In 2005 about 3,700
large-cap ($75 million or more)
companies underwent the first wave of
Sarbanes-Oxley section 404 audits. Here, a
firm experienced with Sarbanes-Oxley
section 404 audits for accelerated filers
shares its best practices to help with
compliance for nonaccelerated filers
(companies with market capitalization
under $75 million), which must begin
filing audit reports for fiscal years
ending after July 15, 2007.
auditor’s section 404
responsibility is to critically
evaluate the design and effectiveness of
management’s internal controls over
financial reporting, test as necessary,
form an opinion and communicate
significant deficiencies and material
weaknesses to management and the audit
At least one year
before the deadline,
management should assign a
project leader, establish a time line
and a project team, engage outside
assistance if necessary, set scoping
criteria, “assess risk” and review the
section 404 plan with the audit
committee and external auditors.
companies with limited
accounting staffs will need assistance
with tax accounting, lease accounting,
reviews of transactions such as
last-minute journal entries, application
of GAAP, staff training, IT controls,
the control environment and segregation
of duties and internal control
documentation from sources independent
from their auditors.
Act already has had a
profound impact on the accounting
profession and corporate America.
Companies are now more conscious of how
and why they do what they do, and in
many cases they have improved their
processes or eliminated duplication.
John W. Green,
CPA, is a partner at Marcum &
Kliegman LLP, Melville, N.Y. His
e-mail address is
Let’s hope performing
Sarbanes-Oxley section 404 audits of internal
controls turns out to be easier for nonaccelerated
filers. Those of us who already have performed
section 404 internal control audits will attest
the process is long, complex, tedious and
stressful. Indeed, section 404—which requires a
company’s annual report to certify exactly how
effective its control and reporting procedures
are—is proving to be the most challenging part of
the Sarbanes-Oxley Act. This article describes how
our firm, Marcum & Kliegman LLP of Melville,
N.Y., approached section 404 audits, and shares
some best practices we learned on the job.
A Work in Progress
At press time, the SEC
Advisory Committee on Smaller Public
Companies’ latest release suggested it may
recommend full or partial exemptions of
section 404 for certain size small public
THERE’S WORK TO DO
The SEC required companies with market
capitalization equal to or greater than $75
million (accelerated filers) to comply with
section 404 for fiscal years ending after November
15, 2004 (see “The Value Proposition,” JofA,
Sep.05, page 77). Accordingly, in 2005 about 3,700
companies underwent the first wave of internal
control audits. Of them, about one in seven
reported material weaknesses.
Nonaccelerated filers will commence compliance
for fiscal years ending after July 15, 2007. No
one knows exactly how many eventually will comply,
but about 12,000 companies are listed on various
national exchanges. In addition, banking and
insurance companies are discussing adopting
“Sarbanes-Oxley-like” initiatives for nonpublic
entities. Some states have enacted tougher
regulations on not-for-profits, and nonpublic
broker-dealers and hedge funds soon may face
increased regulation. CPA firms will be busy for a
while, so it’s a good time to work on skills to
handle the workload.
PCAOB Auditing Standard no. 2, An Audit
of Internal Control Over Financial Reporting
Performed in Conjunction with An Audit of
Financial Statements, provides guidance for
a section 404 audit. The performance and reporting
directions are based on the framework developed by
the Committee of Sponsoring Organizations (COSO)
of the Treadway Commission. COSO’s 1992 report
Internal Control—Integrated Framework
describes five key components of internal
control (the control environment, risk assessment,
control activities, information and communication,
and monitoring) and provides businesses with
The SEC requires that
companies’ management design an internal control
system that can substantiate every assertion in
their financial statements. To do that, management
has to analyze the company’s system of internal
control over financial reporting and provide
evidence sufficient to support its conclusions.
The external auditor’s responsibility is to
do the following:
Critically evaluate management’s
Evaluate both the design and
effectiveness of the internal control system.
Perform independent testing.
Form an opinion on the internal
Communicate significant deficiencies
and material weaknesses to both management and the
Both management and the
external auditor must evaluate any internal
control deficiencies that exist and quantify their
severity. Auditing Standard no. 2 prescribes a
much lower deficiency threshold than previous
audit guidance. It includes three definitions.
First, an internal control deficiency exists when
the design or operation of a control does not
allow management or employees, in the normal
course of performing their assigned duties, to
prevent or detect misstatements on a timely basis.
Second, a significant deficiency is a single
deficiency or combination of deficiencies that
results in a more than remote likelihood
that a misstatement of the annual or interim
financial statements that is more than
inconsequential will not be prevented or
detected. Finally, a material weakness is a
significant deficiency or combination of
significant deficiencies that results in a
more than remote likelihood that a
material misstatement in the annual or interim
financial statements will not be prevented or
Before fieldwork begins, company
management and the external auditors must discuss
the thresholds and reach consensus on the
significant accounts and disclosures—and they
absolutely must agree on how best to quantify
more than remote and more than
404 ROAD MAP
A typical section 404 project plan for a
nonaccelerated filer should not be rushed.
Ideally, the first phase should commence 12 to 18
months before the company’s reporting deadline.
The last phase will coincide with the fieldwork
for the fiscal yearend financial statement audit.
Marcum & Kliegman bases its work plan on the
Phase one: Planning and scoping.
Company management assigns a project
leader and project team, establishes a time line,
engages outside assistance if necessary, sets
scoping criteria, performs risk assessment and
reviews the section 404 plan with the audit
committee and external auditors.
Phase two: Documentation and evaluation.
Company management documents,
reviews and updates all control activities,
prepares flowcharts, seeks feedback from external
auditors and remediates control deficiencies.
Phase three: Management testing.
Company management tests key
controls, documents the results of testing and
fixes any control deficiencies.
Phase four: Interface with external
auditors. Company management
performs complete walk-throughs of systems with
external auditors. It reviews its test results
with the external auditors and presents an initial
management assessment to them.
Phase five: External auditor testing.
The external auditor completely
reviews all internal control documentation
including narratives, flowcharts and
walk-throughs. Then the external auditor
identifies areas of risk and related key controls,
verifies the scope of testing, designs test plans
and determines sample sizes. The external auditor
then tests the controls’ operating effectiveness
and evaluates the test results with management and
the audit committee.
Phase six: Reporting.
Management prepares its section 404
assessment for inclusion in Form 10-K, reviews the
document with external auditors and determines who
within the company should sign the section 404
certifications. The attestation could include the
company’s general counsel and/or chief information
officer if they are heavily involved in the system
of internal control over financial reporting. At
this stage the external auditors summarize their
testing, review the test results and prepare a
draft opinion. After that they report their
conclusions to the audit committee, obtain a
management representation letter and prepare a
final opinion for inclusion in Form 10-K.
Marcum & Kliegman has four clients that
qualified as accelerated filers. Based on the
section 404 work our firm has done to date, we
developed a “top 10” list of section 404 best
practices that we use in our internal training
classes, client newsletters and public speaking
Start the process early.
Pending changes from the SEC, the
first nonaccelerated filers will have to report as
of July 15, 2007. That may seem a long way off,
but it is actually right around the corner, and
section 404 projects already should have started
at small-cap companies. Stress the need for
clients to self-assess to get a leg up on any
deficiencies before auditors come in.
Prepare a comprehensive risk assessment.
Focus on material accounts and
processes. Consider the primary reasons for
reports of material weaknesses and determine
whether the client needs improvement in the
Review of transactions (especially
last-minute journal entries).
Application of GAAP.
Staff expertise and training.
The control environment and
segregation of duties.
Internal control documentation.
Note: Small-cap companies with limited
accounting staffs will almost certainly need
assistance with some or all of the above areas.
Develop specific section 404 training
for your staff. Staff members
more experienced with debits and credits (that is,
posting to a general ledger and reconciling
accounts) will adapt to training more efficiently
and have better relations with clients. Hold
training sessions that focus on following a
transaction from initiation straight through to
the general ledger and financial statements to
help less experienced staff members get up to
Advise clients to appoint a section 404
team leader. The section 404
audit will run more smoothly if one person assumes
the leadership role, with responsibility for
keeping the project on track and acting as liaison
with the external auditors, consultants, internal
auditors, audit committee and key members of
management. This person should not be the CFO, CEO
or an external consultant. The ideal person is an
internal auditor or someone who will not be
distracted by monthly or quarterly closing
processes or financial reporting.
Carefully monitor and evaluate the
project team. The external
auditor must meet with the project team on a
regular basis and promptly inform management and
the audit committee if deadlines slip or the
internal control documentation is not adequate.
This oversight is especially critical if
management engages an outside consultant. There is
a booming cottage industry of section 404
consultants, and we found that not all consultants
are created equal. Given that large numbers of
companies will have to start reporting next year,
in addition to the existing accelerated filers,
there likely will be a shortage of section 404
qualified internal staff. However, the SEC’s
Advisory Committee on Smaller Public Companies may
modify section 404 small cap compliance rules
before then, which may change the marketplace.
Flowchart, flowchart, flowchart!
System narratives are nice, but
flowcharts rock. A well-designed flowchart
highlights the key controls in a fraction of the
time it takes to read a system narrative—and using
them is more fun. Ideally, the client should
prepare the flowcharts. When that’s not possible,
the external audit teams will need to do it for
smaller companies. We found Visio, Microsoft Excel
and PowerPoint easy to use and sufficient for most
Keep the audit committee informed.
Regular communication with the audit
committee is critical. A periodic audit committee
conference call will ensure there are no surprises
at the end.
Discuss deficiencies with management
promptly and candidly. While
about 14% of section 404 filers have reported
material weaknesses, virtually all filers have had
significant deficiencies reported to the audit
committee by the external auditor. When an auditor
finds a significant deficiency or material
weakness, it can result in a stressful
conversation with management—especially when
long-standing clients have had clean opinions on
previous financial statement audits (see “What We’re Up Against,”
What We’re Up Against
is a little exchange that took
place with one of our clients
Jim, we are doing a
walk-through of your
accounts-payable system and we
see that you paid a $7,500
invoice with two checks issued
on the same day, one for
$4,500 and one for $3,000. Can
you explain to us why this
CFO: Yes, of
course. We have a strict rule
that all checks over $5,000
have to be signed by at least
two authorized signers and we
had to get the check out that
day. Only one signer was
around, so we just cut two
But, Jim, issuing two checks
in this manner defeats the
purpose of having two signers
as a control procedure.
Wouldn’t you agree?
CFO: I see
your point. Well, I’ll just
have to make sure that the CEO
pre-signs some checks and
leaves them for me so I won’t
have that problem in the
Author: Needless to
say, we corrected his
An auditor who finds a significant deficiency
or material weakness should
Bring the problem to the attention of
management and the audit committee immediately.
Discuss the implications openly and
Offer suggestions for remediation.
Keep current with new developments.
Last year at this time there was
little formal guidance on how to perform an
internal control audit available to CPA firms.
Today guidance is available from the AICPA, the
SEC, the PCAOB and the Web sites of the Big 4 and
other national firms.
Use the work of others.
For the many smaller public
companies that don’t have full-time internal audit
staff, outsourced CFO or internal audit personnel
may be an effective alternative for internal
control documentation or testing. Find the best
service providers in these areas so you can offer
clients alternative help if they need it.
FOLD 404 INTO THE FINANCIAL STATEMENT AUDIT
Technically the section 404 audit and the
financial statement audits are integrated. So far,
however, external auditors have not been able to
use section 404 internal control testing in fiscal
yearend financial statement audits. This should
not be a surprise, given that Auditing Standard
no. 2 is relatively new and there was some
uncertainty about how to apply it. Still, the
PCAOB encourages integration and stressed this
point in a Board Policy Statement on May 16, 2005
One simple example of how an external
auditor can use internal control tests is to
design testing of the accounts-receivable revenue
cycle so interim customer accounts-receivable
balances are verified via confirmations or another
procedure. If weaknesses are noted in the system,
the sample size for the yearend confirmations can
be greatly reduced based on the internal controls.
Urge clients to get
going. A section 404 internal
audit should begin 12 to 18
months before the company’s
reporting deadline.
Use flowcharts. A
well-designed flowchart
highlights the key controls in
a fraction of the time it
takes to read a system
A good place to
start is to design testing of
revenue cycle, so interim
balances are verified via
The amount of additional work needed to
complete a section 404 audit generally will exceed
your expectations. For small business clients,
uncovering gaps in company controls “may well be
grimly costly,” said the Wall Street Journal
(August 15, 2005). In fact, audit fees for
accelerated filers have increased by 40% to 80%.
Plan accordingly and remember Murphy’s Law.
The Sarbanes-Oxley Act already has had a
profound impact on the accounting profession and
corporate America. Companies are now more
conscious of how and why they do what they do, and
in many cases they’ve improved or streamlined
their processes. CPAs at all levels of practice
need to consider the implications of section 404
for all types of clients. Nonpublic companies in
regulated industries, or any companies that wish
to do business with a public company, will benefit
from a clearer business model. Focusing on
internal control reporting in the future can help
achieve the goal of improved bottom-line results.