Section 404 Assessments
EXHIBIT 6.4 Payroll Timecard Process, Salaried
9. Complete Report on the Effectiveness of the Internal Control Structure
6.4 CONTROL OBJECTIVES AND RISKS UNDER SECTION 404

Although due dates have changed several times and may change again as this book goes to press, the current rule for Section 404 compliance is that all SEC-registered organizations with a financial year ending on or after July 1, 2004 are required to comply with SOA requirements. At the time of this book's publication, many organizations have just gone through their first round of Section 404 compliance assessments. The rules for non-U.S. corporations have been eased, and overall due dates may be extended further. However, Section 404 reviews represent a law that all SEC-registered corporations will be required to live with going forward. Once that first Section 404 review has been completed, it is easy to say something along the lines of, "Wow, we're done with that. Now let's get back to business as usual." It will not be that easy. Once an organization has gotten through its first Section 404 review, it should establish a process for continuous monitoring, evaluation, and improvement of its internal controls.
Going forward, the organization needs to monitor its key systems, determine whether there were any changes in subsequent periods, and design internal control procedures to correct any control weaknesses or otherwise fill control gaps.
This is an ongoing periodic exercise, and the team that first implemented the Section 404 compliance work will almost certainly have returned to normal job duties. This is the time to look at the Section 404 review work that was completed and make any necessary changes to improve the efficiency and value of these reviews. Given the time and resources expended in completing them, an organization should use this material to improve its overall internal controls environment.
An organization's Section 404 documentation standards and materials need to be reviewed and updated on a regular basis. Systems and processes change, and acquisitions or corporate reorganizations modify the environment. In the paragraphs following, we suggest two approaches to help document internal controls, both to support SOA Section 404 and to document internal accounting controls in general.
(a) Developing an Internal Controls Matrix
A tabular matrix that supports the graphical process diagram is an effective way to document the controls in a process and to justify the steps taken to classify and assess those controls. The matrix works best when tied to a process flowchart of the kind shown earlier in this chapter; however, an organization can describe its controls using the matrix alone, without the supporting diagram. Exhibit 6.6 is an example of the type of control matrix that should be constructed for a Section 404 review. It lists the controls within a process, the risk each control addresses, the type of each control, and the financial statement assertion that the control supports; a control criticality rating, described below, can be added as a further column.

EXHIBIT 6.6 Control Matrix Example

| # | Control | Risk | Assertion | Control Type |
|---|---------|------|-----------|--------------|
| 1 | Controller performs monthly income statement analysis comparing actual amounts to forecast and prior periods. All fluctuations or unanticipated balances are researched and documented. | Recurring entries are not posted or are improperly posted. | Measurement/Valuation | Manual |
| 2 | Monthly reconciliations are performed for all balance sheet accounts. All fluctuations or unanticipated balances are researched and documented. Reconciliations are reviewed and approved by accounting, as evidenced by a manual signature. | Recurring entries are not posted or are improperly posted. | Measurement/Valuation | Manual |
| 3 | Controller performs monthly income statement analysis comparing actual amounts to forecast and prior periods. All fluctuations or unanticipated balances are researched and documented. | Intercompany activity is not identified or recorded properly. | Measurement/Valuation | Manual |
| 4 | All invoices are reviewed and approved by the sales manager. | Invoices are not created properly or are not created for all customers. | Measurement/Valuation | Manual |
| 5 | All invoices are reviewed and approved by the sales manager. | Invoices are generated for fictitious customers. | Measurement/Valuation | Manual |
| 6 | Accounts receivable aging is reviewed by the controller, independently of the invoice generation process. | Invoices are generated for fictitious customers. | Measurement/Valuation | Manual |
| 7 | Monthly reconciliations are performed for all balance sheet accounts. All fluctuations or unanticipated balances are researched and documented. | Month-end entries are improperly posted or not posted at all. | Measurement/Valuation | Manual |
| 8 | Controller and accounting manager review entries for accounting and clerical accuracy. | Financial statements may contain clerical or other errors. | Existence/Completeness | Manual |

Using the example in Exhibit 6.6, which is drawn from another accounting-related process, such a chart is organized on a column-by-column basis as follows:
• Summarized Control Points. A brief paragraph describes each control point. For the first control in the exhibit, the controller performs a monthly income statement analysis. Each description should be brief, with only enough information to describe the overall control.
• Associated Risks. This column lists the risks that each control addresses. In the first example, even though the controller reviews the income statement analysis, there is a risk that a recurring entry will not be posted or will be posted incorrectly. There can be multiple risks associated with each control point (controls 4 and 5 in the exhibit are the same control listed against two different risks), but the idea should be to identify only the more significant risks.
• Related Assertions. Financial and internal controls assertions were discussed previously. The aim is to list, for each control, one or more of the financial statement assertions that the control supports, giving management a basis for asserting that the control is in place and working. Under the Existence and Completeness assertions, for example, management expects that all transactions in this example have been recorded for subsequent review.
• Control Type. For documentation and understanding purposes, the type of each control should be identified. In this example, all are shown as manual, but control types include:
◦ Manual. Controls exercised by one individual or a group of individuals, such as the monthly reconciliations and account analyses performed by the accounting staff.
◦ Application. Controls built into the programs that process or edit a transaction, including edit checks, validations, and calculations, as well as nonprogrammed controls such as the manual balancing of computer-produced information.
◦ Preventive. Controls applied to each transaction during the normal flow of processing to prevent errors from occurring.
◦ Detective. Controls applied outside the normal flow of processing, to transactions already processed or partially processed, to detect and correct errors. Detective controls can be either manual or automated application controls.
Note that these are two separate classifications: manual versus application describes how the control is performed, while preventive versus detective describes when it acts relative to the transaction. A control should be described on both axes; the accounts receivable aging review in control 6, for instance, is a manual detective control. Defining control type in this way lets persons reviewing the control matrix gain an overall understanding of the nature of each control point.
• Control Criticality. Based on the nature of each control, the associated risks, and the type of control, each should be further classified by criticality as follows:
◦ High. A significant control, relied on to prevent the identified risk or to detect it if it occurs. Controls rated high should be tested as part of regular Section 404 internal control testing, as discussed below.
◦ Medium. A less significant control that is not relied on by itself to prevent or detect the identified risk. Controls rated medium typically would not be tested in association with Section 404 testing. Because this rating determines what is excluded from testing, the reason for a medium rating should be recorded in the matrix so that a reviewer can see why the control was not tested.
A package of process flowcharts and the supporting control matrices should be prepared for each key process. We have presented example formats, but some external auditors, who must attest to the organization's Section 404 assessment, may prefer slightly different approaches or formats. The formats presented should allow an organization to complete its Section 404 review materials in a credible manner and in a form that supports external audit attestation.
(b) Testing Section 404 Internal Controls
As an essential component of the Section 404 review process, critical internal controls must be tested. If the process-by-process control matrix charts outlined earlier are used, the level of testing will depend on the criticality assigned to each control.
This testing follows the same approach as the other aspects of these Section 404 reviews: the team doing the actual internal controls documentation, not external audit, is responsible for appropriately testing the identified internal controls. This emphasizes the importance of internal audit doing the actual testing work, or at least supervising it and reviewing the results. Internal auditors have skills in designing test plans and developing testing procedures, an area where many other members of the organization may not have the same level of experience. This is another reason why internal audit may be the most appropriate group in the organization to design and perform an appropriate level of internal controls testing.
Internal controls testing, also referred to as audit sampling, is discussed in Chapter 16. Whether for SOA Section 404 internal controls testing or for other internal audit tasks, testing is an important internal audit skill. The results of that testing are necessary to confirm that internal controls are working effectively as described. If the results indicate material control weaknesses, efforts should be initiated within the organization to improve the control procedures as necessary or to design appropriate compensating controls.
6.5 DISCLOSURE COMMITTEE AND KEEPING