provides additional perspective and practical advice from the learning experiences of companies and auditors and from academic and practice research conducted on the early implementations of the Sarbanes-Oxley Act. Appreciation is extended to the members of the AICPA 404 Implementation Task Force (2003-2006) for their efforts to discern the implications of the SEC and PCAOB requirements, and for the leadership provided to that effort by my friend and former colleague Gary Stauffer in working with the Task Force and opening dialogues with the regulators, companies, and audit firms. Thanks also need to be extended to my colleagues at BDO Seidman, LLP, and especially Wayne Kolins for his support and deep interest in complying with the spirit of the act as well as the written requirements. It is through the open (sometimes spirited) dialogues and challenges of colleagues, clients, regulators, and academics that the important practical issues are clarified and resolved.

Of course, the patience and support of my spouse, Barbara, and my sons, Chris and Geoff, are acknowledged for my absence during the dark days of the initial 404 implementation, the many years before that I spent in audit practice and in service to the profession, and the period of time spent in revising this work.
About the Author

Lynford Graham is a Certified Public Accountant with more than 30 years of public accounting experience in audit practice and in various National Firm policy development groups. He is a Visiting Professor of Accountancy and Executive in Residence at Bentley University in Waltham, MA. He was a Partner and the National Director of Audit Policy for BDO Seidman LLP, responsible for the development and implementation of audit policy, sampling training, and audit software. Dr. Graham was responsible for BDO Seidman's implementation of audits of internal control under PCAOB AS 2, and participated with professional groups in developing industry-wide guidance on audits of internal control. Prior to joining BDO Seidman LLP, Dr. Graham was an Associate Professor of Accounting and Information Systems and a Graduate Faculty Fellow at Rutgers University in Newark, New Jersey. Prior to that, he was a National Accounting & SEC Consulting Partner for Coopers & Lybrand.

Dr. Graham is a member of the American Institute of Certified Public Accountants (AICPA), and a past member of the AICPA's Auditing Standards Board. He chaired the AICPA's Audit Risk Guide Task Force (Assessing and Responding to Audit Risk in a Financial Statement Audit) and was the principal author and Chair of the Task Force clearing the 2008 revision of the AICPA audit guide Audit Sampling. Throughout his career he has maintained an active profile in the academic as well as the business community. In 2002 he received the Distinguished Service Award of the Auditing Section of the AAA. His numerous academic and business publications span a variety of topical areas, including information systems, internal controls, expert systems, audit risk, audit planning, fraud, sampling, analytical procedures, audit judgment, and international accounting and auditing.