KnowledgeLeader provides best practice articles, tools, guides and other resources on the Sarbanes-Oxley Act (SOX). This page contains an alphabetized list of all of the resources and tools on SOX, particularly Section 302 and Section 404, that are available for download on KnowledgeLeader. The tools are provided in downloadable versions, so they can be customized for use in your organization.
2014 Sarbanes-Oxley Compliance Survey
Interestingly, many companies appear to be moving rather slowly to adopt the new COSO framework, even though it is recommended for fiscal year-end dates beginning on or after December 15, 2014. Of note, the Securities and Exchange Commission (SEC) has specifically pointed out that it is monitoring the transition by issuers to the new framework as part of their documenting internal control over financial reporting. In this report, we offer detailed breakdowns of this and numerous other findings by filer status and company size. Our key findings this year include: Companies are getting started, albeit slowly, with implementing the new COSO framework; There is measurable fallout from the PCAOB’s inspection reports; Compliance costs are going up but are still manageable for many; Organizations continue to automate more processes and controls.
2015 Sarbanes-Oxley Compliance Survey
In this report, we detail our findings from our 2015 SOX Compliance Survey.
2016 Sarbanes-Oxley Compliance Survey
Protiviti’s annual Sarbanes-Oxley compliance survey looks deeply into several areas, including costs, hours and control environments of a broad spectrum of organizations.
2016 Sarbanes-Oxley Compliance Survey Podcast
Brian Christensen, Protiviti’s global internal audit leader, highlights key findings from the 2016 Sarbanes-Oxley Survey in this podcast.
A Cost-Effective Approach to Validating Performance of the Internal Control Structure—Questionnaire
This questionnaire focuses on the implementation of a cost-effective approach for validating the operating effectiveness of ICFR that includes all primary sources of evidence, supporting management’s assertion in the annual internal control report.
A Farewell to Michael Oxley
Staunch champions of corporate governance and fair financial reporting lost a friend over the holidays with the passing of former U.S. Rep. Michael Oxley on January 1.
A Guide for Documenting Processes and Controls for Sarbanes-Oxley
This guide is designed to help establish consistent Sarbanes-Oxley documentation standards throughout an organization. It discusses documentation types to use, how to document risks and controls, and follow-up procedures to take after the documentation process is complete.
Access to Programs and Data Audit Work Program
The purpose of this work program—focused on access to programs and data—is to outline the IT general controls to be tested, review the results of management’s testing, and document the procedures to test each control. Document the procedures to be performed to conclude on the operating effectiveness of the controls identified, including a specific description of the nature, timing and extent of procedures to be performed. For all controls that are tested at an interim date, list the procedures performed to roll-forward the interim testing to period end.
Accounts Payable Internal Control Questionnaire
As part of an organization’s efforts to comply with the requirements of the Sarbanes-Oxley Act ("the Act"), this questionnaire allows process owners of core functions to perform a control self-assessment of their operations. This accounts payable questionnaire is meant to be utilized as a checklist of the basic controls for that function.
Accounts Receivable Internal Control Questionnaire
The objective of this questionnaire is to have the owners of core functions and processes in an organization perform a control self-assessment of their operations.
Achieving Sustainability by Integrating the Section 404 and Section 302 Compliance Process
In this issue of The Bulletin, we focus on strategies for integrating compliance activities around Sections 302 and 404 of SOX with the objective of achieving sustainability of the internal control structure.
Acquisition Closing Checklist
The purpose of this checklist is to document the activities performed as part of the acquisitions/new business development process by a company. The steps covered in this checklist focus on pre-acquisition activities, performing due diligence, post-acquisition activities, and management approval.
Adopting the 2013 COSO Framework: Fiscal 2015 Update
This article outlines findings regarding adopting COSO 2013 and suggests that it’s just a matter of time before all companies use the revised framework in conjunction with their annual evaluations.
Advanced Auditing (Sample Syllabus)
This course is designed with topics to prepare students for the responsibilities and challenges faced as an auditor in charge. The course format will include discussions on emerging topics facing individuals in positions related to controls monitoring. The course assumes a baseline knowledge of internal and external audit; however, it requires only a course in one of the two. It is preferred that individuals taking this course have some audit experience, whether through a full-time audit position, an internship, or a class project. Guests who are subject matter experts from different areas and backgrounds will participate in class discussions on how auditors deal with issues in today’s environment. This course is a graduate seminar, not a lecture class. Students will be expected to engage themselves fully as seminar participants.
Advanced Financial Auditing (Sample Syllabus)
This course discusses advanced concepts associated with the public accounting profession, generally accepted auditing standards, and public accounting reporting and recent developments, such as Sarbanes-Oxley/Public Company Accounting Oversight Board.
Assessing Process Maturity for Internal Control over Financial Reporting Compliance – Capability Maturity Model
The following five capability levels represent states of maturity by which the project team can rate the upstream business processes where the company’s internal controls are embedded. Organizations can use this model to assess the impact of process maturity on internal control over financial reporting for Section 404(b) compliance.
Assessing Risks and Internal Controls Guide
This presentation was developed to help with training process owners to assess risks and take responsibility for managing internal controls.
Audit Committee Charter Review Checklist
This checklist addresses a variety of topics and acts that often fall within the Audit Committee’s responsibilities. It provides a broad framework and a set of activities that can be undertaken by the Audit Committee to achieve appropriate oversight. This document is intended to only be used as a sample guide to understanding and reviewing the current charter.
Audit Committee Charter: Pre-Approval of Audit and Non-Audit Services
This charter outlines audit committee roles and responsibilities, particularly focusing on the pre-approval of services.
Audit Committee Charter: Sample 1
This sample charter outlines the purpose, composition, meeting procedures, responsibilities and duties, and annual performance evaluation requirements of the audit committee.
Audit Committee Charter: Sample 2
This sample charter outlines the purpose, authorities and responsibilities of the audit committee.
Audit Committee Charter: Sample 3
This sample charter outlines the purpose, structure and operations, responsibilities and duties, and meeting procedures of the audit committee.
Audit Committee Charter: Sample 4
Audit committees assist the board in monitoring the integrity of the financial statements, external auditor qualifications, performance of the internal audit function and external auditors, and company’s compliance with regulatory requirements. This charter provides one example.
Audit Committee Charter: Sample 5
Audit committees assist the board in monitoring the integrity of the financial statements, external auditor qualifications, performance of the internal audit function and external auditors, and company’s compliance with regulatory requirements. This charter provides one example.
Audit Committee Charter: Sample 6
This sample charter outlines the role, membership procedures, operations, communications/reporting, education requirements, authorities and responsibilities of the audit committee.
Audit Committee Charter: Sample 7
This sample charter outlines the purpose and authority, membership and meeting procedures, and duties and responsibilities of the audit committee.
Audit Committee Charter: Sample 8
This sample charter outlines the purpose, procedures, and oversight responsibilities of the Audit Committee of the Board of Directors.
Audit Committee Self-Assessment Checklist
This is a sample self-assessment checklist for audit committees to use when evaluating their current involvement in a company’s control environment.
Audit Discussion Form Sample
This sample form can be used to communicate specific findings identified during an audit and recommend a management action plan to address the findings.
Auditing to Spot Fraud, From Start to End
Fraud-risk management is here to stay. Has your organization implemented an effective strategy for fraud prevention, detection and response? Are you part of the problem or part of the solution?
Best Practices in Ethics Hotlines: A framework for creating an effective anonymous reporting program
For many years, companies have been using hotlines to detect theft and fraud with great success. But until recently, some companies still considered them a luxury rather than a necessity. With the introduction of the Sarbanes-Oxley Act, lawmakers have further validated the need for this reporting mechanism. This paper by The Network, Inc. discusses best practice techniques for developing an effective ethics hotline program by examining three critical stages: planning a successful hotline program, communicating to stakeholders about the hotline, and reacting to hotline tips.
Board of Directors Authorization Charter
This sample charter determines the objective, authority, communications/reporting and responsibilities of the board of directors.
Building Upon Section 404 Compliance: Moving Beyond Year One
In this issue of The Bulletin, we outline imperative steps for certifying officers to take to demonstrate care in reinforcing the responsibility and accountability of process owners, and in supporting these owners in their respective roles. Certifying officers should waste no time in giving these steps their strongest consideration and in discussing their conclusions with the audit committee and board of directors.
Business Control Deficiency Decision Process Questionnaire
This questionnaire serves as a guide in determining the severity of deficiencies cited during the internal control testing process. The results of this process are used to determine potential significant deficiencies and material weaknesses.
Business Processes to Application Mapping Diagnostic Template
This sample template helps map out an organization’s business processes and their impact or reliance on IT systems and applications.
Capitalizing on Sarbanes-Oxley Compliance to Build Supply Chain Advantage
Executives rely on internal controls to provide a reasonable level of assurance that supply chain processes and financial transactions function as designed. As a result, executives should adopt a back-to-basics approach to understanding and prioritizing supply chain risks, capabilities, measures and controls, beginning with but expanding beyond their material impact on the company's financial statements. This booklet, co-produced by Protiviti and APICS, details how the Sarbanes-Oxley Act (SOX) has a complementary impact on supply chain risks in infrastructure design, transaction integrity and reporting measures. It also focuses on corporate governance requirements such as executive certification and internal controls over financial reporting. The scenarios we highlight demonstrate how the failure of supply chain “operational controls” can strain an organization’s ability to produce reliable and fairly presented financial statements.
Closing Out Year One: SOX Best Practice Checklist
This checklist provides a list of SOX considerations for companies gearing up SOX efforts in 2005 and those continuing their second year of compliance. The checklist offers advice on topics such as project management, project details, and committees. Using this type of checklist will facilitate moving SOX compliance efforts towards best practice.
Comments Pending? Companies Without Recent Comment Letters
In its 2015 Agency Financial Report the Securities and Exchange Commission (SEC) disclosed that it reviewed 51% of public companies last year. However, there has been a steady decline in the total number of 10-K and 10-Q SEC comment letters. We have heard more than one party question the apparent discrepancy between this decline and the SEC’s statement. The Sarbanes-Oxley Act of 2002 (SOX) requires the SEC to review the financial statements of every public company at least once every three years. But how many companies receive an actual comment letter every three years? This article explores this topic through comparing the number of 10-K Audit Opinions to our Comment Letters database.
Competency Assessment for Accounting Function - Sample Template
The purpose of this sample template is to document the positions that currently make up a company’s accounting function during the competency assessment process. Information in this template includes: job title, job function and responsibilities, start date, relevant work history, education level, and professional organizations and accomplishments.
Considering Going Public – Assessing Key Market Trends and Risks Based on Protiviti Research
This article discusses research results and current top-of-mind business issues and analyzes the ramifications for pre-public companies planning initial public offerings.
Control Design Effectiveness Review Checklist
This Excel-based template provides an example of how to review control design effectiveness to ensure the control mitigates the associated risk. You would use this review process sheet to document the reviewer’s comments and associated response. The Excel form also provides guidance in designing controls to address financial reporting assertions.
Control Gap Remediation Methodology Training Presentation
An important part of complying with Sarbanes-Oxley (SOX) Section 404 is ensuring that there is a remediation plan in place to address control gaps and that remediation progress is monitored. This presentation serves as a guide to train SOX-project teams in identifying control gaps and implementing a remediation action plan.
Control Self-Assessment Policy
This sample policy assists control owners, process owners and internal audit with implementing and executing the control self-assessment (CSA) process.
Control Self-Assessment Questionnaire
In complying with the Sarbanes-Oxley Act, it is management’s responsibility to design, adhere to and monitor the significant operating and financial controls of the organization. This short self-assessment questionnaire has been designed to obtain management’s input in order to establish a common understanding of the level of control of an organization or department.
Control Self-Assessment Questionnaire: Sarbanes-Oxley Section 302
Self-assessment is a recognized best practice that has been applied to risks and controls for many years. This high-level self-assessment questionnaire can be used to assess the level of Section 302 compliance within your organization.
Control Testing Responsibility Matrix – Sample
This matrix outlines the Sarbanes-Oxley responsibility assignments and testing process for primary manual controls.
Sarbanes-Oxley and ITIL
This presentation discusses the importance of IT in relation to the Sarbanes-Oxley Act (SOA), and provides insights into how the best practice guidelines for service management described in the IT Infrastructure Library (ITIL) can help.
This online seminar, broadcast Wednesday, October 15, 2003 addressed IT risks in the context of Section 404 of the Sarbanes-Oxley Act of 2002. The associated presentation includes additional materials related to general IT process risks and controls, and IT risks and controls at the process level.
Control Testing Tracking Spreadsheet – Sample
This document serves as a template to use in tracking the testing of internal controls. The spreadsheet can be used to track control testing status and operating effectiveness and to create a testing timeline.
Control Transition Policy
This policy establishes procedures to ensure the continued integrity of a company’s internal controls system. It focuses on timely transition of internal control responsibilities when needed; continued and ongoing execution of key controls; and swift maintenance to internal control documentation that reflects actual controls in place and responsible individuals.
Controls Monitoring Quarterly Assessment Report
This is an example report of internal audit’s quarterly assessment of the ongoing controls monitoring processes. This report provides an overview of the work performed and corresponding audit findings.
Controls Monitoring Work Program
This sample work program provides steps to perform a quarterly assessment of management’s monitoring of company-level controls.
Controls Self-Assessment Program Overview - Training Presentation
Self-assessment is a recognized best practice and has been applied to risks and controls for many years. When systematically applied across the organization at the entity and process levels, self-assessment is a pre-determined approach whereby individuals self-review or self-audit the controls for which they are responsible and communicate the results to appropriate management. The intent of this training document is to assist control owners, process owners and internal audit with implementing and executing the self-assessment process focused on IT controls.
Corporate Audit Department Charter
This sample charter outlines the mission statement, objectives, responsibilities and services of the corporate audit department of a company.
Corporate Governance Compliance Questionnaire
The objective of this questionnaire is to assist the board and management in assessing the organization’s current corporate governance environment.
COSO 2013 and the Implications to IT Controls
As organizations transition to COSO 2013 from the earlier 1992 version, adopters will find themselves taking a hard look at the updated framework’s 17 principles as well as their impact on IT controls.
COSO 2013 Implementation Webinar: Your Questions Answered
In this article, Keith Kawashima addresses some SOX-specific questions regarding the application of COSO 2013.
COSO 2013 Internal Control–Integrated Framework Executive Summary
COSO's 2013 Internal Control–Integrated Framework (Framework) is expected to help organizations design and implement internal control in light of many changes in business and operating environments since the issuance of the original Framework, broaden the application of internal control in addressing operations and reporting objectives, and clarify the requirements for determining what constitutes effective internal control. This executive summary provides an overview of the updated Framework.
COSO 2013: Keeping Up With the Times
A lot has changed in business and operating environments during the intervening decades since the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed the initial 1992 framework. This article provides a breakdown of what an organization needs to know in order to transition to COSO 2013, including key changes to the framework, its limitations on internal control, and suggested next steps for implementation.
COSO 2013: What Have We Learned?
United States in their efforts to comply with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX). As background, the U.S. Securities and Exchange Commission (SEC) requires companies to use a “suitable framework” as a basis for evaluating the effectiveness of internal control over financial reporting (ICFR), as required by Section 404. The COSO Framework meets the SEC’s criteria for suitability. No doubt Section 404 compliance is important, as it relates to maintaining effective ICFR. However, as important as the lessons learned in this critical area are, there are other important lessons that should be of interest to boards as directors consider the relevance of internal control to their risk oversight endeavors.
COSO 2013: Why Should You Care?
The updated COSO Internal Control – Integrated Framework has been out for over a year. Many companies are now using the updated Framework to evaluate their internal control over financial reporting to comply with Section 404 of the Sarbanes-Oxley Act of 2002. The COSO Framework emphasizes the importance of the tone at the top and the board of directors’ responsibility for overseeing the development and performance of internal control. This issue of Board Perspectives: Risk Oversight explores six reasons why the board, or one or more of its committees, should care about the updated Framework and offers pertinent questions for boards to consider.
COSO Element: Risk Assessment
This 42-page presentation thoroughly examines risk assessment as it relates to the COSO Internal Control Framework, from objective setting to risk identification, risk analysis, and risk assessment evaluation.
Data Center Controls Questionnaire
This 45-page questionnaire covers thirteen aspects of mainframe data center general controls.
Delegated Entity Review Memo
This memo focuses on IT SOX readiness procedures for an application, testing change management, computer operations and logical security areas.
Director of Internal Audit Job Description: Sample 2
This job description provides an overview of the director of internal audit position responsibilities, which include preparing and implementing a risk-based audit plan in order to assess, report on, and recommend improvements to the company’s key operational and finance activities and internal controls.
Disclosure Committee Charter
The disclosure committee assures that information required to be disclosed by a company is properly recorded, processed, summarized and reported to senior management.
Disclosure Committee Questionnaire
The purpose of this questionnaire is to ensure that all necessary quarterly financial reporting disclosures are addressed, and any changes to these disclosures are explained by management.
Documentation - 404 Readiness Checklist
This checklist can be used to evaluate the adequacy of Section 404 process documentation prior to submitting it to the external auditor for review and prior to creating testing plans.
Documenting Processes and Internal Controls (KLplus CPE Course)
The Sarbanes-Oxley Act of 2002 requires the documentation of transaction flows and processes affecting key financial reporting elements. This course focuses on the different approaches to documenting these processes and controls.
Driving Value Out of the Section 404 Compliance Process
In this issue of The Bulletin, we incorporate insights and lessons learned regarding finance processes and show how value can be derived from improving these processes while still meeting compliance standards.
End-User Computing Audit Work Program
This work program focuses on auditing end-user computing, specifically concentrating on identifying the IT controls to be tested, reviewing the results of management’s testing and documenting the procedures used to test each control.
Ensuring a High-Quality Audit: Who is Responsible? Five Ideas for Audit Committees to Maximize Value From the External Audit Process
This article outlines some regulatory concerns and shares ideas for ensuring a healthy external audit process to maximize shareholder value.
Enterprise Risk Management: Practical Implementation Advice
Many executives do not know the value proposition of Enterprise Risk Management (ERM). Some may even consider ERM a fad or “flavor of the month,” and are just humoring the dialogue, wishing it would go away. What leaves many cold on the subject of ERM is the inability to quickly grasp what it is. This issue of The Bulletin addresses this and other relevant questions.
Entity Level Controls - Control Environment Questionnaire
The control environment provides an atmosphere in which people conduct their activities and carry out their control responsibilities. It is the foundation for all other components of internal control, providing discipline and structure. This Excel-based template provides a number of COSO elements and the related control objectives for entity-level controls. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and the management action plan for deficiencies.
Entity Level Controls - Information and Communication Questionnaire
Information and communication is the component of internal control that ensures that pertinent information is identified, captured, and communicated in a form and timeframe that enables people to carry out their job responsibilities. This Excel-based template provides a number of COSO elements and their related control objectives for entity-level controls.
Entity Level Controls - Risk Assessment Questionnaire
Risk assessment is the component of the entity’s internal control that involves identifying and analyzing risks internally and externally. Risk assessment is relevant to achieving business objectives as well as objectives related to the preparation of reliable financial statements. This Excel-based template provides a number of COSO elements and the related control objectives for entity-level controls. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management’s action plan for deficiencies. The Entity-Wide Objectives and Manage Change sections have been updated in this questionnaire.
Entity-Level Assessment Report
The purpose of this report is to document management’s assessment of the COSO internal control components – control environment, risk assessment, control activities, information and communication, and monitoring – at the entity level.
Entity-Level Controls – Fraud Questionnaire
Fraud prevention is essential to set the right tone for an effective internal control framework. This Excel-based template links the COSO components to a number of control objectives for entity-level fraud controls. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and the management action plan for deficiencies.
Entity-Level Controls Audit Work Program
This sample audit work program evaluates the entity-level controls in an organization, specifically focusing on the control environment, risk assessment, information and communication, control activities, and monitoring.
Entity-Level Documentation Request Checklist
The COSO Internal Control - Integrated Framework requires that risks and controls be assessed at both the entity level and the process level. Entity-level controls address the “tone at the top” and include items such as ethics programs, investigation protocols and IT infrastructure controls. Adequate evidence of the entity-level controls should be accumulated to support management’s assertions. One of the ways to gather such evidence is to review the corporate documentation that supports that these entity-level controls are in place. This checklist provides a template in which to track the availability and status of such entity-level control documentation.
Entity-Level Fraud Risk Assessment Process Report
This sample report provides an overview of the process one company undertook to satisfy the requirements of evaluating fraud risks that pertain to internal control over financial reporting.
Entity-Level Risk Assessment Audit Report
This sample audit report presents findings from an entity-level risk assessment review.
Establishing an Effective Complaint and Confidential, Anonymous Reporting Process
Earlier this year, the Securities and Exchange Commission (SEC) issued rules, pursuant to Section 301 of Title III of the Sarbanes-Oxley Act of 2002 (SOX), requiring audit committees to establish procedures for "the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls or auditing matters, and the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters." In this edition of The Bulletin, we address the issues that audit committees and management should consider as they collaborate to comply with this requirement.
Establishing an Effective Complaint and Confidential, Anonymous Reporting Process Questionnaire
This questionnaire focuses on issues that audit committees and management should consider as they collaborate to comply with the SEC’s rules pursuant to Section 301 of the Sarbanes-Oxley Act of 2002.
Excel in Managing Spreadsheet Risk Presentation
Control over spreadsheets associated with the financial reporting process is an increasing concern for companies. These spreadsheets have achieved an increasingly high profile within regulatory compliance. This presentation serves as a guide to train SOX project teams in testing Section 404 spreadsheet controls and utilizing a spreadsheet control framework.
Exception Form - Evaluation of an Individual Process/Transaction-Level Control
The process to evaluate and classify an individual process/transaction-level control deficiency incorporates the evaluation of quantitative and qualitative factors. This sample form assists in documenting and analyzing exceptions identified during individual process/transaction-level control testing.
Executive Certifications: Same Responsibilities, Higher Stakes – Questionnaire
Executive management has always been responsible for the quality and fairness of public reporting. However, under The Sarbanes-Oxley Act of 2002, the risks are higher and the consequences of failure more significant. This questionnaire addresses executive certification requirements.
Executive Certifications: Same Responsibilities, Higher Stakes
Although there are several aspects to the executive certification, management is certifying the effectiveness of the internal management processes that underlie the required disclosures. Certifying officers should design the certification process so that their activities are coordinated with business unit managers, process owners, internal auditors, the external auditor, legal counsel and other key parties. In this issue of The Bulletin, we answer several important questions regarding these new requirements.
Executive Report on Internal Controls: Sample 2
This audit report sample provides an opinion based on an annual assessment of the adequacy of a company’s systems of internal controls.
Expenditure Process Control Questionnaire
Expenditure process controls are important to financial reporting as this process focuses on costs companies incur while delivering goods, rendering services, or performing other activities that are central to the company’s operations. This Excel-based template provides a number of business activities and related control objectives for each activity. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and the management action plan for deficiencies.
Facilitating SOA Compliance Using Committees
Following the release of Sarbanes-Oxley and new SEC regulations, many organizations have created a "Disclosure Committee" and a “Section 404 Committee.” This guide discusses the duties, composition, structure and interrelationships of these committees and suggests some general rules to follow.
FAST Act Paves the Road for Streamlining IPOs
This article outlines the major ways in which the Fixing America’s Surface Transportation (FAST) Act affects so-called “emerging growth companies.”
Finance End-User Computing Policy: Spreadsheets
This policy outlines procedures governing the accuracy and reliability of spreadsheets and other similar applications used to produce or support critical financial information, and to mitigate the risk of financial reporting errors caused by end-user computing errors.
Finance End-User Computing Policy: Sample 2
The purpose of this policy is to define control activities necessary to increase the accuracy and reliability of the output of end-user computing (EUC) applications used to support significant accounts and disclosures, and to mitigate the risk of financial reporting errors caused by end-user computing errors. This policy enables the finance department to support compliance with the Sarbanes-Oxley Act. This policy applies to all EUC spreadsheets or databases, with associated queries, which are deemed critical in terms of their individual or cumulative impact on the financial statements or disclosures.
Financial Close Process Controls Questionnaire
This tool provides insights on financial close process controls, including the control objectives for financial close activity.
Financial Disclosure Communication Questionnaire
This questionnaire facilitates the communication of items—material transactions, contracts, events or other items—to be considered for disclosure in SEC filings.
Financial Disclosure Communication Questionnaire
This questionnaire is designed to facilitate communication of items that should be considered for disclosure in SEC filings. It does not include all possible disclosure items, but does include some examples of primary types of items that should be considered.
Financial Elements and Business Process Prioritization Memo
This memo summarizes the customized models used to prioritize financial statement elements (FSE) and processes for Sarbanes-Oxley (SOX) Section 404 compliance. The prioritization of these items helps define the extent of a company’s process-level documentation efforts.
Financial Reporting (External) Audit Work Program
The objective of this audit work program is to evaluate the operating effectiveness of internal controls identified in the external financial reporting process. It specifically focuses on controls related to the earnings release, filing forms 10-Q and 10-K, and debt compliance sub-processes.
Financial Reporting Process Flow
This process flow focuses on the annual reporting on Form 10-K and quarterly reporting on Form 10-Q.
Financial Statement Risk Assessment Approach – Qualitative and Quantitative Considerations Guide
This guide outlines the financial statement risk assessment process that is used to prioritize the financial elements and processes for Sarbanes-Oxley Section 404 purposes.
Fixed Assets Process Controls Questionnaire
Fixed assets are important to a company because of their relative permanence in the company’s operations and their use in operating activities. This Excel-based template provides a number of business activities and related control objectives for each activity. This questionnaire has been updated with the following: involvement of the purchasing department, presence of a corporate depreciation policy, and monthly financial close procedures.
This sample policy details the actions constituting fraud and non-fraud irregularities, investigation responsibilities, confidentiality statements, authorization for investigating suspected fraud, reporting procedures, and termination and administration procedures.
Fraud Schemes and Scenarios
Addressing fraud is one of the ways companies are working to restore investor confidence to the marketplace. This checklist provides a list of various different fraud scenarios to be considered by company management. The purpose of this document is to reach a common understanding of the potential fraud schemes and scenarios included in an entity-level fraud risk assessment.
Frequently Asked Questions Regarding Compliance with OMB Circular A-123
The Sarbanes-Oxley Act of 2002 (SOX) served as an impetus for the federal government to re-evaluate its policies relating to internal control over financial reporting. The result was the revised Office of Management and Budget (OMB) Circular A-123 in December 2004. This revised OMB Circular A-123 adopts much of what is contained in SOX Section 404. The revised OMB Circular A-123 requires U.S. government agencies to meet internal control over financial reporting standards similar to those mandated by SOX Section 404. In this booklet, we answer questions about complying with OMB Circular A-123, including an overview of the revised requirements, applicability to various federal agencies, the role of management, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Controls - Integrated Framework (New Framework), risks and control objectives, and key dates.
Frequently Asked Questions Regarding the Sarbanes-Oxley Act Executive Certification Requirements
There are many questions on the minds of directors, certifying executives and auditors as they work together to comply with the Sarbanes-Oxley Act and new requirements from the SEC and NYSE. Listed in this booklet are common queries from companies who are dealing with these requirements. We have provided responses based on our experience that will assist executives as they evaluate their company's disclosure controls infrastructure and processes supporting executive certifications.
Guide to Internal Audit FAQ: Table of Contents
This table of contents and FAQ list is a reference for the Guide to Internal Audit FAQ, which is designed to be a helpful and easy-to-access resource that internal audit professionals can refer to regularly in their jobs.
Guide to Internal Audit
The internal audit (IA) profession has undergone significant changes since the New York Stock Exchange (NYSE) issued its new listing standard requiring an IA function. Companies are far more likely to have in place highly developed IA functions that address not only the NYSE standards, but also the SEC’s interpretive guidance on Section 404 of the Sarbanes-Oxley (SOX) Act and PCAOB Auditing Standard No. 5 (AS5). These regulatory developments have had a significant impact on internal audit functions. This booklet is designed to be a resource that IA professionals can refer to regularly in their jobs. The publication offers detailed insights into everything from building an IA function to managing and improving the function as the organization evolves.
Guide to Public Company Transformation Answers What You Always Wanted to Know About the IPO and Beyond
If you’re preparing to take your company public, you surely know you have a lot of new reporting and legal requirements to meet, and that your organization will require a number of changes. This article outlines the updates included in the latest edition of Protiviti’s Guide to Public Company Transformation: Frequently Asked Questions.
Guide to Public Company Transformation FAQ: Table of Contents
This table of contents and FAQ list is a reference for the Guide to Public Company Transformation FAQ.
Guide to Public Company Transformation
The objective of this Guide to Public Company Transformation is to help organizations focus on what they should have in place from a governance, technology and business transformation perspective to prepare successfully for an IPO. This guidance is designed to serve as a convenient and user-friendly resource that executives and managers at pre-public and post-IPO companies can consult to help achieve readiness.
Guide to the Sarbanes-Oxley Act FAQ: Table of Contents
This table of contents and FAQ list is a reference for the Guide to the Sarbanes-Oxley Act FAQ, which contains suggestions for Sarbanes-Oxley compliance matters, including effectively segregating incompatible duties, efficiently testing application security, and utilizing automated application controls to reduce the burden of manual procedures.
Guide to the Sarbanes-Oxley Act
As organizations complete their second year of Sarbanes-Oxley Act (SOX) compliance, executives and audit committees are expecting more value with lower costs. Fulfilling these expectations will require a shift from simply repeating the same SOX project each year to a sustainable, cost-effective compliance process that is embedded into business as usual. For many companies, significant opportunities to improve the efficiency and effectiveness of their SOX compliance efforts reside at the application level. The questions answered in this booklet have arisen in our discussions with clients and others in the marketplace who frequently deal with SOX compliance matters and are focused on improving internal control over their critical business applications.
Guide to the Sarbanes-Oxley Act: Internal Control Requirements - Frequently Asked Questions Regarding Section 404
Since the third edition of Frequently Asked Questions Regarding Section 404 of Protiviti’s Guide to the Sarbanes-Oxley Act (SOX) series was released in August of 2004, much has happened. For example: The U.S. SEC has created a “large accelerated filer” category and has adopted different deadlines for initial Section 404 compliance for accelerated foreign private issuer filers and non-accelerated U.S. domestic issuer and foreign private issuer filers. This booklet is designed to help answer questions about the sections of SOX pertaining to public reporting; this information will assist Section 404 project sponsors, leaders and team members. We have provided responses and points of view based on our experience that we hope will assist companies as they document, evaluate and improve their internal control over financial reporting, and as they continue to enhance their executive certification process. We have also held discussions from time to time with both the SEC and PCAOB staff to understand their views on key points and confirm our interpretations in certain areas.
Guide to the Sarbanes-Oxley Act: Internal Control Requirements - Frequently Asked Questions Regarding Section 404: Table of Contents
This table of contents and FAQ list is a reference for the Guide to the Sarbanes-Oxley Act: Internal Control Requirements - Frequently Asked Questions Regarding Section 404, which considers the SEC’s interpretive guidance to management and incorporates the PCAOB’s major revisions to Auditing Standard No. 2.
Guide to the Sarbanes-Oxley Act: IT Risks and Controls (Second Edition)
The Sarbanes-Oxley Act (SOX) Section 404 mandates that all publicly traded companies establish internal controls for financial reporting and maintain those controls to ensure they are effective, with the purpose of reducing corporate fraud. The priority goals of Section 404 align with management’s existing responsibilities when undertaking an IT conversion or implementation project. In this booklet, we provide guidance to Section 404 compliance project teams on the consideration of information technology (IT) risks and controls at both the entity and activity levels within an organization. We also explore how application-control assessments are integrated with the assessment of business-process controls, and address documentation, testing and remediation matters.
Guide to the Sarbanes-Oxley Act: IT Risks and Controls FAQ: Table of Contents
This table of contents and FAQ list is a reference for the Guide to the Sarbanes-Oxley Act: IT Risks and Controls FAQ, which is the definitive resource guide on IT risks and control issues related to compliance with SOX Section 404.
Happy Cow vs. Hedgehog: Getting Straight on Principle 8
Many organizations are now well into the adoption of COSO 2013 as their integrated control framework in complying with Sarbanes-Oxley Section 404 and for other purposes, but are still struggling with Principle 8—a critical part of the Risk Assessment component of COSO 2013.
How to Standardize Documentation for Internal Controls
This presentation serves as a guide to achieving standardization for internal control documentation. It addresses what to document, how to do it, and to what extent. In addition, this presentation is a useful tool for training employees on documentation standards.
Human Resources Internal Control Questionnaire
This questionnaire is to be utilized as a checklist of the basic controls for Sections 302 and 404 of the Sarbanes-Oxley Act. This document focuses on the human resources function and its associated internal control structure.
IFRS or Country-Specific GAAP: Who’s on First
Countries worldwide face the prospect of changing the accounting standards on which their public financial statements are based. Much of the world has declared that International Financial Reporting Standards (IFRS) is the standard of choice and has either adopted it or committed to transition to it. Now, all heads are turned to the United States. U.S. companies are well-advised to begin understanding and assessing now the impact of a change from U.S. generally accepted accounting principles (U.S. GAAP) to IFRS. Amid the uncertainty as to timing, one thing is clear: Companies, both large and small, are going to need sufficient time to prepare for the transition. This issue of The Bulletin considers the issues and the ramifications of transitioning from country-specific GAAP to IFRS.
Implementation of a Change Management Policy Presentation
Identifying changes in internal controls is important in streamlining the SOX compliance process, specifically 302 and 404 certifications. When identifying changes in internal controls, it is important to have a change management policy for process owners to follow. This presentation serves as a guide in implementing an internal control change management policy. It addresses the types of changes to manage in this process, documentation requirements, and key tools and reports.
Insurance Claims Review (Healthcare) Audit Work Program
This healthcare audit program is intended to assist in determining whether internal controls in the health insurance claims review process are in place and working effectively. This audit program addresses topics such as duplicates, claim payment calculations, claim approvals, electronic Medicare claim files, reconciliation systems for claims processed, vendor data, claims filed, medical records investigation, random audits, claim committee and underwriting review, and refund status.
Internal Audit Risk Assessment – Audit Committee Report
This sample audit report summarizes internal audit risk assessment results to the audit committee. Report topics include: risk assessment approach, risk model, risk map update, top risks, proposed internal audits, audit universe coverage, distribution of internal audit efforts, and internal audit and Sarbanes-Oxley budgets.
Internal Audit Staffing and Audit Plan Report
This report addresses current internal audit staffing levels and audit plan progress.
Internal Auditing Around the World: Volume 3
Given the value added by having strong internal audit (IA) teams, it is not surprising that people play the most essential role in every IA function represented in this book. Demand for highly qualified, talented internal auditors continues to grow throughout the world, as the number of professionals meeting this description shrinks. What drives top-performing IA functions today? In this booklet, we profile 16 successful IA functions from companies across the globe and examine common denominators that separate these leaders from their peers. While there certainly are differences among the companies profiled, they share a number of important similarities in terms of philosophies, approaches, performance measurements and lessons learned – and perhaps most notably, the core concept driving IA activities within these organizations is adding value.
Internal Auditing Syllabus - Sample 1
The course will cover internal audit from a broad perspective that includes information technology, business processes, and accounting systems. Topics include internal auditing standards, risk assessment, governance, ethics, audit techniques, and emerging issues. The course covers the design of business processes and the implementation of key control concepts and will use a case study approach that addresses tactical, strategic, systems, and operational areas. Business improvements in the effectiveness and efficiency of business processes and controls will be covered in the areas of operations, finance and technology. The course is open to all majors with an interest in the design and testing of controls for improving management processes. This is the first course leading to an Internal Auditor Educators Partnership Certificate and will prepare students to sit for the Certified Internal Auditor exam. This course requires a significant degree of participation from all students on projects throughout the course.
Internal Auditing Syllabus - Sample 2
The primary objectives of this course are to: Provide a basic introduction to the Internal Auditing profession and the Institute of Internal Auditors (IIA); Enhance your understanding of key internal control issues in business processes; Relate business process controls to monitoring and auditing requirements of the Sarbanes-Oxley Act; and Provide a foundation for you to prepare for the Certified Internal Auditor (CIA) Examination.
Internal Control Audit Instructions Memo
This memo documents instructions for reviewing and testing a company's internal control environment.
Internal Control Framework (Sample Syllabus)
This course provides background in internal control in general and internal control frameworks in particular. It deals primarily with objectives and components of an internal control framework, and it emphasizes the need for internal control and costs of historic internal control failures.
Internal Control Over Financial Reporting -- An Update on Section 404 of Sarbanes-Oxley
The SEC released its final rules in June 2003 regarding Section 404, making time an asset rather than a liability. This issue of The Bulletin addresses these final rules and what they mean.
Internal Control Strategy Communication Plan
This document outlines an example process to facilitate and communicate changes necessary to strengthen an organization’s internal control environment.
Internal Controls Over Financial Reporting: Understanding Section 404 of Sarbanes-Oxley
In this issue of The Bulletin, we address in detail Section 404, a provision of SOX that is certain to garner the attention of public company executives.
Internal Disclosure Certification Process Policy
This policy documents the internal disclosure certification process, which is designed to provide comfort to the executives responsible for signing the external disclosure certification required by the Sarbanes-Oxley Act.
Internal Disclosure Certification Process Policy: Sample 2
This policy outlines procedures to ensure the fair presentation and disclosure of financial results, and is designed to ensure comfort to executives responsible for signing the external disclosure certification submitted to the SEC in accordance with SEC rules and regulations required by the Sarbanes-Oxley Act of 2002. For each section within Management’s Discussion and Analysis, the notes, and all parts preceding and following these sections, the preparer should prepare a checklist of procedures designed to ensure the accuracy of the disclosure. The preparer should sign the checklist stating that to the best of his/her knowledge the disclosure is materially complete and accurate, nothing has been knowingly omitted, and all controversial matters have been discussed and resolved with management.
Internal Financial and Management Information RCM
This document outlines risks and controls common to the internal financial and management information process.
Introduction to the Sarbanes-Oxley Act of 2002 (KLplus FREE Course)
This basic-level course provides a summary of the Sarbanes-Oxley Act and provides an overview of key sections. The course explains the role of the Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) that was created by the Act to oversee auditors.
Inventory Management Control Questionnaire
Inventory is an important asset for many companies as it is often a large asset on the company’s financial statements and represents a source of revenue in the near future through sales of the goods. This Excel-based template provides a number of business activities and related control objectives for each activity. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and the management action plan for deficiencies.
IT Application Control Deficiency Decision Process Questionnaire
This questionnaire serves as a guide in determining the severity of application control deficiencies cited during the SOX control testing process. The results of this process are used to determine potential significant deficiencies/material weaknesses. Topics in this questionnaire assist management in assessing IT application controls.
IT Application Inventory Sample Template
This template provides a structured way to define an organization’s system landscape. Use this document to capture applications utilized in the company and assess whether they fall within scope for Sarbanes-Oxley compliance testing purposes.
IT Controls Best Practices, Part 1 - Generic
This is Part 1 of a document created to identify leading practices for auditing IT controls. The presentation includes process maps and defines risk objectives and control points for change management, security administration, operations and application controls.
IT General Controls Questionnaire
IT general controls are critical and central to business processes. This Excel-based template provides a number of COBIT areas and the related control objectives for each IT general control. You can document items such as whether the control exists; whether it was designed properly; related test procedures; and the management action plan for deficiencies. This questionnaire has been updated with areas defined in COBIT 4.1.
IT General Controls Scoping Questionnaire
This questionnaire has been designed to facilitate an assessment of existing controls to determine if they align with the IT Governance Institute (ITGI) control objectives. This questionnaire will allow the reviewer to determine which control objectives and illustrative controls are in-scope, and document which control objectives and illustrative controls are currently addressed with existing controls.
IT General Controls: Computer Operations Audit Work Program
This work program focuses on auditing computer operations. It concentrates on the IT general controls to be tested, reviews the results of management’s testing, and documents the procedures used to test each control.
IT General Controls: Program Development Audit Work Program
This work program focuses on auditing the program development process. It concentrates on the IT general controls to be tested, reviews the results of management’s testing, and documents the procedures used to test each control.
IT Infrastructure Control Deficiency Decision Questionnaire
This questionnaire can be used as a guide to determine the severity of any deficiencies cited during the control testing process. A SOX control deficiency assessment can be completed using this information and other information provided by management in reaching its decision.
IT Risk Assessment Audit Report
This report outlines findings from a high-level IT risk assessment at a company.
IT Risks and Controls Review Report
The objective of this audit report is to reduce the volume of controls across applications, infrastructure and IT processes in order to improve consistency and focus on key risks.
IT Security Remediation – Self-Assessment Questionnaire
This high-level self-assessment questionnaire is intended to be used to assist with Sarbanes-Oxley Act control remediation efforts. It provides the auditee with an opportunity to inform internal audit about controls and processes they employ, and it also gives the auditee ideas about other controls and processes that may be appropriate.
It’s That Time of Year: The 2016 Audit Committee Agenda
Jim DeLoach recaps Protiviti’s ten Mandates for Audit Committees in 2016.
Management Development and Compensation Committee Charter
The purpose of the management development and compensation committee is to carry out the board of directors’ overall responsibility relating to executive compensation. This charter provides an example of its structure, authority and responsibilities.
Merger and Integration Memo
This memo outlines a project to document a company’s finance and accounting processes, as well as to identify the system support and interactions for these key processes.
Monitoring Audit Work Program: Sample 2
The objective of this audit work program is to evaluate the operating effectiveness of the monitoring component of COSO. It specifically focuses on the attributes of ongoing monitoring, separate evaluations and reporting deficiencies.
New Disclosures Policy
This policy is intended to facilitate the early detection and disclosure of reportable items to the SEC and to improve the efficiency and effectiveness of compliance efforts. The policy applies to all corporate and subsidiary locations, with particular emphasis on parties responsible for financial reporting and disclosure of related events.
Nominating and Governance Committee Charter
This charter outlines the purpose, membership procedures, meeting procedures, and roles and responsibilities of the nominating and governance committee.
Nominating and Governance Committee Charter: Sample 2
This charter outlines the structure, purpose and responsibilities of the nominating and corporate governance committee, which assists in nominating board members and in developing a company’s corporate governance guidelines.
Nominating and Governance Committee Charter: Sample 3
This sample charter outlines the purpose, membership procedures, authorities and responsibilities of the nominating and governance committee.
Nominating and Governance Committee Charter: Sample 4
This charter outlines the purpose, authority and responsibilities of the nominating and governance committee and describes its membership and administrative procedures.
Non-GAAP and SOX 302
This article focuses on the ongoing debate surrounding non-GAAP disclosures.
Payroll Process Controls Questionnaire
This sample questionnaire helps with evaluating the controls in an organization’s payroll process.
Pre-Year 1 SOX Roadmap – Audit Report
This report serves as a template for organizations to use when documenting business and IT processes for eventual Sarbanes-Oxley (SOX) compliance.
Primary Controls Tracker
This document serves as a template to use in tracking the number of key internal controls identified in an organization. The information compiled in this template can be used to develop project status reports and plan for remediation efforts.
Privacy Controls Audit Work Program
This audit program provides steps for a privacy controls review, including verifying management direction and support for privacy controls.
Process and Activity-Level Controls Assessment Guide
This document summarizes the steps needed to assess controls at the process or activity level. The steps include selecting priority elements, understanding the processes, sourcing risks, documenting key controls, assessing control design, validating control operation and reporting.
Process Documentation Narrative and Flow Chart Guide
This guide outlines documentation techniques to develop an adequate understanding of any processing environment. It also provides a process flow example and guidance on elements to be incorporated.
Process Integration Checklist
The purpose of this checklist is to facilitate the merging of company subsidiary divisions and their duplicate processes. Included are guidelines for this facilitation process and topics to address during scheduled meetings.
Process-Level Documentation Requirements Memo
This memo describes the documentation requirements for each in-scope process related to Sarbanes-Oxley Section 404 compliance.
Program Changes Audit Work Program
This audit program focuses on auditing program change controls. It concentrates on the IT general controls to be tested, reviews the results of management’s testing, and documents the procedures used to test each control.
Property Management System Control Requirements Matrix - Sample
This matrix provides sample application controls to consider within a property-management accounting system. This document guides the user in assessing the priority and vendor capability of each control. The control assessment is then summarized to develop an action plan.
Protecting Enterprise Value Through Your Anti-Fraud Program – Questionnaire
A company’s anti-fraud program is an integral part of its corporate governance process and is fundamental to protecting tangible and intangible enterprise value and preserving the reliability of public reporting. This document focuses on key questions for board members and management when evaluating the anti-fraud program.
Protecting Enterprise Value Through Your Anti-Fraud Program
Simply stated, an anti-fraud program is a group of policies and procedures, backed by senior management, which fosters ethical and responsible business behavior. A company’s anti-fraud program is an integral part of its corporate governance process and is fundamental to protecting enterprise value and preserving the reliability of public reporting. With the audit committee providing oversight, management is tasked with establishing, validating and monitoring effective internal controls to quickly prevent, deter and detect fraud. What is an anti-fraud program? Why is it important? How should companies evaluate their anti-fraud program? In this issue of The Bulletin, we will answer these and other questions. We will also provide observations and recommendations for management and audit committees to consider when evaluating their anti-fraud program.
Protiviti Flash Reports
This page provides links to and summaries of the Protiviti analysis - flash reports - that have been released in conjunction with changes and announcements from COSO, the PCAOB, or the SEC.
Protiviti's Sarbanes-Oxley Section 404 Compliance Initiatives Methodology
Protiviti has developed a phased approach to the execution of Sarbanes-Oxley Section 404 compliance. The approach is facilitated by project management, knowledge sharing, communication and continuous improvement. It applies the COSO Internal Control – Integrated Framework by taking both an entity-level and a process-level view of the business. This document provides a high-level overview of Protiviti’s approach.
Public Company Readiness Questionnaire
When preparing for an initial public offering (IPO), it is vital to pay close attention to the underlying business and IT processes, policies, and internal controls. This questionnaire focuses on certain aspects of the IPO preparation process and specific areas management should address, including common financial reporting challenges, the close process, Sarbanes-Oxley compliance and IT infrastructure.
Public Company Readiness: Getting Ready for Prime Time Before the Market Does
The recent economic environment has been a tough one for the capital markets, making all sources of capital increasingly difficult for companies to access. While there has been a recent uptick in the IPO market in the United States following one of the worst IPO droughts in decades, bank lending has declined and venture capital remains hard to secure. Companies with IPO aspirations are advised to run as if they were already public in order to be ready to strike when the market begins to recover. In this issue of The Bulletin, we focus on certain aspects of the IPO preparation process, including the need for a readiness assessment along with specific areas management should address – common financial reporting challenges, the close process, Sarbanes-Oxley compliance and the IT infrastructure.
Purchasing Rebate Review Audit Work Program
The objective of this audit program is to review the controls in place for the following areas of the purchasing rebate process: supplier rebate set-up, maintenance and forecasting, rebate processing, and rebate accounting and financial reporting. When reviewing this process, include in the documentation: the individuals performing each duty, whether the responsibilities are properly segregated (within this cycle or other cycles), and whether the process is efficient and effective.
Quarterly Compliance Assessment – Audit Report
The purpose of this report is to document internal audit’s quarterly assessment of compliance policies and procedures and the validation of the operational effectiveness of key activities and controls within those policies and procedures.
Quarterly Disclosure Controls Assessment Questionnaire
The purpose of this questionnaire is to facilitate the quarterly assessment of controls surrounding the financial reporting process. This questionnaire can be provided to managers or process owners to support efforts to identify any changes in controls, and to help meet the requirements set out by the SEC.
Record Disposal and Retention Policy: Sample 2
This policy outlines procedures for the disposal and retention of records. This policy is predicated upon three principles: complete, accurate and high-quality records are to be maintained; important data is to be backed up; and records are to be retained only for their period of immediate use, unless longer retention is specifically authorized. Along with the procedures and guidelines, the document also contains the record retention schedule. In this example, most corporate records may be vital to current goals and useful for analysis of current operations, but are of little or no value to the company by the time they are over one year old. Longer retention periods are based upon legal, audit or management requirements.
Relationship with External Auditors Policy
This policy outlines the relationship between a company and its external auditors. This document also discusses the importance of providing external auditors adequate information and other related company responsibilities.
Remediation Efforts and Needs – SOX Training Presentation
An important part of complying with Sarbanes-Oxley (SOX) Section 404 is ensuring control deficiencies are accurately communicated to appropriate personnel and properly tracked. This presentation serves as a guide to train SOX project teams in identifying and communicating deficiencies noted during the testing process.
Request for Proposal: Internal Audit and Sarbanes-Oxley Compliance
This RFP for co-sourcing internal audit and Sarbanes-Oxley compliance services provides a variety of sample questions to ask a potential outsource or co-source partner.
Request for Proposal: Internal Audit Services and Sarbanes-Oxley Regulatory Compliance
This is a sample request for proposal (RFP) and vendor questionnaire from a company seeking a service provider to establish an internal audit function with an emphasis on compliance with the Sarbanes-Oxley Act.
Request for Proposal: Sarbanes-Oxley Compliance
This is a sample request for proposal (RFP) for Sarbanes-Oxley compliance assistance working with a company’s internal audit department.
Revenue Process Control Questionnaire
Revenue process controls are important to financial reporting because this process measures the accomplishments of the operating activities of a company. This Excel-based template provides a number of business activities and related control objectives for each activity. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and the management action plan for deficiencies.
Revenue Recognition Webinar Series: Industry Considerations and Cross-Functional Implications
Chris Wright addresses some of the top questions posed during Protiviti's July 23rd revenue recognition webinar, including the new accounting standard’s impact on internal audit departments and Sarbanes-Oxley compliance.
Risk Assessment Survey Template - Sample
The goal of Enterprise Risk Management is to identify, evaluate and manage key risks impacting an organization’s ability to achieve its objectives and strategies. This document provides a template to inventory and assess critical risk areas (business functions) and the associated risks embedded within each area. The results can be used to help develop an Internal Audit Plan. The results may also be included in the Risk Assessment Report provided to the Audit Committee.
Sarbanes-Oxley 404 Compliance Project Testing Guidelines and Documentation Standards Presentation
An efficient and organized testing strategy is an important part of complying with Sarbanes-Oxley (SOX) Section 404. This presentation serves as a guide to train SOX project teams in testing Section 404 key controls and documenting testing results. It incorporates the importance of independent testing by Internal Audit to lessen the work required by the external auditor.
Sarbanes-Oxley Act Project Approach Memo
The purpose of this memo is to document management’s approach for the current financial year's Sarbanes-Oxley compliance project processes.
Sarbanes-Oxley Auditor Walkthrough Guide
This training presentation was created to help prepare company personnel for the walkthrough process related to Sarbanes-Oxley Section 404 compliance. It includes questions to expect from the external auditor and example responses to these questions by different company departments.
Sarbanes-Oxley Control Deficiency Assessment Form
This form assists in evaluating Sarbanes-Oxley control deficiencies and allows management to document related responses. The evaluation criteria include: evidential deficiencies, potential impact to financial statements, safeguarding of assets and antifraud controls, likelihood that an error could occur, compensating controls and multiple similar control deficiencies.
Sarbanes-Oxley Documentation Review Audit Work Program
The objective of this audit program is to ensure that Sarbanes-Oxley (SOX) Section 404 processes are documented to communicate a clear understanding of the business activity, including its related risks and controls, roles, and responsibilities. The steps in this work program are intended to ensure all changes made to process documentation are reviewed for accuracy and completeness.
Sarbanes-Oxley Multiple Locations Scoping Memo
This memo outlines the analysis performed by a company to determine the scope of internal control documentation and testing.
Sarbanes-Oxley Review Process Tracking Worksheet - Sample
This sample helps project teams track key information and dates associated with developing Sarbanes-Oxley process documentation and management review.
Sarbanes-Oxley Roles and Responsibilities Guide
The purpose of this guide is to describe example roles and responsibilities the various team members involved in Sarbanes-Oxley (SOX) compliance can take on during the project. Roles and responsibilities are described for: process/control owners, risk control specialists, the Project Management Office (PMO), and the Internal Controls Steering Committee (ICSC).
Sarbanes-Oxley Section 302 Diagnostic Survey
This tool helps assess how an organization is achieving various Section 302 compliance activities.
Sarbanes-Oxley Section 404 Audit Committee Questionnaire
There is no question that complying with Sarbanes-Oxley Section 404 requires much effort. This seven-page questionnaire includes important questions audit committees should ask throughout the inception of a project and the first year of compliance.
Sarbanes-Oxley Section 404 Committees
This guide describes the composition, function and operating style of a Sarbanes-Oxley Section 404 compliance steering committee, and the interrelationship between a steering committee and a disclosure committee.
Sarbanes-Oxley Section 404 Compliance Project Work Paper Standards and Guidelines: Policy and Procedures
The purpose of this document is to establish basic guidelines and standards for the preparation and review of work papers relating to the Sarbanes-Oxley Act Section 404 compliance project.
Sarbanes-Oxley Section 404 Management Testing Plan Policy
This sample policy helps to summarize management’s approach to plan, organize, execute, document and support its assessment of the effectiveness of a company and its subsidiaries’ internal control over financial reporting.
Sarbanes-Oxley Section 404 Process Prioritization Report
This document outlines the steps used by management in assessing the criticality of business processes, which is important in setting the scope for the internal control over financial reporting assessments. This includes prioritizing financial reporting elements, defining processes, linking processes to financial elements, and prioritizing processes.
Sarbanes-Oxley Section 404 Program Executive Scorecard - Sample
This document serves as an executive report template focused on the progress of the Sarbanes-Oxley Section 404 program.
Sarbanes-Oxley Section 404 Project Conclusion Memo
This memo documents an organization’s approach to Sarbanes-Oxley Section 404 compliance and concluding results from the annual assessment.
Sarbanes-Oxley Section 404: Compliance Plan – Sample
This sample document establishes a framework and standard policy for compliance with Section 404 of the Sarbanes-Oxley Act.
Sarbanes-Oxley Section 404: Guidance for Documenting Test Results
This guide outlines steps to complete when documenting SOX Section 404 test results. The steps specifically describe how to set up a standard process for referencing work papers, documenting test results, documenting control remediation, and filing work papers.
Sarbanes-Oxley Section 404: Report Testing Methodology
An important part of complying with Sarbanes-Oxley (SOX) Section 404 is ensuring the completeness and accuracy of system reports. This presentation serves as a guide to train SOX project teams in testing reports that are used during the financial reporting process. Note: Testing individual reports is a relatively inefficient manual process and should only be used if General Computer Controls and/or End User Computing Controls do not provide adequate assurance over reports.
Sarbanes-Oxley Spreadsheet Controls Memo
This is a sample email sent by the process owner to finance staff regarding the documentation of controls over spreadsheets as part of Section 404 SOX compliance.
Sarbanes-Oxley Sustainable Compliance Questionnaire
This questionnaire addresses how organizations can make Sarbanes-Oxley compliance sustainable while improving business processes that impact financial reporting.
Sarbanes-Oxley Testing Strategy Memo
This memo documents a company's high-level testing strategy for Sarbanes-Oxley compliance.
Sarbanes-Oxley Walkthrough Checklist
The purpose of this checklist is to provide guidance to help a process owner prepare for a process walkthrough. It also includes post-walkthrough questions to help the process owner document any questions or issues raised.
Sarbanes-Oxley Walkthrough Guidance for General IT Controls
Process walkthroughs are an important part of Sarbanes-Oxley compliance projects. They provide the opportunity to validate the steps necessary to complete a process and view the control environment of a process. This presentation describes the goal of performing a process walkthrough and steps to take during the walkthrough process.
Sarbanes-Oxley Walkthrough Preparation Memo
This Sarbanes-Oxley process memo informs and prepares business process control managers to engage in “walkthrough” discussions with auditors. In this sample, the internal and external auditors have to conduct their validation/fieldwork on internal controls in compliance with Section 404 of the Sarbanes-Oxley Act.
Sarbanes-Oxley Year-End Audit Committee Report
This report to the audit committee focuses on the progress of the Sarbanes-Oxley Section 404 program.
SAS 70 Review – Report on Assessment of Controls - Sample
Type II SAS 70 reports are an integral part of assessing a company’s internal controls over financial reporting if a company uses an outsource provider. The SAS 70 report is intended to communicate, from auditor to auditor, the testing performed around the outsource provider’s internal controls, particularly controls over IT processes. This report can help an organization communicate the findings of a Type II SAS 70 review and assess how the results of the report impact the company’s internal controls over financial reporting.
Scaling Accounting and Finance With Confidence
This article describes the strategic and operational value of automated financial and accounting systems with continuous accounting processes.
Section 404 Compliance: Lessons Learned for the Next 12 Months
In 2006, the Securities and Exchange Commission (SEC) held a roundtable discussion on the second-year experiences with the internal control reporting and attestation provisions of the Sarbanes-Oxley Act of 2002 (SOX). The following week, both the SEC and the Public Company Accounting Oversight Board (PCAOB) announced their plans to follow up on the roundtable results and other feedback they have received. Because of these developments and because many accelerated filers are either preparing for or executing their third-year Section 404 assessments, it is a good time to reflect on lessons learned. In this issue of The Bulletin, we articulate seven lessons for improving Section 404 assessment and compliance processes. As companies achieve superior quality, time and cost performance, they will unlock the value in Section 404 compliance.
Section 404 Compliance: Planning for Next Year
Year Two of Section 404 compliance for most accelerated filers is shaping up to be a year of incremental improvement. Management has taken a hard look at items such as number of key controls and testing scopes. This issue of The Bulletin focuses on some of the opportunities companies should consider as they plan for Year Three.
Segregation of Duties Review Report
This 23-page sample report focuses on a project's final deliverables, including a project overview, remediation roadmap, rollout plan and lessons-learned document.
Seminar in Auditing (Sample Syllabus)
This course describes: advanced problems and research in the application of auditing standards; internal control evaluations; applications of statistics; audits of EDP systems; and auditor’s ethical, legal, and reporting obligations. In addition, the following topics will be covered: the history of auditing leading to SOX, accounting ethics, fraud, internal auditing and risk management, sampling and IT auditing. These topics represent the most critical elements for understanding the current state of auditing.
Senior Vice President of Internal Audit Job Description: Sample 2
This job description provides an overview of specific responsibilities and qualifications for the senior vice president of internal audit position.
Setting the 2008 Audit Committee Agenda
Audit committees have another crowded agenda over the next year. Many aspects of the audit committee charter continue to require ongoing attention, including the myriad of committee activities around the rules issued by the U.S. Securities and Exchange Commission (SEC) and the listing standards promulgated by the exchange to which the company is subject. Obviously, audit committees must continue to address these important requirements, as they provide the minimum standards by which they operate. This issue of The Bulletin provides observations and ideas for boards of directors and their audit committees regarding matters they should consider during the coming year. The agenda items we have listed are significant matters warranting audit committee attention and we believe that the committee can play an important oversight role in addressing these items.
Setting the 2009 Audit Committee Agenda
Since we published Setting the 2008 Audit Committee Agenda a year ago, the world has dramatically changed. 2009 promises to be a challenging year for audit committees. Without a doubt, the financial crisis has increased uncertainty and created changes to strategic plans, operating budgets and organizations. Uncertainty and change increase the need to identify, understand and manage risk effectively. This issue of The Bulletin provides observations, ideas and matters to consider for boards of directors and their audit committees to get through the trying times in the upcoming year. The agenda items we have listed are significant matters warranting audit committee attention, and we believe that the committee can play an important oversight role in addressing them.
Setting the Audit Committee Agenda Questionnaire
Good business leaders are aware that the world is changing – dramatically. This questionnaire is for executive management, boards of directors and their audit committees to help ensure their organizations are ready to address change. It also addresses management’s perspective on the audit committee’s agenda and lists challenges and business-facing mandates for audit committees to assess.
Sourcing SOX Compliance Costs: Fewer Controls, More Scrutiny
This article by Protiviti Managing Director Nichole Minice focuses on how, in the current audit environment, organizations are placing an increased emphasis on information produced by the entity (IPE).
SOX Compliance: Unpacking the Results From Our Survey
In this article, Protiviti Executive Vice President Brian Christensen discusses the results of Protiviti’s 2016 Sarbanes-Oxley Compliance Survey.
SOX Control Deficiency Assessment Form
This form assists in evaluating SOX control deficiencies and documenting management responses. Users can also assess the severity of deficiencies noted during the documentation and testing process. The evaluation criteria include: evidential deficiencies, potential impact to financial statements, safeguarding of assets and antifraud controls, likelihood that an error could occur, compensating controls, and multiple similar control deficiencies.
SOX Coordinator Job Description
This job description provides an overview of the responsibilities for the Sarbanes-Oxley coordinator (internal controls) position.
SOX Policy Evaluation Checklist
Policies are an important part of the internal control over financial reporting evaluation process. This is a sample checklist to use when identifying the availability and status of company policies associated with the financial reporting process. This tool also assists with organizing policies by financial statement, area of significance, and financial statement element.
SOX Process Flow – High Level Methodology
This process flow documents a high-level methodology for Sarbanes-Oxley compliance.
SOX Process Walkthrough Questionnaire
The purpose of this template is to provide guidance to business units in the performance of walkthroughs associated with Sarbanes-Oxley Act compliance requirements. It may also be used by management in other matters related to the evaluation of internal controls over financial reporting.
SOX Self-Assessment and Self-Testing Instructions
This guide provides instructions to companies performing a self-assessment and self-testing for Sarbanes-Oxley compliance. Topics include mapping global risks, reporting results, and managing the project timeline.
SOX Testing Documentation Template
This template can be used to document SOX internal control testing procedures, results and recommendations.
SOX Testing Methodology Example
This is a sample SOX testing methodology that highlights several aspects of SOX testing, including scope, approach and population.
SOX Testing Review Checklist
This Excel-based template provides an example of how to review SOX testing documentation. You would use this review process sheet to document the reviewer’s comments and the tester’s response. The Excel form allows you to record comments related to the test plan, test execution, and documentation format.
SOX Year-End Update Testing Memo
This memo defines the process a company uses to update testing of internal controls for Sarbanes-Oxley compliance purposes near or at the year end.
Spreadsheet Controls Policy
To comply with SOX guidelines, it is important to establish appropriate policies that incorporate controls emphasizing the use, storage and modification of spreadsheets and databases used in preparation and reconciliation of the financial reporting process. This policy is intended to ensure that all spreadsheets/databases critical to the financial reporting process or that generate key reports relied upon by management are managed and controlled based on associated risks.
Spreadsheet Controls Procedures and Checklists for Sarbanes-Oxley Compliance - Sample
Lack of controls over spreadsheets can present a risk to the accuracy of financial statement information and may be identified as a deficiency under Sarbanes-Oxley Section 404. This document contains an example of spreadsheet control procedures. The procedures outline the access and change control steps that could be applied for financial spreadsheets. Also included is a checklist that tracks the spreadsheet control procedures and can be used in SOX spreadsheet testing.
Spreadsheet Risk Management FAQ: Table of Contents
This table of contents and FAQ list is a reference for the Spreadsheet Risk Management FAQ, which is designed to answer frequently asked questions about spreadsheet risk based on real business need.
Spreadsheet Risk Management: Frequently Asked Questions - Second Edition
Many companies rely on spreadsheets as key applications that support operational and financial reporting processes. The increased regulation and compliance requirements that now impact spreadsheet control are not surprising given the past few years of numerous multimillion-dollar errors and fraud attributed to the use of spreadsheets. We also see companies filing reports of material weaknesses and deficiencies with the Securities and Exchange Commission (SEC) as a result of the lack of controls around their financial reporting spreadsheets. This regulatory pressure and increasing focus from auditors are forcing organizations to address the issue of spreadsheet risk management, though few really understand what the issue is and what they need to do about it. This booklet represents a pragmatic response to spreadsheet risk based on real business needs. Although this publication uses the term “spreadsheet,” much of the guidance applies equally to other end-user-developed applications, such as databases and reports.
Staying Focused on Core Business Issues Amid Corporate Governance Compliance
In this issue of The Bulletin, we cover the basics of corporate governance compliance.
Strengthening Governance Through Risk Management
Boards of directors and management know that the price of surprise is steep and should work together on an effective plan for managing risk. This issue of The Bulletin provides five comprehensive recommendations for strengthening governance through improved risk management.
System Backup Review Audit Work Program
The purpose of this audit program is to review an organization’s system backup procedures. This includes identifying all applications key to the organization, identifying the responsible person for the back-up procedure, analyzing actual procedures performed, and determining the appropriateness of handling related media. A key step in this work program is to identify all key applications in use at the company. In this list, include all SOX-related applications as well as any other applications deemed critical to company operations.
Tax Compliance Process Internal Control Questionnaire
The purpose of this questionnaire is to assess the internal controls related to a company’s tax compliance process. This document outlines sample tax compliance controls and assists in identifying if the control is in place.
Tax Compliance Process Report
This document reviews the business processes related to the tax compliance process, identifies manual and system-based controls, and documents issues and weaknesses.
Technology Risks and Controls: What You Need to Know – Questionnaire
Disclosure and internal controls seem to be commanding the headlines these days, with particular emphasis on complying with Sections 302 and 404 of the Sarbanes-Oxley Act (SOX). This document poses questions to help determine where controls over information technology (IT) fit into the picture, why IT is important, and why management and executives should care.
Technology Risks and Controls: What You Need to Know
In this issue of The Bulletin, we focus on the relevance of IT risks and controls to a company’s meeting the internal control objectives over the reliability of financial reporting.
Test Documentation Validation Checklist
This checklist provides guidance on how to track documentation related to tests of controls. It focuses on examples of documentation needed to complete tests of controls, a template to record the completeness and accuracy of the documentation received, and areas to track missing required documentation and sampling requests made to the client.
Testing Status Template - Sample
This testing status sample template can assist in tracking the testing of controls, control attributes, and testing attributes such as control description, control method, and control frequency.
The Bulletin Newsletters
The Bulletin is a periodic newsletter from Protiviti offering detailed insights on corporate governance and related risk management issues, including key processes impacted by the Sarbanes-Oxley Act.
The Changing Corporate Governance Landscape and Its Implications
This issue of The Bulletin reviews examples of what the board of directors and management should do as they work to improve corporate governance.
The Changing Corporate Governance Landscape and Its Implications – Questionnaire
Corporate governance requirements established by The Sarbanes-Oxley Act have permanently mandated executive certification of public reports for all registrants. In this environment, companies are feeling greater pressures to take further actions. This questionnaire focuses on what boards and management should do as they work to improve corporate governance.
The Code of Conduct: Laying a Cornerstone for Effective Governance
In this issue of The Bulletin, we provide important steps for boards of directors and management to consider in designing and implementing an effective code of ethics.
The Code of Conduct: Laying a Cornerstone for Effective Governance Questionnaire
If there is one constant for success in a rapidly changing global marketplace, it is the immutable bedrock of an unwavering commitment to ethical and responsible business behavior. This document discusses important questions for boards and management to consider when designing and implementing an effective code of ethics.
The Expanded Responsibilities of the Audit Committee: A New Mandate
This issue of The Bulletin explores the new requirements of audit committees and their implications, and suggests six keys to an effectively functioning audit committee.
The Global Privacy and Information Security Landscape FAQ: Table of Contents
This table of contents and FAQ list is a reference for the Global Privacy and Information Security Landscape FAQ, which discusses over 350 key laws and regulations, including the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act, the European Union General DP Directive, and the Electronic Communications Privacy Act.
The Impact of M&A on PCAOB Firm Population
Since the PCAOB first started disclosing it, the total number of accounting firms registered with the regulator to perform audits for public companies has been a dynamic metric. This article takes a closer look at this metric's trends.
The Importance of Integrating Sections 302 and 404
Post-Year One SOX advice often focuses on integrating compliance activities around Sections 302 and 404. This presentation reviews the SOX scope determination process, resources, and timing of testing. In addition, it discusses the importance of this integration process and offers concrete ideas for integrating the compliance process.
The PCAOB’s Effect on Auditor Market Share
A recent paper looks into the PCAOB’s role in contributing to the perception of an auditor’s assurance value and whether or not it has an effect on an auditor’s market share.
The Role of Personal Accountability in the New Environment
This issue of The Bulletin outlines seven key principles that provide a framework for establishing and reinforcing the personal accountability of management and the board of directors. Application of these principles will create a healthy tension within the organization and facilitate communication between management and the board.
The SEC’s New Guidance on Section 404: What It Means to You
In May, the Securities and Exchange Commission (SEC) approved its interpretive guidance to management on implementing Section 404 of the Sarbanes-Oxley (SOX) Act of 2002. What’s new with respect to this guidance? What hasn’t changed? This issue of The Bulletin explores these questions and introduces eight important decisions that warrant a fresh look by every SEC registrant subject to SOX compliance requirements.
The Self-Assessment Process: Management’s Tool for Reinforcing Process Owner Accountability
In this issue of The Bulletin, we discuss the self-assessment process and how one can be implemented to reinforce process owner accountability, or if one is already in place, how to improve it.
The Updated COSO Internal Control Framework FAQ: Table of Contents
This table of contents and FAQ list is a reference for the Updated COSO Internal Control Framework FAQ, which addresses various questions regarding the new 2013 Framework from COSO, including the reasons why it was updated, what has changed, the process for transitioning to its use, and steps companies should take now.
Setting the 2006 Audit Committee Agenda
Much has happened since 2003 when the SEC adopted rules mandated by The Sarbanes-Oxley Act of 2002 (SOX) that, among other things, expanded and formalized the responsibilities of audit committees. Rather than focus on history, this issue of The Bulletin provides observations and ideas for boards and their audit committees regarding matters they should consider during the coming year.
The Updated COSO Internal Control Framework
In May of 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its long-awaited updated Internal Control – Integrated Framework (New Framework). The New Framework is an important development; it facilitates efforts by organizations to develop cost-effective systems of internal control and supports organizations as they adapt to the increasing complexity of a changing business environment. Companies using the 1992 framework should familiarize themselves with the New Framework and companion materials, determine their transition plan, and communicate to the appropriate stakeholders the release of the New Framework and its implications to the organization. In this booklet, we address various questions regarding the New Framework from COSO, including the reasons why it was updated, what has changed, the process for transitioning to its use, and steps companies should take now.
Top 10 Lessons Learned From Implementing COSO 2013
In this issue of The Bulletin, we share 10 lessons learned from successful COSO 2013 implementations, drawn from a variety of sources—working with our clients, information gathered from thousands of attendees at our webinar series, and our annual SOX Compliance Survey.
Treasury Process Controls Questionnaire
The treasury process is important to a company because it is the function overseeing the cash flow of the company’s operations and its use related to payments, receipts, and investments. This Excel-based template provides a number of business activities and related control objectives for each activity. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and the management action plan for deficiencies.
Update Testing – Control Self-Assessment Questionnaire
This questionnaire has been designed to facilitate an assessment of whether the controls within a business unit are currently operating effectively. To meet the guidelines of Section 404 requiring management attestation as of a company’s fiscal year-end, this questionnaire is used to identify any changes that have occurred or are planned prior to year-end. Questions in this tool focus on verifying that process documentation is complete and accurate, all key internal controls and key information systems have been identified, and all areas within a business unit that are relevant to Sarbanes-Oxley have been identified.
Using Risk Management Frameworks
This presentation defines and describes various types of internal controls, and reviews control frameworks, including COSO, COSO ERM and COBIT.
Using the COSO Internal Control - Integrated Framework for Sarbanes-Oxley Compliance (KLplus CPE Course)
The SEC has ruled that the criteria on which management’s evaluation of internal controls is based must be derived from a suitable, recognized control framework. The SEC points out in the final rule that the COSO Internal Control – Integrated Framework satisfies this requirement.
Vice President, Internal Audit/Chief Audit Executive Job Description
This job description outlines the responsibilities, qualifications and experience for the vice president, internal audit/chief audit executive position.
Wanted: A Cost-Effective Approach to Validating Performance of the Internal Control Structure
This issue of The Bulletin addresses the importance of integrating self-assessment, entity-level monitoring and independent tests of controls into a coordinated approach to provide evidence supporting management’s assertion in the annual internal control report.
Whistleblower Policy and Procedures
This policy establishes standards and procedures to ensure that the accounting and audit-related complaint handling process complies with management’s and the audit committee’s objectives.
