Complying with Sarbanes–Oxley Section 404: A Guide for Small Publicly Held Companies

LYNFORD GRAHAM , CPA, PhD, CFE, is coeditor of Accountants Handbook, Eleventh Edition; Internal Controls: Guidance for Private, Government, and Nonprofit Entities; and contributing author to Montgomery's Auditing , Twelfth Edition, all published by Wiley. He is also the author of Information Technology Audits. Dr. Graham consults on professional accounting and auditing matters, focusing on multidimensional problem solving requiring "leading-edge" thinking and "hands-on" management. With diversified experience as author, executive, consultant, auditor, and educator, he has a solid record of accomplishments, having served on the AICPA Auditing Standards Board.

Preface ix Acknowledgments xi About the Author xiii CHAPTER 1 Introduction and Company Requirements 1 Chapter Summary 1 Lessons Learned 1 Management's Evaluation of Internal Control 4 SEC Company Requirements 8 Working with the Independent Auditors 23 CHAPTER 2 The COSO Internal Control Framework 25 Chapter Summary 25 Need for Control Criteria 25 The Triangle of Efficiency 26 COSO Internal Control Integrated Framework 27 Information and Communication 50 Internal Control for Small Businesses 54 Information Technology Controls 58 Control Objectives and Assertions: The Building Blocks of Controls Documentation 64 Example Control Objectives by COSO Component 65 Appendix 2A: Understanding and Awareness of Control Responsibilities 71 Appendix 2B: Management Antifraud Programs and Controls: An Element of the Control Environment 73 Appendix 2C: Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees 95 CHAPTER 3 Project Scoping 97 Chapter Summary 97 Introduction 97 Does "In Scope" Imply Extensive Testing? 100 Review Obvious Information Sources 103 A Process for Risk Assessment 116 Appendix 3A: Summary of Scoping Inquiries 133 Appendix 3B: Understanding Fraud Risk Assessment 137 CHAPTER 4 Project Planning 143 Chapter Summary 143 Objective of Planning 143 Information Gathering for Decision Making 144 Structuring the Project Team 147 Consider Project Tools and Software 153 Consider a Pilot Project 163 Coordinating with the Independent Auditors 167 Documenting Your Planning Decisions 169 CHAPTER 5 Documentation of Internal Controls 173 Chapter Summary 173 Importance of Documentation 173 Assessing the Adequacy of Existing Documentation 175 Documentation Supporting the Control Environment 177 Documenting Activity-Level Controls 182 Finding Control Activity Control Objectives 208 Appendix 5A: Sample Control Objectives for Major Control Activities 210 Appendix 5B: Linkage of Significant Control Objectives to Example Control Policies and Procedures 223 CHAPTER 6 Testing and Evaluating Entity-Level Controls 231 Chapter Summary 231 Overall Objective of Testing Entity-Level Controls 231 Testing Techniques and Evidence 234 Evaluating the Effectiveness of Entity-Level Controls 252 Documenting Test Results 257 Appendix 6A: Conducting Interviews: Gathering Internal Control Information 259 Appendix 6B: Example Practice Aids Gathering Internal Control Information 267 Appendix 6C: Example Inquiries of Management Regarding Entity-Level Controls Gathering Internal Control Information 274 CHAPTER 7 Testing and Evaluating Activity-Level Controls 281 Chapter Summary 281 Introduction 281 Confirm Your Understanding of the Design of Controls First 281 Assessing the Effectiveness of Design 286 Assessing Operating Effectiveness 288 Evaluating Test Results 304 Documentation of Test Procedures and Results 305 Interactions with the Independent Auditors 305 Appendix 7A: Sample Size Tutorial 307 Appendix 7B: Example Inquiries 310 CHAPTER 8 Evaluating Control Deficiencies and Reporting on Internal Control Effectiveness 313 Chapter Summary 313 Control Deficiencies 313 Evaluating Control Deficiencies 314 Annual and Quarterly Reporting Requirements 326 Reporting on Management's Responsibilities for Internal Control 332 Required Company and Auditor Communications 333 Reporting the Remediation of Weaknesses 337 Coordinating with the Independent Auditors and Legal Counsel 337 Appendix 8A: Action Plan: Reporting 339 Appendix 8B: Assessing the Potential Magnitude of a Control Deficiency 341 KEY RESOURCES 345 Final Rule: Management's Report on Internal Control over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports 345 Index