How to Comply with Sarbanes-Oxley Section 404

MICHAEL J. RAMOS, CPA, also author of Wiley Practitioner's Guide to GAAS and The Sarbanes-Oxley Section 404 Implementation Toolkit, is a consultant and professional writer primarily in auditing and accounting technical matters, and Vice President of AuditWatch. He has written numerous successful products, including nonauthoritative practice aids, implementation guides, and authoritative AICPA audit and accounting guides. In addition to text-based products, he has also authored a variety of training programs, including computer-based multimedia training and audio and video scripts. Ramos has written in the areas of ethics, auditing, and fraud detection.

Preface.Preface to the Second Edition.Acknowledgments.1. The Engagement Approach.Management's Required Assessment of the Entity's Internal Control.The Independent Auditor's Reporting Responsibilities.A Risk-Based, Top-Down Approach for Evaluating Internal Control.Considerations for Outside Consultants.Appendix 1A: Action Plan: Structuring the Engagement.Appendix 1B: Requirements for Management's Assessment Process: Cross Reference to Guidance.2. Internal Control Criteria.The Need for Control Criteria.The COSO Internal Control Integrated Framework.Information and Communication.Monitoring.Business Process Activities.Controls Over Information Technology Systems.Appendix 2A: Example Value Chains.Appendix 2B: Internal Control for Small Business.3. Project Planning.The Objective of Planning.Information Gathering for Decision Making.Information Sources.Structuring the Project Team.Coordinating with the Independent Auditors.Documenting Your Planning Decisions.Appendix 3A: Action Plan: Project Planning.Appendix 3B: Summary of Planning Questions.4. Identifying Significant Control Objectives.Introduction.Entity-Level Control Objectives Presumed to Be Significant.System-Wide Monitoring.Identifying Significant Activity-Level Control Objectives.Coordinating with the Independent Auditors.Appendix 4A: Action Plan: Identifying Significant Control Objectives.Appendix 4B: Example Significant Control Objectives.Appendix 4C: Map to the COSO Framework.Appendix 4D: Map to the Auditing Literature.5. Documentation of Significant Controls.Documentation: What It Is ... And Is Not.Assessing the Adequacy of Existing Documentation.Documentation of Entity-Level Control Policies and Procedures.Documenting Activity-Level Controls.Sarbanes-Oxley Automated Compliance Tools.Coordinating with the Independent Auditors.Appendix 5A: Action Plan: Documentation.Appendix 5B: Linkage of Significant Control Objectives to Example Control Policies and Procedures.6. Testing and Evaluating Entity-Level Controls.Introduction.Internal Control Reliability Model.Overall Objective of Testing Entity-Level Controls.Testing Techniques.Evaluating the Effectiveness of Entity-Level Controls.Documenting Test Results.Coordinating with the Independent Auditors.Appendix 6A: Action Plan: Testing and Evaluating Entity-Level Controls.Appendix 6B: Survey Tools.Appendix 6C: Example Inquiries of Management Regarding Entity-Level Controls.Appendix 6D: Guidance for Designing an IT General Controls Review.7. Testing and Evaluating Activity-Level Controls.Introduction.Confirm Your Understanding of the Design of Controls.Assessing the Effectiveness of Design.Operating Effectiveness.Evaluating Test Results.Documentation of Test Procedures and Results.Coordinating with the Independent Auditors.Appendix 7A: Action Plan: Documentation.Appendix 7B: Example Inquiries.8. Evaluating Internal Control Deficiencies and Reporting on Internal Control Effectiveness.Internal Control Reporting-No Material Weaknesses.Internal Control Reporting-Material Weaknesses.Expanded Reporting on Management's Responsibilities for Internal Control.Coordinating with the Independent Auditors and Legal Counsel.Appendix 8A: Action Plan: Reporting.Appendix 8B: Example Disclosures of a Material Weakness.Appendix 8C: Example Reports on Management's Responsibilities for Reporting and Internal Control.Appendix 8D: A Framework for Evaluating Control Exceptions and Deficiencies: Version 3.Index.