January 7, 2008
Guide to the Sarbanes-Oxley Act: Internal Control Requirements - Frequently Asked Questions Regarding Section 404: Table of Contents
Applicability of Section 404 Requirements
- Which companies are subject to the requirements of Section 404?
- Are foreign companies subject to the requirements of Section 404?
- Does Section 404 apply to small-business issuers?
- Are unlisted companies with public debt required to comply with Section 404?
- Are municipal utilities or universities that sell bonds required to comply with Section 404?
- Do insured depository institutions (e.g., banks and savings associations) that are already complying with the requirements of the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) have to comply with Section 404?
- What is the distinction between the requirements of FDICIA and the requirements of Section 404?
- Does Section 404 apply to registered investment companies?
- Does Section 404 apply to U.S. divisions or units of foreign-based companies?
- Does Section 404 apply to not-for-profit entities?
- Does Section 404 apply to asset-backed issuers?
- Does Section 404 apply to forward-looking financial information?
- Does Section 404 apply to the MD&A disclosures?
What Is Section 404 and How Does It Relate to Sections 302 and 906?
- What does Section 404 require companies to do annually?
- What does Section 404 require companies to do quarterly?
- How often must management assess internal control over financial reporting?
- Is Section 404 limited to public reports for which executive certifications are required?
- What does Section 302 of the Sarbanes-Oxley Act require companies to do?
- What does Section 906 of the Sarbanes-Oxley Act require companies to do?
- How are the requirements under Section 404 and the requirements under Sections 302 and 906 of the Sarbanes-Oxley Act related?
- How does the Section 404 assessment enhance the Section 302 executive certification process?
- Is there a value proposition from a controls assessment process beyond compliance with Section 404?
When Is Section 404 Effective for Different Companies?
- When do companies have to comply with Section 404 requirements?
- Why did the SEC defer the effective date of Section 404 compliance?
- What happens if an issuer that is currently not an accelerated filer qualifies as an accelerated filer because of an increase in market capitalization? When does the issuer have to file an internal control report?
- Assume Company A, which reports on a calendar year, plans to go public this year and is expecting a capitalization below the $75 million accelerated filer threshold. When must it comply with Section 404?
- When is the internal control report due?
- Does the independent accounting firm express an opinion on management’s assertions regarding internal control over financial reporting?
- As of what date is management’s annual assessment conducted?
- Is a quarterly assessment required of internal control over financial reporting?
- If management is not required to assess internal control over financial reporting until the first internal control report is issued, what about the references to such internal controls in the quarterly executive certifications required by Section 302?
What Is Meant by “Internal Control Over Financial Reporting” and “Disclosure Controls and Procedures”?
- What is “internal control over financial reporting”?
- What are “disclosure controls and procedures,” a key component of the certification requirements under Section 302?
- What are examples of disclosure controls and procedures that generate required disclosures?
- How should management design the disclosure controls and procedures so that the disclosure process will not become simply a ritual?
- What should the certifying officers do when evaluating disclosure controls and procedures on a quarterly basis?
- How is internal control over financial reporting distinguished from disclosure controls and procedures?
- Are there examples of internal control over financial reporting that fall outside the realm of disclosure controls and procedures?
The COSO Internal Control – Integrated Framework
- What is COSO?
- What is the Internal Control – Integrated Framework?
- How is the COSO framework applied at the entity level during the Section 404 assessment process?
- How is the COSO framework applied at the activity or process level during the Section 404 assessment process?
- Must the Section 404 compliance team address each of the five COSO elements in each critical process affecting a significant financial reporting element?
- Since the COSO framework includes internal controls over operational effectiveness and efficiency and over compliance with applicable laws and regulations, to what extent must management evaluate these controls to support the internal control report?
- If a company already uses the COSO framework, is there anything more it needs to do to comply with Section 404?
- Will the COSO framework on enterprise risk management affect the Section 404 assessment?
Getting Started With Section 404 Compliance
- How does management get started?
- How is the project team formed?
- How should management articulate roles and responsibilities?
- What should management consider when developing a project plan?
- When planning the project, what key scoping decisions should be evaluated, and what criteria should management consider when making these decisions?
- How does a company decide the “significant areas” to review for purposes of documenting and evaluating its internal control over financial reporting?
- How does a company assess materiality when prioritizing financial reporting elements?
- What are “control units,” and why are they important?
- How does management select the control units and locations to review?
- How should management communicate the project effort to the organization?
- What steps should be included in the project plan?
- To what extent can companies rely on prior controls documentation?
- How should companies document and validate their assessments of internal controls?
- What tools and technologies are used to implement controls repositories, document process maps, facilitate the assessment process and manage overall Section 404 compliance?
- Is there a way to estimate the effort and cost of complying with Section 404 in Year One?
- Will companies need to add internal resources to comply with Sections 404 and 302?
- Is a cultural assessment necessary?
Identifying Reporting Requirements and Relevant Processes
- How does management deploy a top-down, risk-based approach to determine the extent to which internal controls should be documented and validated?
- What standards and criteria should be set before beginning the project?
- Are all transactions evaluated in a similar manner when understanding transaction flows and related controls?
- How are the critical processes identified?
- What is a “reasonable” number of business processes for purposes of Section 404 compliance?
- What role do process owners play?
Summarizing Risks and Developing Control Objectives
- Why identify risks?
- How are risks identified?
- What are control objectives and how do they relate to risks?
- How are control objectives defined?
Integrating Fraud Considerations Into the Assessment
- What is the scope of an anti-fraud program and controls?
- What’s new and what really matters with respect to fraud?
- What suggested steps should management take with respect to fraud?
- How are fraud risks assessed?
- How should management get started with integrating fraud considerations into the Section 404 assessment?
Identifying, Documenting and Assessing Controls
- What are the primary sources of the SEC’s guidance to management for purposes of evaluating internal control over financial reporting?
- Does the SEC provide any guidance to management for purposes of documenting its evaluation of internal control over financial reporting?
- How and why are entity-level controls assessed?
- How is an assessment of the design effectiveness of entity-level controls conducted?
- How is the operating effectiveness of entity-level controls validated?
- Are entity-level controls the same thing as entitywide controls?
- How are IT risks and controls considered?
- What if transaction processing is outsourced?
- Do SAS 70 reports apply to processes other than IT and to specialists?
- Where does an entity-level controls review end and the process-level controls review begin?
- How is the process- or activity-level assessment conducted?
- What are walkthroughs, why are they necessary and how should the Section 404 compliance team prepare for them?
- How are processes and transaction flows documented?
- Should we reduce the extent of our process documentation as we apply the top-down, risk-based approach?
- What are some examples of control activities?
- What are monitoring activities?
- When and how should the period-end financial reporting process (close the books) be evaluated?
- What are examples of controls over the selection and application of accounting policies that are in conformity with generally accepted accounting principles?
- What should the Section 404 compliance team consider when documenting controls over estimated transactions?
- What is the external auditor looking for with respect to the period-end financial reporting process (close the books)?
- What factors are considered when evaluating the design effectiveness of controls?
- What factors are considered when evaluating the operating effectiveness of controls?
- Must a company link its key controls directly to financial statement accounts?
- What level of assurance must management attain when reaching a conclusion on the design and operating effectiveness of internal controls?
- How does management define “reasonable assurance” for purposes of evaluating the effectiveness of controls?
- How should control gaps be identified and summarized?
- What should be done to address control gaps if any are found during the assessment?
- How does a company define a “control deficiency”?
- How are compensating controls considered?
- How does a company define a “significant deficiency” in internal control?
- How does a company define a “material weakness” in internal control?
- Why is the distinction between a significant deficiency and a material weakness so important?
- Is it possible for a material weakness reported in a prior year to be classified as not a material weakness in the current year, even though it has not been fully remediated?
- Is a significant deficiency no longer as important given the SEC’s redefinition of the term and the focusing of the Section 404 compliance process on identifying material weaknesses?
- What is meant by the “prudent official test”?
- What must management do if there is a “significant deficiency” or a “material weakness” in internal control?
- Which changes to internal control over financial reporting “materially affect” or are “reasonably likely to materially affect” the effectiveness of the company’s internal control over financial reporting for purposes of complying with the Sarbanes-Oxley Act?
- What is management’s responsibility for changes in internal controls that could affect the adequacy of internal controls after the date of management’s assessment?
- Can management rely on the self-assessments of process owners as the sole basis for rendering the annual internal control report?
- If pervasive entity-level and monitoring controls are designed and operating effectively, to what extent does management need to evaluate specific controls at the process level?
- What does it mean that the Section 404 assessment is based on a point in time and why is it important?
- If evaluation and testing are done throughout the year but management’s required evaluation and the internal control report are as of year-end, what type of evaluation is necessary as of year-end for management to render the internal control report as of that date?
Validation of Operating Effectiveness (“Testing of Controls”)
- What approaches are recommended for “testing” the effectiveness of internal control over financial reporting?
- Who is responsible for validating operating effectiveness?
- What is “testing of controls”?
- How does management test controls that do not leave a trail of documentary evidence?
- How can inquiries or interviewing be considered “tests” of controls?
- What is reperformance?
- When are tests of controls performed?
- What is a test plan?
- Why is it important to define the failure conditions before beginning testing?
- How does the evaluation team ascertain the test period?
- How does management select testing method(s) to apply in specific circumstances?
- How does management determine the appropriate sampling method?
- How is judgmental sampling applied?
- How is statistical sampling applied?
- How does management determine sample size?
- How is the sample selected from the population?
- How does management finalize the formal test plan?
- How are testing results documented?
- How are testing results evaluated?
- How does management decide which controls to test?
- How does management decide the extent of testing?
- Why are control descriptions important and how does management know they are adequate?
- How should the Section 404 compliance team classify individual control techniques so that the team, as well as the independent auditor, can more effectively plan the required tests of controls?
- Is testing by process owners acceptable for purposes of supporting management’s assertion?
- With respect to the period between the date management completes its preliminary evaluation of operating effectiveness and year-end, what must management do to update its evaluation?
- What should management do when exceptions are identified?
- How is monitoring evaluated?
- How are pervasive process controls tested?
- How are information process controls tested?
- How are IT controls tested?
- How much testing should management perform relative to the testing the external auditor performs?
- What should the Section 404 compliance team do if a significant level of exceptions is encountered during testing?
- How many exceptions are acceptable before a control deficiency is deemed to exist?
- What if the external auditor’s testing results differ from management’s results?
- Should the external auditor participate during management’s testing process?
- If control deficiencies or gaps are identified, how should we remediate them?
- Assume a company identifies a material weakness in internal control and remedies that deficiency during the year it is required to comply with Section 404 under the SEC’s rules. How soon before the end of the fiscal year must the deficiency be corrected?
- Since this Section 404 project requires a point-in-time review, for how long do remediated controls need to be in place and in operation to be considered effective?
- How does management evaluate the company’s internal control with respect to unconsolidated investments accounted for under the equity method?
- How are material acquisitions occurring during the fiscal year handled for purposes of determining the scope of the Section 404 assessment?
- What is the impact of excluded acquisitions on management’s executive certification under Section 302?
- How does management apply the SEC’s exclusion for material acquisitions when they occur early in the fiscal year?
- How are divestitures of significant entities (or net assets) and discontinued operations considered for purposes of evaluating internal control over financial reporting?
- What are some of the considerations with respect to an entity spun off from a Section 404 compliance company to form a standalone public company?
- How does a lag in reporting of the financial results by certain foreign subsidiaries for financial reporting purposes affect the assessment of internal control over financial reporting?
- How are certain entities consolidated based on characteristics other than voting control, including certain variable interest entities and entities accounted for via proportionate consolidation, handled for purposes of determining the scope of the Section 404 assessment?
- If controls are replaced or eliminated during the period before the end of the year, must the evaluation team test them?
- Do the SEC’s Executive Compensation Disclosure and Analysis rules fall within the scope of the Section 404 compliance process?
- Is monitoring of debt compliance within the scope of Section 404 compliance?
- How should management formulate conclusions with respect to internal control over financial reporting?
- What should be communicated to executive management, project sponsors and the board?
- What is the internal control report?
- When management identifies a control deficiency that is deemed to be a material weakness in internal control over financial reporting, must the company disclose the weakness in its public reports even though the weakness may be corrected prior to the end of the year? If so, when is this requirement effective?
- If the Section 404 compliance team determines at year-end that there are control deficiencies deemed to be significant deficiencies in internal control over financial reporting, are there circumstances requiring public disclosure of these deficiencies in connection with the filing of the internal control report?
- What constitutes a change in internal control over financial reporting and how is materiality considered for purposes of evaluating the effects of such changes?
- Must management disclose improvements of internal controls?
- Must management disclose the company’s remediation efforts related to a material weakness?
- What are the form and content of the internal control report?
- Where is the internal control report included in Form 10-K?
- Can the results of the assessment of internal control over financial reporting affect the company’s executive certifications under Sections 302 and 906?
- What impact would a conclusion that the internal controls are ineffective have on the company?
- What happens if there is a significant event affecting internal control over financial reporting following the end of the year but before the internal control report is released?
- What happens if a company completes its Section 404 assessment and files an unqualified internal control report, and subsequently restates its financial statements for the applicable period?
- What documentation does management need to support the assertions in the internal control report?
- How long must management retain the documentation supporting the assertions in the internal control report?
Moving Beyond the Initial Year Assessment
- Why should certifying officers care about the Sarbanes-Oxley Section 404 compliance structure going forward after the first internal control report is filed?
- What are the elements of an effective Sarbanes-Oxley Section 404 compliance structure after the initial annual assessment is completed?
- How are the process owners engaged going forward?
- How does a self-assessment program work going forward?
- Why do process owners need support going forward?
- What are alternative structures for supporting process owners in complying with Sarbanes-Oxley Section 404 after the initial annual assessment?
- How does the maturity of a company’s business processes affect the sustainability of its internal control structure?
- How do companies “find the value” from Section 404 going forward?
- After the initial annual assessment, how does management conduct the quarterly evaluations of those elements of internal control over financial reporting that are a subset of disclosure controls and procedures?
- After the initial annual review of internal control effectiveness is completed, should management assess changes to the company’s risk profile on a quarterly basis?
- After the first year of compliance, what happens to Section 404 compliance costs?
- Will subsequent annual assessments be similar to the initial annual assessment?
Role of Management
- What is the role of the disclosure committee?
- What is the role of the Section 404 compliance project sponsor?
- What is the role of the Section 404 compliance project steering committee?
- How are the disclosure committee and the project steering committee related? How does their scope differ? How should they interact? How should the membership differ?
- What is the role of other executives?
- Who signs off on internal control over financial reporting?
- What communications, if any, are required of management beyond the quarterly executive certifications and annual internal control report?
- What is the role of operating and functional unit managers?
- Can management rely solely on self-assessments of process owners for purposes of their evaluation of design and operating effectiveness?
- Can management rely on the work of the internal auditors?
- To what extent can management rely on the work of the independent public accountant in making the assessment of internal controls effectiveness?
Role of Internal Audit
- What is the current status of the NYSE requirements that listed companies have an internal audit function?
- What should companies do if they are listed on other exchanges? Are they required to have an internal audit function?
- How should internal audit avoid any conflict-of-interest issues as it plays a value-added role with respect to the Section 404 certification process?
- What is the role of internal audit in the evaluation process?
- What changes in internal audit can be expected as a result of Section 404?
Role of the Independent Public Accountant
- When and how should the independent public accountant be involved during management’s annual assessment process?
- How should management prepare for the attestation process?
- Did the SEC provide any guidance with respect to the attestation report?
- What does the PCAOB require with respect to the attestation report?
- What internal control “design” assistance can the independent public accountant provide without impairing independence?
- Can the independent public accountant perform any testing on behalf of the audit client?
- Can the company use its independent public accountant’s software and/or methodology to support management’s assessment?
- Can the company engage the independent public accountant to create original documentation of its internal control over financial reporting without impairing independence?
- What kind of work can management expect of the company’s independent public accountant during the attestation process?
- Can management share interim drafts of the financial statements with the auditor?
- Can management discuss accounting issues with the auditor?
- Can management rely on the statutory audit work performed by the external auditor for significant subsidiaries or joint ventures?
- Can the external auditor use the work of the internal audit function and others for purposes of performing an audit of internal control over financial reporting?
- Can the independent auditor issue a report to management or the audit committee indicating that no significant deficiencies were noted during an audit of internal control over financial reporting?
- Will the SEC accept an adverse opinion on internal control over financial reporting?
- What is required of the independent auditors each quarter?
- Can the same audit firm issue an opinion on internal control over financial reporting of a user organization and also issue the SAS 70 letter pertaining to a service organization to which the user organization has outsourced a significant process?
Role of the Audit Committee
- With respect to the financial reporting process and internal control over financial reporting, what is expected of the audit committee?
- How and when should the audit committee be involved in management’s evaluation process and in the independent public accountant’s attestation process?
- What questions are audit committees asking with respect to the Section 404 evaluation during the first year of compliance?
- What questions are audit committees asking of companies that have complied with Section 404 for several years?
Impact of Sections 302 and 906
- What is the impact of the Section 404 rules on Sections 302 and 906?
- May certifying officers cite “reasonable assurance” when referring to the company’s disclosure controls and procedures?
- Why do companies report internal control deficiencies that are not material weaknesses?
- What are the common types of control deficiencies being reported by public companies?
- What are the sector and size characteristics of companies reporting control deficiencies?
- If a significant change occurred in the second fiscal quarter, but before the filing of the first fiscal quarter Form 10-Q, is there a requirement to disclose the subsequent event in the first fiscal quarter Form 10-Q?
- Must management aggregate and evaluate control deficiencies on a quarterly basis at the same level of rigor as at year-end?
Accelerated Filing Requirements
- What are the latest filing requirements with respect to Form 10-K and Form 10-Q?
- For purposes of applying the SEC’s market capitalization test, what is meant by “public float”?
- When determining the applicability of the accelerated filing requirements under the SEC’s Section 404 rules, when is the measurement date for purposes of quantifying a company’s “market capitalization”?
- If a company is below the market capitalization threshold now but subsequently exceeds the threshold, when must it begin to comply with the accelerated filing deadlines?
- If a calendar-year reporting company meets the requirements as an accelerated filer for SEC reporting purposes as of December 31, 2006, what is its Section 404 compliance status if its market cap subsequently falls below the required threshold as of June 30, 2007?
Private Companies and Initial Public Offerings
- Any advice for a privately held company that intends to either undertake an IPO or sell to a public company during the next two to three years?
- If a private company has plans to go public sometime in the future, with plans to file an S-1 three years from now (which would require three years of audited financial statements), would three years of internal control attestation reports by its public accountants be required as well?
- Should a privately held company implement provisions of Sarbanes-Oxley?
- Assuming a June 30 year-end company goes public on September 30, 2007, is the first Section 302 certification required to be included in the first 10-Q for the quarter ended December 31, 2007, or will the company be required to certify as of September 30, 2007?
U.S. and Foreign Nonaccelerated Filers and Foreign Locations
- Is Section 404 applied differently to smaller companies?
- Can public companies rely on their external auditor to compute the tax provision and reserves included in their financial statements?
- Based on experiences to date by U.S. and foreign filers, what are the lessons for companies who have just begun their compliance efforts?
- Are foreign filers subject to the Section 302 executive certification requirements?
- Must Section 404 documentation prepared in countries outside the United States be presented in English?
- If a foreign private issuer files financial statements prepared in accordance with home country generally accepted accounting principles (GAAP) or International Financial Reporting Standards (IFRS), with an accompanying reconciliation to U.S. GAAP, should it conduct its evaluation based on the primary financial statements or the amounts disclosed in the reconciliation to U.S. GAAP?
- When evaluating the severity of control deficiencies, how do foreign private issuers apply the reference to “interim financial statements” included in the definition of a material weakness?
- How does a foreign private issuer treat an investee company reporting in the registrant’s primary statements differently than in the reconciliations to U.S. GAAP?