ffirs.qxd 2/4/05 3:38 PM Page iii C1.jpg THE SARBANES ...€¦ · The Sarbanes-Oxley section 404 implementation toolkit: practice aids for managers and auditors / Michael J. Ramos

THE SARBANES-OXLEYSECTION 404IMPLEMENTATIONTOOLKIT

Practice Aids for Managers and Auditors

MICHAEL RAMOS

John Wiley & Sons, Inc.

ffirs.qxd 2/4/05 3:38 PM Page iii

C1.jpg

ffirs.qxd 2/4/05 3:38 PM Page ii


ffirs.qxd 2/4/05 3:38 PM Page i

ffirs.qxd 2/4/05 3:38 PM Page ii


Practice Aids for Managers and Auditors

MICHAEL RAMOS

John Wiley & Sons, Inc.

ffirs.qxd 2/4/05 3:38 PM Page iii

This book is printed on acid-free paper. �∞

Copyright © 2005 by Michael Ramos. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New JerseyPublished simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by anymeans, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted underSection 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of thePublisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center,Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-646-8600, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department,John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, or online athttp://www.wiley.com/go/permission.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts inpreparing this book, they make no representations or warranties with respect to the accuracy or completeness ofthe contents of this book and specifically disclaim any implied warranties of merchantability or fitness for aparticular purpose. No warranty may be created or extended by sales representatives or written sales materials.The advice and strategies contained herein may not be suitable for your situation. You should consult with aprofessional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any othercommercial damages, including but not limited to special, incidental, consequential, or other damages.

Designations used by companies to distinguish their products are often claimed as trademarks. In all instanceswhere John Wiley & Sons, Inc. is aware of a claim, the product names appear in initial capital or all capital letters.Readers, however, should contact the appropriate companies for more complete information regardingtrademarks and registration.

For general information on our other products and services, or technical support, please contact our CustomerCare Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not beavailable in electronic books.

Library of Congress Cataloging-in-Publication Data:

Ramos, Michael J.The Sarbanes-Oxley section 404 implementation toolkit: practice aids for managers and auditors / Michael J.

Ramos.p. cm.

Includes index.ISBN-13 978-0-471-71225-6 (cloth/cd-rom)ISBN-10 0-471-71225-6 (cloth/cd-rom)1. Corporations—Accounting—Corrupt practices—United States. 2. Corporations—Accounting—Law

and legislation—United States. 3. Disclosure of information—Law and legislation—United States. I. Title.HF5686.C7R3483 2005658.15'1—dc22

2004027094

Printed in the United States of America

10 9 8 7 6 5 4 3 2 1

ffirs.qxd 2/4/05 3:38 PM Page iv

v

Contents

About the Author ixPreface xiAcknowledgments xv

Part I Tools for Management 1

ADM-1 General Work Program 3ADM-2 Project Planning Summary 17ADM-2a Checklist for Summarizing Project Team Competence

and Objectivity 31ADM-2b.1 Worksheet for Determining and Documenting Significant

Accounts and Disclosures 34ADM-2b.2 Mapping of Business Processes to Significant Accounts

and Disclosures 40ADM-2c Example Inquiries to Identify Changes to Internal Control 48ADM-3 Summary of Control Deficiencies 50ADM-4 Senior Management Review Checklist 71ADM-5 Checklist for Preparation of Management’s Report

on Internal Control Effectiveness 76

Part II Documentation of Internal Control Design 81

DOC-1 Work Program for the Review of Documentation of Entity-Level Controls 83

DOC-1a Assessment of Internal Control Effectiveness:Overall Approach to Review of the Documentation of Entity-Level Controls 86

DOC-1b Assessment of Internal Control Effectiveness:Checklist for the Review of the Documentation of Entity-Level Controls 90

DOC-2 Work Program for the Review of Documentation of Activity-Level Controls 106

DOC-2a Assessment of Internal Control Effectiveness:Overall Approach to Review of the Documentation of Activity-Level Controls 108

DOC-2b Checklist for the Review of the Documentation of a Significant Transaction or Business Unit/Location 111

DOC-3 Documentation Techniques and Selected Examples for Routine Transactions 113

DOC-4 Checklist for Evaluating SOX 404 Software 136

ftoc.qxd 2/4/05 3:39 PM Page v

Part III Internal Control Testing Programs 139

Entity-Level Controls Testing Tools 141TST-ENT-1 Summary of Observations and Conclusions about

Entity-Level Control Effectiveness 145TST-ENT-2 Work Program for Testing Entity-Level Control

Effectiveness 163TST-ENT-3 Index to Tests of Entity-Level Controls: Inquiries

and Surveys 191TST-ENT-3a Entity-Level Tests of Operating Effectiveness: Inquiry

Note Sheets—Management 196TST-ENT-3b Entity-Level Tests of Operating Effectiveness: Inquiry

Note Sheets—Board Members 207TST-ENT-3c Entity-Level Tests of Operating Effectiveness: Inquiry

Note Sheets—Audit Committee Members 213TST-ENT-3d Entity-Level Tests of Operating Effectiveness: Inquiry

Note Sheets—Employees 220TST-ENT-3e Example Employee Survey 227TST-ENT-4 Index to Tests of Entity-Level Controls: Inspection

of Documentation 235TST-ENT-4a Worksheet to Document Inspection of Documentation

of Performance of Entity-Level Controls 237TST-ENT-5 Index to Tests of Entity-Level Controls: Observation

of Operations 240TST-ENT-5a Worksheet to Document Observation of Operation of

Entity-Level Controls 242TST-ENT-6 Index to Tests of Entity-Level Controls: Reperformance

of Controls 245TST-ENT-6a Worksheet to Document Reperformance of Entity-Level

Controls 247TST-ENT-7 Work Program for Reviewing a Report on IT General

Control Effectiveness 250TST-ENT-7a Planning and Review of Scope of Tests of IT General

Control Effectiveness 255Guidelines for Testing Level of Control Effectiveness 261

TST-ACT-1 Guidelines and Example Inquiries for Performing Walkthroughs 269

TST-ACT-2 Example Testing Program for Activity-Level Tests of Controls 277

TST-ACT-2a Example Testing Program for Control Operating Effectiveness: Revenue 278

TST-ACT-2b Example Testing Program for Control Operating Effectiveness: Purchases and Expenditures 283

TST-ACT-2c Example Testing Program for Control Operating Effectiveness: Cash Receipts and Disbursements 287

TST-ACT-2d Example Testing Program for Control Operating Effectiveness: Payroll 291

TST-ACT-3 Work Program for the Review of a Type 2 SAS No. 70 Report 295

vi Contents

ftoc.qxd 2/4/05 3:39 PM Page vi

TST-ACT-3a Type 2 SAS No. 70 Report Review Checklist 298TST-ACT-4 Process Owners’ Monitoring of Control Effectiveness 305

Part IV Example Letters and Other Communications 311

COM-1 Example Engagement Letter for Outside Consultants to Management 313

COM-2 Example Management Representation Letter 316COM-3 Example Management Reports on Effectiveness of

Internal Control over Financial Reporting 318COM-4 Example Subcertification 320

Part V Tools for External Auditors Performing an Audit of Internal Control 323

ADM-AUD-1 General Audit Program 325

About the CD-ROM 343Index 345

Contents vii

ftoc.qxd 2/4/05 3:39 PM Page vii

ftoc.qxd 2/4/05 3:39 PM Page viii

ix

About the Author

Michael Ramos was an auditor with KPMG and now works as an author and consultant.He is the author of How to Comply with Sarbanes-Oxley Section 404: Assessing the Effec-tiveness of Internal Control. This is his tenth book.

fbetw.qxd 2/4/05 3:37 PM Page ix

fbetw.qxd 2/4/05 3:37 PM Page x

xi

Preface

As I write this, companies are nearing the completion of their inaugural SOX 404 inter-nal control assessment. For many, this process has been a struggle. I’ve met more than afew people who say they’ll end up spending two years working to comply, their compa-nies having spent untold millions of dollars. Soon, their work will be complete, and allinvolved will feel the lifting of a heavy weight from their shoulders as well as a great senseof professional pride. They’ll take a much deserved rest.

And then . . .It starts all over. Spring ’05, SOX II. Then the next year and the year after, SOX III,

SOX IV, like a string of Hollywood B movies. While all the attention has focused on first-year implementation, very few have had the time or desire to acknowledge that SOX 404 iswith us now, a part of the way we do business.

The challenge in this first year has been compliance—understanding the ever-changing requirements and then committing all the resources necessary to get the jobdone. But now that you’ve made it through the first year, a new challenge awaits. Resourcesare finite. How do you now build on the process you created last year—cobbled together inresponse to the rapidly evolving rules—to create a methodology that is repeatable and ableto be taught to and understood by someone who was not part of the core project team?What can you do to make the assessment of internal control more effective and less of adrain on already limited resources?

This book started out to be a collection of forms and checklists. It turned out to besomething much different and, hopefully, more valuable. What I discovered was that creat-ing this book was not about the forms; it’s about the underlying process for SOX 404 com-pliance that the forms describe. Writing this book turned out to be an exercise in processengineering, not in form design. The critical questions asked during writing were always:“What should people do to comply?” “What’s the best way for them to do that? “How dothe results of this work tie in to other parts of the process?” Once I figured out those ques-tions, designing the checklist was fairly easy. All the practice aids in this book are just partsof a road map to lead you through a process that I’ve mapped out.

This process is still a bit fuzzy, but it is becoming increasingly more well-defined. Com-mon approaches and methodologies have begun to emerge, which are reflected in thesepractice aids. A good starting point for understanding this process I’ve laid out is the firstpractice aid, the General Work Program (form ADM-1). All the other practice aids are justfootnotes to this General Work Program, providing more structure and detail to the over-all process. The practice aids are integrated to provide a consistency of approach for all the main phases in the internal control assessment: planning, documentation, testing, andreporting.

As I worked on this project and started to define what I thought was an effective andefficient process for SOX 404 compliance, I made some choices about the process that shouldbe explained. First, at each phase of the project, the project team basically does two things:

1. They gather information, and then

2. They assess that information, pull it together to form a reasoned, supportable con-clusion.

fpref.qxd 2/4/05 3:38 PM Page xi

Most of these practice aids are designed to help in information gathering, and whatI’ve tried to do is find ways to structure the presentations of that information so you canunderstand what it means.

Second, in the area of testing, I believe that the most successful SOX projects havebeen the ones where project teams have been actively engaged with operating personnel todiscover “what really goes on” at the company. I’ve spoken with project team leaders andseen work programs that describe a testing approach that seems too hands-off to me. I’mconcerned about the quality of the conclusions reached by a project team that relies primarily on a discussion with a single individual, or the reading of a document, or theobservation that a code of conduct has been posted to the company intranet to draw con-clusions about control design or operation. You’ll see that the testing process I’ve laid outis much more involved and requires the project team to be more active—asking multiplequestions, making observations, corroborating single instances of control complianceuntil a clear pattern emerges.

To use these practice aids as they were intended, I think it might also be helpful if Ishared my basic principles for design. Over the years, I’ve worked with a number of certi-fied public accountants (CPAs) who perform the same types of tasks required of a SOX404 engagement. I’ve observed many, many instances where auditors have equated theirwork with the documentation of the work. If the subject matter of their tests is quantitative,this relationship holds true. For example, if an auditor is asked to test the accuracy ofrecorded interest expense, he or she would make a calculation of the expected expense(using average loan balance, the interest rate, etc.) and compare that expectation to therecorded amount. The auditor would then prepare a worksheet to show the calculationand the comparison. The process of doing the work—pushing around numbers to make acalculation—is the same as the documentation of the work.

This equality between work and work product is not true when dealing with subjectivesubject matters—such as internal control—where the primary tests are inquiry, observa-tion, and analysis. Under these circumstances, if we put a checklist in front of some-one, they too often believe their task is to complete the checklist. They focus their energyon filling out the checklist. This approach is misguided. The task is to gather and assessinformation and draw a supportable conclusion. The checklist is there to aid in their infor-mation gathering and assessment and to document conclusions. The checklist is only ameans to an end, not an end in itself.

These practice aids are designed to be work product, a culmination of the work per-formed. To reinforce that idea, you’ll see that the forms and checklists are addressed fromthe project team member to an audience of reviewers such as project team leaders, seniormanagement, or the external auditors. They are designed to have the project team mem-bers “fill in the blank” about

• The work they performed

• What they observed, or the results of their tests

• What they concluded based on their observations or the results of the tests

By writing the forms in this fashion, I hoped to remind the project team member that com-pleting the checklist is not the primary objective.

Preceding each form is a brief set of instructions on how to complete the form. Theseinstructions are addressed from me to the project team. These instructions are notintended to be included in your final work product. These instructions provide reference toSecurities and Exchange Commission (SEC) rules, Public Company Accounting Oversight

xii Preface

fpref.qxd 2/4/05 3:38 PM Page xii

Board (PCAOB) standards, and other guidance, but they do not summarize or explainthese requirements. These practice aids are intended to supplement the guidance youalready have on SOX 404, and to the extent that questions arise about the informationrequired to complete a form (e.g., “what is a material weakness?”), you should turn tothose other sources of guidance.

Working on this book has forced me to clarify my own thoughts on what projectteams should do to comply with SOX 404. By refining the 404 compliance process andcreating this integrated tool set, I hope I have helped to make the process repeatable andtherefore more efficient and effective. Postimplementation, this is the most immediatechallenge we face.

Other challenges are still to come. These are for another day, perhaps another book.Enjoy!

Michael RamosOctober 2004

Preface xiii

fpref.qxd 2/4/05 3:38 PM Page xiii

fpref.qxd 2/4/05 3:38 PM Page xiv

xv

Acknowledgments

TECHNICAL ADVISORY BOARD

This book was written with the assistance of several individuals and their firms, who pro-vided financial support, input, and feedback during the lengthy development of thesematerials. I am very grateful to the following individuals and their firms for their generoussupport and encouragement.

The members of the Technical Advisory Board are:

John Compton Michelle ThompsonPartner PartnerCherry Bekaert & Holland, LLP Cherry Bekaert & Holland, LLP

Krista M. Kaland Ronald P. PachuraPartner, Director of Assurance Services Business Risk Services Practice DirectorClifton Gunderson LLP Clifton Gunderson LLP

Michael C. Knowles Randy von FeldtPartner Senior ManagerFrank, Rimerman & Co. Frank, Rimerman & Co.

I would like to thank Ginny Carroll for her fine attention to detail and the significantimprovements she made to the overall readability of the book. A sincere thanks also to the staff at North Market Street Graphics for all their hard work during the productionprocess.

Finally, I would like to thank John DeRemigis and Judy Howarth for their encourage-ment and patience in the development of these materials.

flast.qxd 2/4/05 3:38 PM Page xv

flast.qxd 2/4/05 3:38 PM Page xvi


flast.qxd 2/4/05 3:38 PM Page xvii

flast.qxd 2/4/05 3:38 PM Page xviii

PART ITools for Management

p01.qxd 2/4/05 3:39 PM Page 1

p01.qxd 2/4/05 3:39 PM Page 2

3

ADM-1

General Work Program

PURPOSE

This form has been designed to

• Facilitate the organization of an efficient process for evaluating the effectiveness of thecompany’s internal control

• Help ensure that the company’s assessment of internal control effectiveness contains allelements required by paragraph 40 of PCAOB Auditing Standard No. 2

• Facilitate an external auditor’s understanding and evaluation of the company manage-ment’s process for assessing the effectiveness of the company’s internal control over fi-nancial reporting

INSTRUCTIONS

Use this form to guide the design and performance of the company’s project to assessinternal control effectiveness. As each step in the program is completed, the person respon-sible for performing that step should put his or her initials and the date in the indicated col-umn on the worksheet. If the step is not applicable, indicate that by noting “N/A.” Use the“Notes” column to cross-reference to where the performance of the procedure is docu-mented or to make other notations.

Notations in italics are additional instructions to the preparer of the form and should beremoved before the form is considered final.

ASSESSMENT OF INTERNAL CONTROL EFFECTIVENESSGENERAL WORK PROGRAM

Company: ______________________ Reporting Date: ______________________

Prepared by: ____________________ Date Prepared: _______________________

This form summarizes the procedures we performed to document, test, and report on theeffectiveness of the company’s internal control over financial reporting.

p01.qxd 2/4/05 3:39 PM Page 3

N/AProcedure PerformedPerformed by Date Notes

Project Planning

1. Form the project team. Considerboth internal and externalresources and the expertiseneeded to successfully completethe project, including IT expertise.a. Determine the extent to which

management intends to havethe external auditors rely onthe work of the project team intheir audit of the company’sinternal control. For each proj-ect team involved with thoseareasi. Assess its competency.ii. Assess its objectivity.

[Consider using form ADM-2, ProjectPlanning Summary, to document theperformance of this step.]

2. Determine the nature of the inter-nal control services, if any, that thecompany’s external auditors willprovide or have provided to thecompany during the current auditperiod.a. If the external auditors have

provided internal control ser-vices to the company, obtainapproval of the board anddetermine that this approvalhas been documented in theminutes.

3. Gather current information rele-vant to the internal control assess-ment and make this available tothe project team members to allowthem to better plan the project.

4 Tools for Management

p01.qxd 2/4/05 3:39 PM Page 4


Determine Project Scope

[For all steps listed in this subsection,related to project scope, considerusing form ADM-2, Project PlanningSummary, to document the perfor-mance of the step.]

4. Entity-level controlsa. Identify entity-level controls

required to be documented,evaluated, and tested accord-ing to PCAOB, SEC, or otherauthoritative standards.

b. Identify other entity-level con-trols designed to meet signifi-cant control objectives.

5. Centralized processing and controlsa. Identify all centralized

processes and controls, includ-ing shared service environ-ments, that affect the relevantassertions of significantaccounts and disclosures.

6. Activity-level controlsa. Identify the significant accounts

and disclosures within thefinancial statements.

b. For all significant accountsidentified in step 6a, identifythe relevant assertions.

c. For all significant accountsidentified in step 6a, identifythe major transactions affectingthese accounts. Separatelyidentifyi. Routine transactionsii. Nonroutine transactionsiii. Estimates

ADM-1 5

p01.qxd 2/4/05 3:39 PM Page 5


d. Routine transactions. For eachroutine transaction, identify thesignificant processing proce-dures.

e. Nonroutine transactions andestimates. Determine that non-routine transactions identifiedin step 6c are included in theconsideration of entity-levelcontrols in step 4.

7. Determine the locations or busi-ness units to be included in thescope of the project.

8. Identify the significant processingprocedures that are performed bythird-party organizations.a. Determine which of the ser-

vices performed by a thirdparty are part of the company’sinformation system.

b. Determine how the projectteam will obtain the informationnecessary to understand andevaluate the design and oper-ating effectiveness of controlsat the third party (for example,by obtaining a Type 2 SAS No.70 report).

9. Consider how unusual circum-stances will affect the scope of theproject, including• Business acquisitions made

since the last internal controlevaluation

• Variable-interest entities (VIEs)included in the company’s con-solidated financial statements

• Installation of a new accountingsystem


p01.qxd 2/4/05 3:39 PM Page 6


10. Determine which businessprocess owners will be required toprovide subcertifications.

Project Administration

11. Prepare a timeline of the sched-uled performance and completionof major project phases.

12. Document significant planningdecisions, for example by complet-ing form ADM-2, Project PlanningSummary.

Coordination with External Auditors—Project Planning

13. Communicate with the auditors,preferably in writing, to providethem with information that will helpthem plan their audit of internalcontrol over financial reporting,includinga. The extent of recent changes,

if any, in the company, its oper-ations, or its internal control

b. Preliminary judgments aboutfactors relating to the determi-nation of material weaknesses

c. Control deficiencies previouslycommunicated to the auditcommittee or management

d. Legal or regulatory matters ofwhich the company is aware

14. In order to help the external audi-tors understand management’sprocess for evaluating internalcontrol effectiveness, considerproviding the auditors with a copyof the documentation of significantplanning matters prepared in step 12.

ADM-1 7

p01.qxd 2/4/05 3:39 PM Page 7


a. If you provide a copy of thedocumentation of significantplanning matters, considerpreparing a written request forconsideration and feedback toclarify why management is pro-viding the documentation to theauditors.

Documentation of Internal Control

15. Documentation completeness. Forall locations, business segments,service organizations, or otherunits included within the projectscope (see steps 7, 8, and 9),determine that the company hasdocumented all significant controlsrelating toa. Entity-level controls identified in

step 4b. Centralized processes and

controls identified in step 5c. Activity-level controls identified

in step 6

16. Documentation currency. Deter-mine that the content of the inter-nal control documentation is up todate and reflects current practicesat the company.a. Identify all changes to internal

control procedures since thedocumentation was last pre-pared.

b. Determine that all changes tointernal control procedureshave been reflected in the doc-umentation.

c. Identify all changes to the inter-nal control documentationsince the last internal controlaudit and determine that thechanges


p01.qxd 2/4/05 3:39 PM Page 8


i. Were authorizedii. Are reflective of actual

changes to control proce-dures

17. Documentation content. Reviewthe content elements of the docu-mentation identified in step 15 todetermine that it contains all nec-essary elements.a. Entity-level and centralized

controls should be described insufficient detail to understandthe nature of the control proce-dure and• Its relationship to control

objectives• Who performs the procedure• How often it is performed• Whether and how perfor-

mance of the procedure isdocumented

• Other information necessaryto assess the design effec-tiveness of the control

b. Activity-level controls shouldinclude all items listed in step17a plus• Information about how signifi-

cant transactions are initi-ated, authorized, recorded,processed, and reported

• Sufficient information aboutthe flow of transactions toidentify the points at whichmaterial misstatements dueto error or fraud could occur

18. Assess the efficiency and effec-tiveness of the company’sprocesses for maintaining ade-quate documentation of internalcontrol and recommend improve-ments, if applicable.

ADM-1 9

p01.qxd 2/4/05 3:39 PM Page 9


[If the company is considering the useof an integrated computerized softwaredocumentation solution, consider formDOC-4, Checklist for Evaluating SOX404 Software.]

19. Confirm the design of internal con-trol by performing procedures tounderstand how and how consis-tently the documented control procedures are performed by company personnel. For example,consider performing walkthroughprocedures for the significantprocesses of major transactions.

[For suggestions on how to performwalkthrough procedures, see form TST-ACT-1.]

Coordination with External Auditors—Documentation

20. If this is the first year the currentexternal auditors will be perform-ing an audit of the company’sinternal control, consider providingthem with an example of the com-pany’s documentation of internalcontrol.a. If you provide a copy of exam-

ple documentation, considerpreparing a written request forconsideration and feedback toclarify why management is pro-viding the documentation to theauditors.


p01.qxd 2/4/05 3:39 PM Page 10

Documents

ffirs.qxd 2/4/05 3:38 PM Page iii C1.jpg THE SARBANES ...€¦ · The Sarbanes-Oxley section 404 implementation toolkit: practice aids for managers and auditors / Michael J. Ramos