I am working with a Company that really hasn't addressed the issue of formal internal controls, documentation and compliance. Does anyone have a Sarbanes Oxley checklist, advice, or a good reference to facilitate the process of organisation?
Most Sarbanes Oxley checklists were based on audit checklists which were based on AS-2 or AS-5 auditing standards. In general they do not work for the company assessment - but run up significant expense.
Agree with J. Finn's comment.
I have threatened to write a book on how not to implement SOX 404; it can be a huge waste of time and money if not done at the right process level and focused on the right risks.
The key here is to do a risk based approach and to look at financial reporting risk as an operational risk which means assessing PEOPLE, PROCESSES, and SYSTEMS.
You are taking the right approach. In fact focusing on just about anything other than a naive belief that there are "discrete" controls is appropriate. I have spent over 30 years doing workflows and am convinced "a control" is a continuous process performed by people - not a discrete activity.
I would take a look at the COSO publication, Internal Control over Financial Reporting – Guidance for Smaller Public Companies. Also, and it has been a couple of years since I looked, there are several applications with templates for developing internal controls from scratch. Last time I looked they were all offered by the AICPA.
Several years ago when we did our implementation we found it easier to just start from scratch on the documentation and fit best practices to our situation. If there were weaknesses, and there always are when you are working with a small staff, we documented the weakness along with our procedure for mitigating the risk.
I want to comment on and agree with the posts by Scott Lane and Randy Rutledge. From my experience, both have hit on the issues.
From 2003 to 2007 I was consulting, largely on SOX404 projects. In the earlier days, it was not unusual to find clients that misgauged requirements resulting in "false starts" or they started late, creating a time crunch emergency.
SOX needs to be a risk based assessment. Companies need to understand this, and evaluate the risks inherent to their business as it relates to their financial reporting. One of the challenges is to appropriately define and segregate what actually are financial reporting risks vs. operational and regulatory risks.
It is an effort to understand the alignment of people - processes - systems. I view this in terms of how companies deal with transactional processing activities and events.
Typically companies capture most activities through daily transactional processing. Month-Quarter-Year End closings result in evaluating the transactions recorded, and adjusting estimates accordingly.
Events occur when significant changes occur. They are typically one-off, non-recurring issues. These could result in needing to change the underlying processes. Events are evaluated for their impact on the Balance Sheet valuation; adjustments likely result, or at least disclosure.
The referenced Small Company Internal Control document is a good listing of risks and areas to focus upon. I've recommended this before in this post.
There is a logical process to complete the SOX 404 setup. Many of my clients thought they knew everything going on in their business, and learned things didn't necessarily happen the way they assumed or intended.
While Randel and Randy make some interesting points regarding the COSO framework, it is not intended as guidance for a company's actual SOX compliance. That is why the SEC produced the "interpretative guidance" for companies. The COSO framework makes interesting general reading on the five major components of an internal control environment, but it does not provide specifics on how a company can perform an assessment that will "legally" meet the SEC requirements for companies to comply with SOX assessments (Section 404).
The interpretative guidance is available in the Federal Register at "SECURITIES AND EXCHANGE, 17 CFR Part 241 [Release Nos. 33–8810; 34–55929; FR–77; File No. S7–24–06]" and contains the following declaration on the first page: "SUMMARY: The SEC is publishing this interpretive release to provide guidance for management regarding its evaluation and assessment of internal control over financial reporting. The guidance sets forth an approach by which management can conduct a top-down, risk-based evaluation of internal control over financial reporting. An evaluation that complies with this interpretive guidance is one way to satisfy the evaluation requirements of Rules 13a–15(c) and 15d–15(c) under the Securities Exchange Act of 1934. DATES: Effective Date: June 27, 2007."
COSO is sort of like "Apple Pie", but the SEC document is a "Recipe".
After reading the comments and concerns of those interested in this issue, I wish to make a "Summarizing" comment based on my last seven years experience with over a dozen SOX programs at separate companies.
1. Prior to 2007 there was no recognized useful guidance for a company's management to address "SOX Compliance". As a result most companies got overwhelmed with auditing checklists and control minutia by chasing the elusive "assertions" required by AS-2. Many companies have not recovered or cleaned up their excess AS-2 documentation yet. Even today, only individuals who are working these issues on a daily basis are familiar with the value of the interpretative guidance from the SEC or the application of a similar risk based approach focused on viewing financial reporting as a "report production process" that needs management's evaluation for quality control, and an assessment for confirmation of their control effectiveness.
2. COSO is a framework, not a specification, and it is effective at the highest conceptual level of the control environment. It is an outline that needs to be filled in by the company, but it is not a specification for the SOX section 404 compliance assessment requirement. If your SOX section 404 concepts are "pre 2007" you should reevaluate them in light of the most recent authoritative developments.
3. The first practical steps to create a foundation for section 404 compliance are adequate documentation of the financial reporting process (workflow) procedures, and a risk based analysis and assessment in accordance with the SEC interpretative guidance.
Anything else is of a lesser authoritative level for a company's management, and may be biased by outside financial interests. The SEC is the best authoritative source for management's ICFR assessment as required by SOX section 404.
The answers here were written in 2010. With changes in the law, and the new COSO 2014 implementations, would you change your answers?
Simon, before you build checklists I might suggest a solid understanding of the company. If the company has been ISO certified, ask for the process mapping and start your control search there. Well mapped processes make those critical control points and the areas of risk almost jump off the diagrams. From the beginning, one of the gaps in developing SOX checklists is a deep understanding of process and control points that may be present. A well executed process mapping, required in the ISO certification process, will serve you well as you look at the risks and what the key controls are. Once you understand the organization, then look to these COSO sites and references for determining controls. The COSO 2010 changes provide for a great deal of tailoring compared to the original 2007 guidance.