
Sustaining SOX 404: A Project Management Approach

By Scott C. Wilkins, CPA, and Parveen P. Gupta, Ph.D.

Management Accounting Quarterly, Winter 2007, Vol. 8, No. 2

Complying with the internal control certification requirements under SOX Section 404 can be difficult for a company of any size. By using a project management approach and implementing several better practices, companies can devise a compliance project that is not only cost effective but that also helps achieve better business results.

The Sarbanes-Oxley Act of 2002 (SOX) was enacted in the wake of many egregious corporate scandals involving fraud, greed, and breakdowns in internal controls. This landmark legislation has helped the United States do what no other country in the world has yet attempted to do: improve the standards for corporate accountability from the very top (the board of directors and senior management) to the lowest levels of the company, where business transactions and related activities are performed. It is the new internal control requirements of Section 404 of the Act where this law has its biggest impact on publicly traded corporations. Specifically, Section 404 requires management to take ownership of internal controls over financial reporting (ICFR) by assessing and publicly reporting on their effectiveness. To add more teeth to these requirements, this Section also requires external auditors to attest to management’s assessment by independently opining on the effectiveness of a company’s ICFR.

Large accelerated filers are in their third year of Section 404 compliance. In spite of this, controllers, their staffs, and many SOX compliance specialists admit that it is still very easy to get lost in the maze of identifying, testing, and continuously monitoring key controls, maintaining relevant documentation, and rolling up the individual process-level assessments being conducted throughout the company to form an overall opinion on the effectiveness of a company’s ICFR.

Regardless of a company’s size, there is no doubt that planning, executing, and sustaining an internal control assessment under Section 404 is a challenging and costly project. Initiating and sustaining this project requires massive coordination among a large number of employees throughout the organization as well as ensuring that appropriate documentation is maintained to support management’s conclusions. Given the experiences of large accelerated filers, smaller public companies and


other temporarily exempted entities (foreign as well as domestic) are legitimately anxious because they will soon be required to comply with the internal control certification and assessment requirements under Section 404.

Much has been written about the cost and difficulty of complying with the new internal control certification requirements under Section 404, but very few articles have focused on providing guidance on how to sustain compliance with Section 404 requirements in a cost-effective manner. Although a majority of companies have followed the Public Company Accounting Oversight Board’s (PCAOB) “infamous” Auditing Standard No. 2 (AS2) to design and execute their internal control assessments, there is no single, cookie-cutter approach or methodology that a company can take to “walk through” this maze in real life. The previous two years of experience suggest that there are some “better practices” that a company can employ to organize, document, and track the SOX 404 compliance project in a cost-effective manner. Our experiences from working with many companies suggest that a number of issuers are implementing processes and putting appropriate structures in place that are proving to be quite adept at handling the challenges of Section 404 compliance. The purpose of this article is to share some of these better practices to help other companies manage this project cost effectively.

GETTING STARTED

While the biggest challenge for accelerated filers is to sustain this huge effort in a cost-effective manner, the biggest compliance challenge for smaller public companies is deciding where to begin. We recommend that all companies focus on the following three aspects as they work to initiate and sustain compliance with Section 404: tone at the top, scoping decisions, and establishing a SOX steering committee.

TONE AT THE TOP

Regardless of a company’s size, the most important step to starting and sustaining a SOX 404 compliance project is setting the right “tone at the top.” A company’s board of directors, CEO, and CFO are the most influential people in that company, and their buy-in and continued commitment for this endeavor is absolutely essential for its success. Without their explicit support, employees throughout the organization will continuously challenge the value and relevance of this work and give it less attention and due care than it requires. With the full support of the highest levels of management, SOX compliance teams can be formed across the organization, and specific tasks can be delegated throughout the company with a clear understanding that company management truly believes in producing reliable financial reporting and disclosure for its stakeholders. Starting with the right tone at the top also sends the message that senior leaders are committed to control excellence by managing risks in a cost-effective manner and that good internal controls are everyone’s business. It fosters a positive attitude that motivates employees to extract value out of this compliance activity by either reengineering the underlying business processes or identifying and eliminating nonvalue-added controls.

SCOPING DECISIONS

Determining the scope of the SOX compliance project year after year is one of the most important decisions that a company makes because the scoping is what drives the direction of the entire effort. Based on the feedback received through two roundtable meetings and hundreds of comment letters, both the Securities & Exchange Commission (SEC) and the PCAOB made it very clear that companies—as well as their external auditors—should take a top-down, risk-based approach to assessing and certifying internal controls. During the first two years of Section 404 compliance, neither the companies nor their external auditors followed this approach. Instead, the external auditors drove the process, and the majority of internal control assessments were conducted in a nonintegrated, checklist manner. Excessive focus was placed on documenting and testing as many controls as possible. It is this approach that led many critics of Section 404 implementation to conclude that internal control assessments under Section 404 will not stop future Enrons and WorldComs from occurring. In light of the May 2006 guidance issued by the SEC and PCAOB, it is critical that a company’s senior leadership insists on a top-down, risk-based assessment approach. This is the only way that a company can sustain Section 404 compliance in the future while remaining cost effective.

Table 1: PCAOB Top-Down Approach

1. Approach: Identify, understand, and evaluate the design effectiveness of company-level controls.
   Example/Application: Tone at the top, HR policies, risk assessment process, centralized processes, monitoring, and financial reporting.
2. Approach: Identify significant accounts at the financial statement or disclosure level.
   Example/Application: Financial statement accounts with potential for material financial statement misstatement.
3. Approach: Identify assertions relevant to each significant account.
   Example/Application: Existence/Occurrence, Completeness, Valuation, Rights or Obligations, Presentation/Disclosure.
4. Approach: Identify significant processes and major classes of transactions.
   Example/Application: The processes and classes of transactions that relate to each significant account.
5. Approach: Identify the points at which errors or fraud could occur in the process.
   Example/Application: Risks to the internal control objectives.
6. Approach: Identify controls to test that prevent or detect errors or fraud on a timely basis.
   Example/Application: Build test plans around these controls.
7. Approach: Clearly link individual controls with the significant accounts and assertions to which they relate.
   Example/Application: Each step in this process should build off and link to the previous step.

Source: PCAOB, “Staff Questions & Answers,” Auditing Internal Control Over Financial Reporting, May 16, 2005, Q38 1-4.

A top-down approach to designing a Section 404 compliance program (and designing the actual internal control structure) forces senior management to start with the entity-level controls that set the organization’s tone at the top. When designed robustly and implemented properly, these entity-level controls can significantly affect and even mitigate the need to extensively test certain low-level transactional controls. The impact and influence of entity-level controls can be felt even more in smaller public companies, where the majority of the organization is directly in the line of sight of the senior management through its day-to-day involvement in operations. For medium- to large-size organizations, appropriate design and use of entity-level controls, coupled with adequate monitoring controls, can lessen the amount of lower-level transactional or process controls that are tested. Table 1 provides the PCAOB’s guidance on how to use the top-down approach.

Though we find no clear articulation of what a “risk-based” approach entails, we believe that the essence of the top-down, risk-based approach to sustaining Section 404 compliance requires a clear understanding and recognition that not all individual accounts, note disclosures, and related controls are created equal. Thus, they should not be scoped in indiscriminately and tested equally exhaustively without due regard for the effectiveness of the company’s entity-level controls and underlying financial reporting risks. Inherent financial reporting risk based on the company’s unique business and reporting environment, coupled with the residual risk status of each financial statement account and note disclosure, should determine the areas that require greater testing, documentation, and monitoring for both the company management and its external auditors. For example, a manual, subjective process for month-end revenue accruals contains considerably more inherent risk of a material financial misstatement than an automated, routine, transaction-based process such as disbursements. Similarly, an account with a history of frequent and materially large errors presents more residual risk than an account with minimal history of past errors.

Approached in this manner, a top-down, risk-based approach results in meaningful scoping decisions that promise to be efficient and effective in addressing real financial reporting risks facing the issuer’s financial statements. Beyond the initial scoping decisions, this approach also focuses on testing only those controls within a process that directly address the identified risks and that would lead to material misstatement in the account balance if they failed.


Figure 1: SOX Steering Committees: Centralized Operating Environment

[Organization chart: Executive Sponsors (CEO/CFO) at the top; beneath them the Executive Project Lead & Steering Committee together with the SOX Project Mgt. Office; beneath those, Process 1 (Revenue), Process 2 (Expenses), Process 3 (IT), and Corp. Processes (HR, Tax, Payroll, etc.).]

SOX COMPLIANCE STEERING COMMITTEE

As managing compliance with the SOX 404 requirements can be a large task, having a SOX steering committee is a key to success for mid- to large-size organizations. The composition and structure of a SOX steering committee can vary depending on whether a company’s management style and operations are centralized or decentralized. Overall, our practical experience suggests that how a SOX compliance steering committee is set up depends on the way the company is organized and the unique business environment in which it operates.

In a centralized operating structure (see Figure 1), a typical SOX steering committee is led by the CEO and the CFO. They are in charge of the whole process and work as executive sponsors of the entire project. Having these two senior management members at the top of the Section 404 certification process conveys a clear message to the troops in the field that it is an important, company-wide project that deserves everybody’s attention and time. Right beneath the executive sponsors is the executive project lead, who is usually responsible for the SOX company-wide direction and priority setting. Ideally, the role is filled by the corporate controller. In the most effective models, the executive project lead and team (SOX director, project management office) usually comprise the hub of all SOX documentation, communication, results reporting, monitoring, remediation, and resource allocation decisions.

The executive project lead generally functions as the leader of the executive steering committee. Early in the planning process, it is not important to quibble about the hierarchy of the structure within the steering committee. Decisions related to these issues should be made only after the project roles and responsibilities have been determined. In other words, it is better to let the steering committee structure and hierarchies evolve to mirror the organization’s SOX compliance model rather than let the steering committee structure dictate the compliance model. In a centralized organization, most, if not all, processes are able to be tested at the corporate level. Some divisional documentation and testing may be required if key input and output controls exist outside the corporate level. In such a scenario, a single steering committee should suffice unless a division is so large or distant that it warrants its own steering committee.

In a decentralized operating structure (see Figure 2),


Figure 2: SOX Steering Committees: Decentralized Operating Environment

[Organization chart: Executive Sponsors (CEO/CFO) at the top; beneath them the Executive Project Lead & Steering Committee together with the SOX Project Mgt. Office; beneath those, four divisions, each with its own program steering committee (BU (1) Program Steering Committee, BU (2) Program Steering Committee, BU (3) Program Steering Committee, and Corporate Program Steering Committee), each overseeing several processes.]

SOX 404 compliance project work can still be relatively centralized. The fact that the business is broken down into segments is usually a good indicator that there should be separate SOX programs for each division, with each program focusing on the unique nature of that division and rolling up into the overall executive project team. It is advisable, therefore, to have unit- or division-specific program steering committees that have responsibility for the entire business unit and that somewhat mirror the corporate-level SOX steering committee. In this case, a program steering committee and program lead are assigned for each major business unit and any functional areas that cut across all the business units, such as IT, HR, etc. If a particular business unit contains a significant or difficult area within it that has a different risk profile from the rest of the unit, creating a separate committee and project lead for that area might help ensure that proper visibility and resources are attained. The more decentralized an organization is, the more important and difficult it is to push ownership down to the local operational level while still maintaining visibility and control at the executive project level. The creation of division-level steering committees—as well as divisional representation at the executive steering committees—is a good way to accomplish this.

The crucial decisions that determine how the overall project is to proceed are made in the program-level steering committee meetings. Well-run steering committee meetings produce visibility and drive accountability—two very important ingredients in the successful completion of a SOX 404 compliance project. These meetings usually include the corporate controller, members of the executive project team, internal audit, external auditors, and the relevant members of


the business-unit program. The program lead, various control leads, and other relevant control owners provide a report on the status of their Section 404 compliance programs. Optimally, the program-level steering committees meet weekly. Meetings are intense and fast paced. Time management must be almost perfect so that all the necessary issues are presented and the team can agree on resolutions immediately.

In a holding company environment, it may be more cost effective to treat each piece of the company as a separate entity with its own set of processes, documentation, and testing. If it is impractical to establish steering committees for each entity, utilizing geographical regions might be a good way to oversee the SOX project.

For smaller public companies, it is equally important to have the CEO and CFO as the executive sponsors of the project. Because these companies generally have flat organizational structures, tighter control, and extensive senior management involvement in all business processes, they might not need an elaborate steering committee structure.

SOX 404 COMPLIANCE GOVERNANCE MODEL

Once the basic structure has been put in place and well-informed, risk-based initial scoping decisions have been made, it is important to lay out the SOX project governance model that the company plans to follow. The only difference between this and any other project management decision is that the consequences of this project’s failure or error-prone output are much more severe. Figure 3 provides a detailed illustration of a SOX 404 project governance model that we have seen in practice. This model applies to a company with decentralized or multidivisional operations. The key roles and related accountabilities found in this governance model are described briefly below.

MANAGEMENT

While the term “management” generally refers to the company as a whole (as opposed to third parties) when discussing Section 404 compliance, there are several subgroups in a company’s management that are relevant to a SOX compliance project. Once a company has formed a steering committee with sponsorship from its senior leadership and decided the initial scope of the project, the roles and responsibilities of the various players become much clearer. Admittedly, these roles may vary from company to company depending on the size and structure of the organization, but the intent here is to build a visible SOX compliance leadership team at the highest possible levels while, at the same time, driving operational ownership of the underlying processes for testing, remediation, and continuous improvement. Within the management group, the following people, functionalities, or departments assume a significant role in the Section 404 compliance project.

Corporate Leadership Team Members: The first and most important part of a company’s management is the senior corporate leadership. These individuals are the key players in the Section 404 compliance effort. Typically, they include the CEO, CFO, CIO, and various operational leaders. Besides the CEO and CFO being directly responsible for signing the appropriate certifications for the company as a whole, the senior leadership team is directly responsible for the following primary responsibilities pertaining to the Section 404 compliance project:
◆ Set and communicate the appropriate tone for the SOX compliance project by “walking the walk” rather than just “talking the talk.”
◆ Ensure sufficient resources—in terms of skills, budget, and authority—are provided to the SOX steering committee for agile decision making.
◆ Make quarterly representations on the design and operating effectiveness of the internal controls within their own functional areas.
◆ Take ultimate responsibility for SOX compliance in their business unit or functional area.

SOX Director: The executive project lead should select a SOX director/coordinator to lead the daily efforts of the SOX project. The SOX director directs the efforts of the PMO (see next item) and provides all necessary detailed guidance and coordination to everyone involved in the project. This individual should be heavily experienced in internal control design and internal or external auditing and should possess good communication and organizational skills.


Figure 3: SOX Project Governance Model

[Organization chart: Executive Steering Committee at the top, with the External Auditor alongside. Beneath it, the Corporate Leadership Team (CIO Leadership, Internal Audit Leadership, Financial Leadership, Corp. Processes Leadership, Operations Leadership) and the SOX Project Mgt. Office. Beneath those, a Program Steering Committee for each of Division 1, Division 2, and Division 3, each with a Control Executive, Process Leads, and Control Owners.]

Project Management Office (PMO): It takes an enormous amount of organizational skill and teamwork to document, monitor, and communicate the progress of the compliance effort. In larger companies, an effective SOX 404 compliance model involves the creation of a team of professional project managers to coordinate the administrative side of the project. Without successful administration or project management, there is a high probability that the project could succumb to its sheer size and fail miserably. Though it is not necessary for smaller companies to have an elaborate PMO infrastructure, it is certainly important to approach the Section 404 compliance as a separate project administratively to ensure that it does not get lost in daily activities.

The PMO should be part of the controller’s executive steering committee, reporting to the SOX director/coordinator. It includes a representative dedicated to the administration of each subprogram. The PMO can create value by performing the following functions:
◆ Facilitate periodic steering committee meetings.
◆ Develop, procure, and maintain the technology tools used for documentation and testing.


◆ Provide guidance on the steps in the compliance process, technology tools, deadlines, etc.
◆ Maintain a change control process to ensure all tools and documentation are approved and up to date.
◆ Track progress, and report results to the process leads, control executives, and the steering committees.
◆ Escalate issues to the steering committee, such as slow progress, test failures, significant changes in internal control structure, etc.

Smaller companies without an elaborate PMO still need to address the above functions to ensure the project is cost effective. There may not be a large team at the company’s disposal, but it is realistic to expect a small company to dedicate some resources to project management, including an overall SOX compliance lead, an administrative person to manage the documentation requirements, and a technological person to help with the collection, storage, and reporting of all documentation and testing. Depending on the amount of time required in one of these areas, it is possible that one person could fill all these roles in a small public company.

Control Executives: Typically, control executives are the leaders within the corporate leadership functional areas. In a centralized organization, these individuals generally are executive vice presidents of operations, human resources, finance, and accounting. In a decentralized organization, these individuals might include the CEOs and CFOs of each business unit or subsidiary of the company. Control executives are specifically responsible for:
◆ Setting direction of the SOX project within their area;
◆ Overseeing the development, documentation, and management of control activities;
◆ Ensuring proper and timely execution of test plans;
◆ Remedying control deficiencies;
◆ Resolving problems related to their processes or the SOX compliance project; and
◆ Representing their unit at steering committee meetings and monitoring progress.

Process Leads: Process leads, or process owners, are the central point of contact for SOX compliance activities. These individuals generally are responsible for one or more processes within an organization. For example, a process such as accounts payable has an “owner,” who may be the accounts payable supervisor directly responsible for the complete and accurate processing and recording of transactions and maintenance of internal controls within that process. Typical responsibilities of a process lead include:
◆ Manage all aspects of SOX compliance for their processes;
◆ Ensure all required documentation is complete, accurate, and updated regularly; and
◆ Ensure all control activities are being executed and tested as agreed upon to provide reasonable assurance.

Control Owners: Control owners are the individuals who either perform the controls or directly oversee the execution of the controls. For example, in the accounts payable process example, the employees that report directly to the accounts payable supervisor would be considered the control owners because they are responsible for executing AP transactions and performing related internal controls. In a small company, it is likely that a process owner may also be the control owner. The designation of the control owner is important because it provides the executive team with visibility into who is actually performing key controls for the company. One example of a better practice is having Human Resources notify the SOX PMO whenever an employee vacates a position responsible for a key control. Typical responsibilities of a control owner include:
◆ Ensure the ongoing execution and effectiveness of all controls within their span of control;
◆ Ensure all required documentation is complete, accurate, and updated;
◆ Identify control changes as necessary; and
◆ Support management and independent testing as appropriate.

INTERNAL AUDIT

A company’s internal audit department acts as an internal partner for the SOX compliance project. The most


efficient functional model for the internal audit, however, is to remain independent from management throughout this process. In this capacity, internal auditors perform an “outside” advisory role to management as well as being an independent testing resource for the external auditors. Internal auditors can also perform “quality assurance” services on the processes used by the control owners to test the design and operating effectiveness of various controls. By doing so, they increase the probability that the external auditors may rely more on their work and reduce significant duplicative substantive testing. Within this mind-set, typical internal audit responsibilities include:
◆ Assisting organizations with the documentation process,
◆ Participating in quality assurance reviews of new processes,
◆ Participating in key control reviews of newly documented controls,
◆ Reviewing test plan development and results,
◆ Performing independent testing of control activities,
◆ Evaluating the remediation progress, and
◆ Communicating issues to management and external auditors.

MANAGEMENT TESTING AND DOCUMENTATION

The last step in the SOX 404 compliance process relates to management’s testing of the key controls and related documentation. Though this is the most time-consuming aspect of the entire process, it goes much smoother if all the previous steps have been carried out carefully.

MANAGEMENT TESTING

There are three key aspects of management testing: (1) identification of key controls; (2) the nature, timing, and extent of testing these controls; and (3) independent testing of the key controls to assess the effectiveness of ICFR.

Key Controls

Using the top-down, risk-based approach, companies are learning to be more efficient and economical in their testing. The following guidelines can be applied to determine which controls to test:
1. The magnitude of the potential misstatement that could result from the failure of the control,
2. The likelihood that failure of the control could result in a misstatement, and
3. The degree to which other controls, if effective, achieve the same control objective.

Most financial restatements are the result of weaknesses such as the misapplication of accounting principles, poorly trained or inadequately qualified staff, poor integration of business acquisitions, and ineffective entity-level controls. Yet companies continue to document and test the routine, low-risk control activities. It is necessary to document the key controls over initiating, recording, processing, and reconciling transactions, but designating too many controls as “key” costs the organization a lot of time and money and prevents it from focusing on controls that are more likely to lead to a material financial misstatement, such as:
◆ Controls over the selection and application of accounting policies: How does the organization learn about and communicate new accounting policies? What procedures are in place to ensure all required accounting pronouncements are being followed, such as proper acquisition accounting, treatment of leases, recognition of revenue, or international tax compliance?
◆ Controls over significant nonroutine transactions involving judgment: What type of review is required for manual journal entries? How are accruals and deferrals determined? What is the basis for calculating estimates? Logically, it makes sense that the most qualified people perform and/or review such types of transactions.
◆ Controls over the period-end financial reporting process: How are significant balances analyzed and reconciled? How does the organization ensure that all transactions were accurately and completely recorded to the General Ledger? Are all of the required consolidating adjustments made?

These issues are relevant to companies of all sizes and complexity. It is less likely that a small company has the resources to build teams of employees to tackle many of these accounting issues. Therefore, it is even more important for small companies to address these


issues head-on when developing controls and planning their SOX 404 compliance project.

When determining key controls, it is important to recognize that the underlying risk profile can change over time. Consequently, previously identified key controls may become irrelevant. Management must periodically update its risk assessment, validate its inventory of key controls throughout the year, and adjust the focus of its testing strategy accordingly.

NATURE, TIMING, AND EXTENT OF TESTING
The objective of management testing is to demonstrate not only that the controls exist but that they are operating effectively and that the control objectives are being met. During testing, management must focus on ensuring that the risk of material misstatement in each account and note disclosure has been reduced to the point where the likelihood of a misstatement is no more than remote and, if one does occur, its magnitude is no more than inconsequential.

Nature
According to FAQ #42 of the May 16, 2005, PCAOB guidance, "As the risk associated with the control being tested decreases, the persuasiveness of the evidence... also decreases." Higher-risk areas require more, and more robust, evidence. Management should use a mix of inquiry, observation, and possibly even self-assessments for low-risk areas. For high-risk areas, management needs a higher degree of reperformance and extensive inquiry. To the extent that entity-level controls have a significant effect on specific processes, the entity-level controls can be relied on to reduce testing of the process- or transaction-level controls in lower-risk areas.

Timing
There is a natural tug-of-war over when to test controls. On one hand, it is easier to test controls throughout the year than to cram a significant amount of testing into the fourth quarter. Management's assessment, however, is made as of a single date: the end of the reporting period for which the financial statements are filed. Following the risk-based approach, management should test controls over high-risk areas closer to the "as of" date, with year-end update testing as necessary. Controls associated with low-risk areas can be tested at any time throughout the year, with minimal update testing required.

Extent
The extent of testing generally refers to the number of samples that must be chosen. While there is no rule here, the Big 4 audit firms have widely accepted guidance on sample sizes and can provide assistance. It is prudent to apply the risk-based approach here as well: the higher the risk, the greater the number of items that should be in the sample, and vice versa. Table 2 shows an example of a risk-based approach to choosing sample size. A sample this small only supports a conclusion if it is free of exceptions; any deviation found must be investigated and evaluated, not simply netted against the passing items.

Table 2: Risk-Based Sample Size Guidelines

                                   Sample size
Frequency               High risk    Medium risk    Low risk
Annually                    1             1             1
Quarterly                   2             2             2
Monthly                     5             4             3
Weekly                     15            12            10
Daily                      40            30            20
Multiple times a day       60            45            30

INDEPENDENT TESTING
The role of the external auditor is widely understood, but it is worth noting that there is an important balance between the independent role the external auditor plays and the "partner" that the organization needs its external auditor to be. The company's external auditors perform their own independent testing of controls to form the basis of their attestation to management's assessment of the effectiveness of the company's ICFR. The PCAOB has stressed the importance of integrating the audit of internal controls with the financial statement audit. It is imperative that an external auditor accomplish this in order for the organization to benefit from reduced testing, auditor
learning curve improvements, and resultant cost savings.

As the organization shifts its focus from a "control-centric" to a "risk-centric" approach, management should keep the auditor apprised of developments affecting its SOX project. In light of the SEC's recently released Management Guidance, it is important for the external auditor not to dictate management's assessment process, but also not to forget that, during the process, his or her professional judgment on the various matters raised by the client is valuable. It is always good practice to work out any differences of opinion up front rather than be surprised by comments or deficiencies late in the process. Management does not want to reach the end of its assessment process only to find out that its external auditor believes that several key controls were excluded from the scope of the SOX 404 project or that controls over significant, high-risk transactions were not tested sufficiently. Generally, good partnership and frequent communication can prevent such disasters from happening.

MANAGEMENT DOCUMENTATION
There are several schools of thought regarding the best way to document internal controls for management's assessment. Whether starting from scratch or refining and revising control documentation, it is important to consider the content of the documentation as well as what it will be used for. In terms of content, management documentation in support of its SOX 404 assessment should include:
◆ Significant accounts, processes, and major classes of transactions;
◆ Financial statement assertions relevant to each significant account;
◆ Information about how significant transactions are initiated, authorized, processed, recorded, and reported;
◆ Control objectives, financial reporting risks, and the control activities in place to mitigate those risks; and
◆ A detailed description of each control activity, including the basic who, what, when, etc., that is necessary to enable someone else to reasonably reperform the activity based on the description provided. More specific attributes include control location, control frequency, control type (preventive or detective, automated or manual), a brief description of the evidence of control effectiveness, and the names of the preparer and reviewer.

Management should consider whether detailed process and control descriptions will be used as a basis for an accounting manual or methods and procedures. If so, effort should be made to ensure that extensive detail is provided for easy access by employees. If management foresees extensive remediation, it is imperative to have good reporting tools to track the nature of the deficiencies, remediation plans, and periodic progress.

Whether off-the-shelf technology is purchased, consultants are used, or the documentation is completely homegrown, management should consider the pros and cons of the different forms of documentation. Commonly used options include process flowcharts, a control matrix, narratives, and templates.

Process Flowcharts
Process flows are an excellent way to draw out a process from beginning to end and identify control gaps. On its own, however, a process flowchart is insufficient to document a process; it is merely a starting point to be used in tandem with other options such as a control matrix or a well-detailed narrative. When companies require departments and process owners to develop their own flowcharts, the result is frequently an unintelligible web of boxes and arrows or an overly simplistic depiction of a process that does not emphasize controls. A better practice is to keep it simple and limit the flowcharts to the actual control points, using only a few symbols. For organizations with multiple layers of management, the upper portion of the chart can be reserved for corporate functions, the next layer for divisional, the next for departmental, and so on. Also, it is unnecessary to flowchart every single control point, because the risk-based approach allows users to focus on only those controls that address the identified financial reporting risks for the process under consideration.
Control Matrix
A matrix is a spreadsheet used to catalogue a company's various controls and their attributes. A matrix makes it easy for a PMO team to sort and query the database in detail, whether the database is Web-based or in Excel, Access, or SQL. A typical control matrix contains a row for each control activity, and each column represents a field for one control attribute plus almost any other piece of data considered relevant, such as test steps, results, deficiencies, remediation status, etc. There is usually a field for a brief description of the control, but one disadvantage of relying on a matrix is its size limitation: it does not accommodate the highly descriptive narratives that might be needed because of the complex nature of the underlying process.

Narratives
A well-written and clearly articulated narrative, along with a related process flowchart, creates a reliable body of evidence and helps the process owner clearly understand the relevance of each control point in the process. Unfortunately, narratives alone do not contain individual data input fields, and many reporting tools do not work well with long descriptions. Narratives may work better for smaller companies with fewer controls, companies with unique controls that need additional description, or companies that will not use extensive reporting of SOX data. Used best in conjunction with process flows or control matrices, narratives add necessary detail to the higher-level flowcharts or data inputs.

Template Approach
A standard template is an effective way for a company to dictate the format of each process and control activity. Typically, a template is Web or application based, containing data fields with clear instructions and a very prescriptive approach to documentation that may include drop-down menus, check boxes, and very limited "free-writing" opportunities. A template works well for companies that have a large number of departments or subsidiaries that need to document and test similar processes. In a decentralized organization, for example, management may want to ensure that all documentation meets minimum requirements and that templates impose a certain degree of uniformity over the formats used. Templates with standardized control activities and test plans facilitate the collection of all required data without allowing for much flexibility, if any. While this is an effective data collection tool with extensive reporting capabilities, one caveat is that one size does not always fit all.

In our experience, a combination of two or more of the documentation options works best. We recommend mapping out each process with a simple process flow to identify the key controls and/or control gaps, and following that with a reporting-friendly document such as a matrix or template that adequately captures control descriptions and provides sufficient data collection and reporting capabilities.

BETTER PRACTICES FOR 404 COMPLIANCE
Based on our experiences in previous years of SOX 404 compliance and emerging better practices, we can offer several lessons for companies preparing to embark on this project.

The importance of tone at the top cannot be stressed enough. Proper direction and enthusiasm from the company's senior leaders are essential to motivate employees to participate actively in the SOX 404 compliance project. It drives the attitude and establishes the mindset that is essential to the ultimate success of this initiative. Without strong acceptance of SOX compliance from the CEO/CFO, the operational leaders of the company, the board of directors, and the audit committee, the company's SOX efforts will not be received well by employees, auditors, or the investment community.

Training is essential for a successful, ongoing SOX program for three crucial reasons: (1) it familiarizes employees with the law and its requirements, which eases the intimidation factor and lowers cooperation barriers; (2) it provides active SOX participants with the skills necessary to execute many of the required tasks; and (3) the regulatory landscape in the internal control assessment area is continuously changing, and regular training ensures that employees are conversant with the latest rules and regulations.

The PMO function is very important. Well-run SOX 404 projects use a project management group that is adept at technology, communication, and organization. Accounting knowledge is a lower priority on the list of
requirements for this group. There will be no shortage of accounting knowledge between the controller's team and internal audit, but good project management is invaluable.

One of the best decisions a company can make is to place responsibility for the internal controls within the specific functional area that performs them. If the individuals who perform the controls are not directly involved or do not have a stake in the SOX project, the project will not be as effective. If the controller's department or internal audit takes responsibility for documenting and testing controls, the control performers will view SOX 404 compliance only as a "check the box" exercise largely conducted by intrusive outsiders. Consequently, the underlying business function will not derive any tangible benefits. Successful training lowers inhibitions and promotes a positive view of internal control within the management rank and file.

Constant communication is essential in managing a project as large as this. Steering committee meetings must be used as opportunities to raise every issue, allocate necessary resources, and monitor the progress of all phases and programs.

Abandon the bottom-up, test-all-practices method employed in the past. Instead, use more logical, efficient, and cost-effective approaches to control design and compliance. Extend entity-level controls throughout the various processes to achieve proper monitoring, segregation of duties, and more efficient compliance. If these controls are in place, less substantive testing can be justified. If monitoring controls are generating error-rate data, even less substantive testing may be needed. For example, if there is an unacceptable error rate for a process, there is no point in testing it in order to conclude that it is not working. The error rate already indicates that the process is broken, and testing it further only wastes time and money.

Automated controls have a much lower rate of failure than manual controls. Transaction-level controls are well suited to automation. Additionally, automation is a very effective way of addressing segregation-of-duties and restricted-access issues. Automation improves the company's overall internal control system, enables better monitoring of control activities, and reduces the time and costs associated with compliance. Reliance on an automated control assumes, however, that the controls over the system itself, in particular change management and access to the application and its configuration, are also effective; an unauthorized or untested change to the application can silently disable the control.

Employees should perform the day-to-day controls because the internal controls are an integral step in achieving the company's operational, financial reporting, and compliance objectives, not simply because they are a necessary part of the company's SOX compliance program. The SOX project should emphasize that employees are asked to perform controls because it makes business sense to execute those control activities so that objectives can be achieved with minimal risk. It is true that many controls were developed, redesigned, or reemphasized because of SOX, but this work is part of the internal controls that were either already in place or should have been in place prior to any SOX implementation. Another important distinction employees need to make is that controls should never be performed solely to prove that a control exists for SOX testing purposes. This is circular, and performing controls simply for SOX 404 compliance defeats the entire purpose of the control.

Management's assessment of internal control is itself an important part of the company's internal control. In the past, it was the breakdown of the monitoring process that caused significant internal control problems for many companies. An organization's ongoing compliance with SOX now provides a structure for effective monitoring of controls. Therefore, management's assessment of these controls is a SOX control in itself, and it acts as a major part of the monitoring component of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, Internal Control—Integrated Framework.

As a result of a successful SOX implementation, the compliant company will have taken the first step in creating or maintaining a world-class internal control environment. A company's business operations, financial reporting, and compliance can be greatly improved as a result. ■

Scott C. Wilkins, CPA, is a Sarbanes-Oxley Coordinator at Interpublic Group of Companies, New York, N.Y. You can contact him at (646) 865-6001 or [email protected].

Parveen P. Gupta, Ph.D., is associate professor of accounting at Lehigh University, Bethlehem, Pa. You can contact
him at (610) 758-3443 or [email protected].

Parveen P. Gupta is currently serving as the Academic Accounting Fellow at the U.S. Securities & Exchange Commission. The Commission, as a matter of policy, disclaims responsibility for any private publication or statement by any of its employees. The views expressed herein are those of Professor Parveen P. Gupta and do not necessarily reflect the views of the Commission or Professor Gupta's colleagues on the staff of the Commission.