The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company's internal controls over financial reporting (ICFR). This is the most costly aspect of the legislation for companies to implement, as documenting and testing important financial manual and automated controls requires enormous effort.[32] This course provides an overview of SOX Section 404 and discusses how one can effectively implement a solid program to address the needs of SOX 404.
The Public Company Accounting Oversight Board (PCAOB) approved Auditing Standard No. 5 for public accounting firms on July 25, 2007.[33] This standard superseded Auditing Standard No. 2, the initial guidance provided in 2004. The SEC also released its interpretive guidance [34] on June 27, 2007. These two standards together require management to:
- Assess both the design and operating effectiveness of selected internal controls related to significant accounts and relevant assertions, in the context of material misstatement risks;
- Understand the flow of transactions, including IT aspects, in sufficient detail to identify points at which a misstatement could arise;
- Evaluate company-level (entity-level) controls, which correspond to the components of the COSO framework;
- Perform a fraud risk assessment;
- Evaluate controls designed to prevent or detect fraud, including management override of controls;
- Evaluate controls over the period-end financial reporting process;
- Scale the assessment based on the size and complexity of the company;
- Rely on management's work based on factors such as competency, objectivity, and risk;
- Conclude on the adequacy of internal control over financial reporting.
Sarbanes-Oxley Act was passed in 2002 and year one of attestation for publically traded companies was 2004. SOX 404 is the most prominent of the many requirements covered under the legislation. Examining and putting into practice a suitable methodology for SOX compliance with SOX 404 is crucial.
Taking this course will prepare you to successfully address the challenges of Section 404 at your company - a high profile and critical process!
Information within this course comes from readily available public domain documents and is utilized by the trainer as a supplement for relaying the course content.
Note: The concepts outlined in this course are up to date and relevant in regards to the Sarbanes-Oxley legislation. Although there have not been any changes in the legislative concepts of the law since it’s release in 2002, some aspects of executing the work have evolved. This speaker is preparing a series of courses titled “Sarbanes-Oxley 20 years later”. Those courses can be found individually on the platform and would be beneficial for anyone involved with compliance.
NOTE: The Instructor has created 5 new segments on Sarbanes-Oxley Update - 20 Years Later:
Sarbanes-Oxley Update - 20 Years Later: Accounting Risk Assessment Considerations
Sarbanes-Oxley Update - 20 Years Later: Sourcing Emerging Risks Part 1
Sarbanes-Oxley Update - 20 Years Later: Evaluating Testing Processes
Sarbanes-Oxley Update - 20 Years Later: Sourcing Emerging Risks Part 2
Sarbanes-Oxley Update - 20 Years Later: Examining Fraud Risks
Learning Objectives
- Discover the requirements of Sarbanes-Oxley Act SOX 404
- Recognize COSO and the Internal Control Framework
- Identify SEC and PCAOB ongoing SOX 404 requirements
- Identify and apply the steps of the SOX 404 process
- Identify documentation Requirements
- Identify testing Requirements
- Define significant Deficiency and Material Weakness
- Recognize PCAOB 2012 Report on Public Companies ICFR
Included In Certifications
This course is included in the following Certification Programs:
16 CoursesSarbanes-Oxley (SOX) Certification
- Sarbanes Oxley Overview
- SOX: Authoritative Bodies
- Sarbanes-Oxley (SOX) Standards - Evolution
- Information Technology General Controls Primer
- COSO 2013 Overview
- Sarbanes-Oxley (SOX) Section 404
- Sarbanes-Oxley Section 302: ICFR
- Sarbanes-Oxley (SOX) And Fraud Sections
- Sarbanes-Oxley (SOX) - Top Down Risk Assessment Part 1
- Sarbanes-Oxley (SOX) - Top Down Risk Assessment Part 2
- Sarbanes-Oxley (SOX) - Entity Level Controls
- Sarbanes-Oxley (SOX) Identifying and Documenting Controls
- Sarbanes-Oxley (SOX) Testing
- Sarbanes-Oxley (SOX) - Assessing Data Impact
- XBRL - Connection to SOX 302/404 and Critical Roles
- Tools For Sarbanes-Oxley Compliance
200 Reviews (714 ratings)
Prerequisites
Prerequisite: Exposure to SOX
Advanced Preparation: None
Thank you again for teaching this course. It has helped tremendously to shorten the learning curve regarding SOX! I have one final question. Given that SOX compliance doesn't align well with IIA auditing standards, what is the typical layout for the work papers (i.e., test plan, templates etc.)?
Good question and one that doesn't have a straight forward answer. My suggestion is to look into some of the vendors who have SOX software. In some cases they have templates. Another suggestion is to speak with your external auditors. Many companies use the external auditors templates and then customize them for their needs. Many organizations still use excel spreadsheets where they list all the controls (by COSO component) and then have the accounting assertions across the top of the spreadsheet to link the controls to the most relevant assertion. Then they have columns where the controls are described and assessments are made regarding the suffuciency of the design. A separate column then records the testing and the results. So as you can see, there are many methods. I would also suggest looking at some of the Big 4 accounting firm websites. They sometimes have example templates. Or look at Knowledgeleader.com which is a site hosted by Protiviti. They have many tools that are useful.
Thank you so much!
Hi Lynn,
I respectfully request your assistance regarding SOX. Research indicates that SOX compliance work is conducted virtually in order to reduce costs. This seems to be more prevalent with small to medium sized public companies. Please let me know your thoughts on where to find companies that conduct virtual SOX compliance. Thank you in advance for your valuable time.
Stephen
Hi Stephen - I'm unsure what research you may be pointing to. SOX is a legislative requirement for any publicly traded company so the work is done to actually comply with standards. Many of the research studies done over the past 10+ years showed that in the initial years, SOX was very costly to companies. As the years have gone by, and the PCAOB has moved from AS2 to AS5, compliance costs have gone down a bit. However, now COSO 2013 has swung that pendulum back a little.
For companies that are not required by legislation to comply with SOX (non-publicly traded companies), they generally try to work through the exercise because they believe it will improve their internal controls and also hopefully reduce costs. However I have not specifically seen recent studies on that.
When you ask about virtual SOX compliance - what are you referring to specifically?
Hi Lynn,
I found a virtual SOX compliance course on the Lord & Benoit website. It explains the process to conduct SOX compliance virtually in the course overview.
It piqued my curiousity regarding virtual SOX compliance. Reviewing numerous job ads suggests that internal audit/compliance personnel are not offered to work remotely/virtually.
Please let me know your thoughts. Thank you again for you input.
Stephen
You are into a bit of unchartered waters here. From one perspective there are a lot of SOX groups that do work remotely because of outside locations or foreign entities. But they are probably executing the work from their corporate offices. You start to get into a lot of information privacy issues when you allow people to access information systems from home. I don't know of anything specifically that says it isn't allowed but I believe you would be hard-pressed to find an organization that would be fully open to the idea. There is a lot of SOX work like walkthroughs that couldnt be done virtually - or maybe would not be considered effective. So I believe the bottom line is it is all up to the organization and with probably some input from their external auditors
Hi Lynn,
Thank you again for your input! I truly appreciate it.
Stephen
Can a non listed, non US company's external auditors provide an opinion on ICFR in their report if company's Management urges them to or is there any regulation stopping external auditor from doing so because they are truly not under SOX or PCAOB?
Sorry for the delayed reply. The program was not providing me the reply button.
I think your question is more of a legal question than SOX legislation. Many on listed company's now follow SOX and in some cases their auditors will provide an opinion to managment on ICFR. It depends on your contract. I am not aware of any PCAOB rules that prohibit this but again, consult with legal