SOX 404 Documentation - Acadêmico de Direito da FGV

Sarbanes-Oxley Section 404
June 29, 2005
Table of Contents

• SOX 404 Background (p. 3)
• SOX 404 Goals (p. 4)
• SOX 404 Requirements (p. 5)
• SOX 404 Assertions (p. 6)
• SOX 404 Compliance (p. 7)
• COSO – Internal Controls (p. 8)
• COSO – Internal Controls Framework (p. 9)
• Why Do You Really Care About SOX 404? (p. 10)
• Things You Can Do (p. 11)
SOX 404 Background
In response to the scandals in corporate financial reporting, Congress enacted the Sarbanes-Oxley Act (“SOX”) in 2002. The Securities and Exchange Commission (SEC) oversees compliance with the Act by publicly traded companies, and the Public Company Accounting Oversight Board (“PCAOB”) drives that compliance.
SOX Section 404 requires each annual report to contain an internal control report that (1) states management’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and (2) contains an assessment of the effectiveness of the issuer’s internal control structure and procedures for financial reporting.
Filing due dates:
• Fiscal years ending on or after November 15, 2004 for accelerated filers (i.e., market capitalization in excess of $75 million)
• Fiscal years ending on or after July 15, 2006 for non-accelerated filers
SOX 404 Goals
The goals of a SOX 404 program are to ensure that enterprise internal controls are of such quality that there will be:
• no material weaknesses that must be reported at the registrant level by either management or the external auditor;
• no significant deficiencies that must be reported at the registrant level by either management or the external auditor to the Audit Committee of the Board of Directors; and
• no material misstatements of the company’s financial statements.
SOX 404 Requirements
Client management must:
• Document and test the internal controls over financial reporting
• Issue an annual assertion on the effectiveness of internal control over financial reporting

External auditors must:
• Determine nature, timing, and extent of testing
• Review work performed by management
• Perform some independent tests of controls
• Attest and report on:
  – Management’s 404 assertion process
  – Design and effectiveness of internal controls
SOX 404 Overview – Assertions
In order to make the assertion, the client must:
• Document and evaluate the design of controls
• Evaluate the operating effectiveness of significant controls
• Identify significant deficiencies or material weaknesses
• Document the results of the evaluation
• Communicate findings (e.g., significant deficiencies and material weaknesses) to the independent auditor

Note: Absence of sufficient evidence to support the Company’s assessment may constitute a significant deficiency that results in a report qualification by the external auditors.
SOX 404 Compliance
COSO – Internal Controls

COSO provides the PCAOB’s accepted basis for establishing internal control systems and determining their effectiveness.
• COSO stands for “Committee of Sponsoring Organizations”
• Originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting (aka “The Treadway Commission”)
• The sponsoring organizations include:
  – American Institute of Certified Public Accountants (AICPA)
  – The Institute of Internal Auditors (IIA)
  – Financial Executives International (FEI)
  – Institute of Management Accountants (IMA)
  – American Accounting Association (AAA)
• Published two documents, with one pending:
  – 1992 – Internal Controls – Integrated Framework
  – Mid 1990s – Internal Control on Derivative Issues
  – Early 2004 – Enterprise Risk Management Framework
COSO – Internal Control Framework

The framework diagram relates an organization’s control objectives to the five COSO components of internal control:
• Control environment: the control conscience of an organization; the “tone at the top”
• Risk assessment: the evaluation of internal and external factors that impact an organization’s performance
• Control activities: the policies and procedures that help ensure that actions identified to manage risk are executed and timely
• Information and communication: the process which ensures that relevant information is identified and communicated in a timely manner
• Monitoring: the process to determine whether internal control is adequately designed, executed, effective and adaptive
Why Do You Really Care About SOX 404?
Non-profit companies (country clubs) and non-publicly traded companies (hotels) are not required to comply with SOX 404 requirements.
Reasons to care:
• Board members are responsible for the establishment and maintenance of good corporate governance – All
• Financing sources (banks and investors) want assurance that the financial statements are not misrepresented – All
• Owners want assurance that the financial statements are not misrepresented – Hotels
• Risk of membership loss due to fraudulent practices disclosed to the public – Country clubs
• If acquired by a publicly traded company, SOX 404 compliance is required – Hotels
Things You Can Do
Steps to take to enhance your internal controls:
• Establish an audit committee to provide financial reporting and internal control expertise, along with oversight on such matters
• Establish a “whistle-blower” policy to provide the means and safeguards to those who identify fraudulent practices
• Assess the risk associated with the processes that make up your organization (e.g., sales/revenue, cash, accounts receivable, fixed assets, accounts payable, payroll, etc.)
• For high-risk areas and processes, ask yourself “What could go wrong?” and address the answers to that question (e.g., segregation of duties)