  Sarbanes-Oxley Act 2002
 
 

Section 404 of the Sarbanes-Oxley Act requires companies registered with the Securities and Exchange Commission (SEC) to state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting and to report at the end of each financial year on the effectiveness of these internal control structures and procedures for financial reporting. Section 404 also requires management to obtain a report from the company's auditors attesting to management's assertion about the effectiveness of internal control over financial reporting.

This factsheet is based on our understanding of the rules under Section 404, together with the Auditing Standard "An Audit of Internal Control Over Financial Reporting Conducted in Conjunction with an Audit of Financial Statements" issued by the Public Company Accounting Oversight Board in June 2004.

Implementation and Subsequent Developments

Companies were divided into two populations for the purposes of implementation.

Revised implementation timings have now come into force, as have changes to the categorisation of filers. Large accelerated filers have a worldwide market value of outstanding voting and non-voting common equity held by non-affiliates of $700 million or more; accelerated filers have a worldwide market value of between $75 million and $700 million. These values are to be determined as at the last business day of the second fiscal quarter. These categorisations affect filing deadlines, as well as the commencement of Section 404 compliance.

Any company that is not an accelerated filer will be required to comply with the requirements of Section 404 for the first fiscal year ending on or after 15 July 2007. A foreign private issuer that is an accelerated filer, reporting annually using Form 20-F rather than Form 10-K, must begin to comply with requirements for its first fiscal year ending on or after 15 July 2006. US accelerated filers and foreign private issuer accelerated filers that use Form 10-K rather than Form 20-F remain with the prior commencement deadline of the first fiscal year ended on or after 15 July 2005.

Defining Internal Control

Internal control can be based on the COSO framework, which defines internal control as a process that provides reasonable assurance regarding the achievement of objectives in the following areas:

  • Effective and efficient operations - address basic business objectives including performance and profitability targets and the safeguarding of assets;
  • Reliable financial reporting - preparation of reliable financial statements and other financial information;
  • Compliance with applicable laws and regulations - all laws which are relevant to the company in respect of financial reporting.
Internal control over financial reporting is defined as a process to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted principles, including policies and procedures that provide for:
  • The maintenance of records, that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;
  • Reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorisations of management and the directors of the company; and
  • Reasonable assurance regarding prevention or timely detection of unauthorised acquisition, use or disposition of the company's assets that could have a material effect on the financial statements.
Management's Responsibilities

Management is responsible for the effectiveness of internal control, and assessing the effectiveness of internal control, specifically:
  • Documentation and design of controls;
  • Testing of controls;
  • Evidence and documentation to support its assessment of the effectiveness of internal control.
Management may use internal auditors or advisers to assist in its assessment.

The key steps in the process by which management develops sufficient evidence to support its assessment and conclusions are:
  • Assessing the risk of material misstatement;
  • Identifying company level controls;
  • Identifying significant accounts and disclosures;
  • Identifying relevant financial statement assertions;
  • Identifying significant processes in major transaction cycles;
  • Determining which business units should be included in the evaluation;
  • Documenting the design of internal controls;
  • Determining which controls should be tested;
  • Evaluating the design effectiveness of controls;
  • Testing and documenting the operating effectiveness of controls;
  • Evaluating internal control deficiencies and concluding on overall effectiveness.
Assessing the Risk of Material Misstatement

Management's assessment of internal control will start with an assessment of the risk of material misstatement covering the two main components:
  • Inherent risk - the susceptibility of assertions in the financial statements to a material misstatement;
  • Fraud risk - the risk of material misstatement due to fraudulent financial reporting or misappropriation of assets.
Identifying company-level controls

Company level controls are controls to monitor operations and oversee the control environment. They often have a pervasive impact on controls at the process, transaction or application level. They include:
  • Controls within the control environment, including tone at the top, the assignment of authority and responsibility, consistent policies and procedures, and company-wide programmes, such as compliance manuals and fraud prevention, that apply to all locations and business units;
  • Risk assessment process;
  • Centralised processing controls;
  • Monitoring results of operations;
  • Internal audit;
  • Financial reporting process;
  • Board approved policies that address specific business control and risk management practices.
Management needs to determine whether adequate company-level controls exist and document them. They should evaluate and document the effectiveness of the audit committee's oversight of financial reporting and internal control.

Identifying significant accounts and disclosures

Management should identify any likelihood that financial statements (overall and on a line by line basis) or financial disclosures could contain misstatements that individually or when aggregated with others have a material effect on the financial statements.

Identifying relevant financial statement assertions

For each significant account and disclosure, management needs to identify and document the relevant assertions such as existence, authorisation, completeness, valuation, rights and obligations and disclosures.

Identifying significant processes in major transaction cycles

Next, management should identify and document the significant processes applicable to each major transaction cycle, such as turnover, purchases and payroll. This requires:
  • An understanding of the flow of transactions, including how transactions are initiated, recorded, processed and reported;
  • Identifying and documenting the points in the process where there is a risk of misstatement in respect of each financial statement assertion;
  • Identifying and documenting controls that are in place to reduce the risk of misstatement;
  • Identifying and documenting the controls that have been put in place to reduce the risk of unauthorised purchase, use or disposal of the company's assets.
This will include the activities of outside service organisations.

Determining which business units should be included in the evaluation

Management must determine which business units should be included in its assessment, based on the relative financial significance of the unit, and the risk of material misstatement arising from it.

Documenting the design of internal controls

It is the company's responsibility to document internal controls, and developing and maintaining evidence is an inherent element of effective internal control. Management's documentation will cover the entire process of initiating, recording, processing and reporting individual transactions. Such documentation will include, for example, flowcharts and narrative descriptions. Documentation will cover the design of controls related to financial statement assertions for significant accounts and disclosures, the prevention or detection of fraud, financial reporting processes and safeguarding assets.

Determining which controls should be tested

Management must determine which controls are to be tested, and test the operation of all controls related to relevant assertions for all significant accounts and disclosures. Controls to be tested should include:
  • Controls over initiation, processing, reconciling and reporting significant accounts;
  • Controls over the selection and application of accounting policies;
  • Controls relating to the prevention and detection of fraud;
  • Controls on which other controls are dependent;
  • Controls over significant nonroutine and non-systematic transactions, such as accounts involving judgements and estimates;
  • Company level controls.
Evaluating the design effectiveness of controls

Management should evaluate the effectiveness of the design of the controls, considering how the control was applied, the consistency with which it was applied, and by whom it was applied. The evaluation should be documented.

Testing and documenting the operating effectiveness of controls

The form of testing can include enquiry, observation, inspection and reperformance, although enquiry alone should not generally be perceived as an adequate basis for assessment. The testing must be conducted over a period of time adequate to determine operating effectiveness as of the accounting reference date.

Evaluating internal control deficiencies and concluding on overall effectiveness

Internal control deficiencies exist when the design or operation of a control does not allow the company to prevent or detect misstatements on a timely basis. They are classified as:
  • Inconsequential - they are negligible or insignificant;
  • Significant deficiency - a deficiency that adversely affects the ability of the company to prepare financial statements in accordance with generally accepted accounting principles;
  • Material weakness - a significant deficiency which results in more than a remote likelihood that a material misstatement will not be prevented or detected.
Management must evaluate the significance of each deficiency. The Section 404 rules preclude management from determining that a company's internal control is effective if it identifies one or more material weaknesses.

Management should communicate important aspects of its Section 404 assessment to the audit committee and the independent auditors on an ongoing basis. Evidence must be maintained in support of the assessment.

31 January 2006


