Implementing Section 404

A Practical Approach to the Sarbanes-Oxley Act

By Joel C. Quall

The Sarbanes-Oxley Act requires that all public companies do something that they probably should have been doing anyway: assign the CEO and the CFO authority over the company’s internal controls and the opportunity to demonstrate competent and transparent governance, not just to the SEC but to shareholders and the financial community in general. While some public companies may previously have managed with less-than-stellar internal controls, those days are over.

To gain effectiveness and efficiency from implementing the act’s requirements, companies should begin with a clear understanding of the objectives and requirements and develop an executable plan. Compliance deadlines will be met, work processes will flow more smoothly, and along the way, hidden value may be revealed. In short, the silver lining of Sarbanes-Oxley may be that it gives companies the motivation and means to improve themselves.
A company’s implementation of Sarbanes-Oxley section 404 should have a dual focus: compliance and internal controls enhancement. The company will need defined objectives, clear requirements, proper resources, and an achievable schedule.


Section 404 reads as follows:

The Commission shall prescribe rules requiring each annual report required by Section 13 (a) or 15 (d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall—

1. State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
2. Contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

In February 2004, the SEC extended the deadline for compliance with section 404. Accelerated filers (defined as U.S. companies with a market capitalization exceeding $75 million) must be in compliance for their first fiscal year ending on or after November 15, 2004. For nonaccelerated filers, compliance is required beginning with the company’s first fiscal year ending on or after July 15, 2005.

Benefits of Implementing Section 404

Although section 404 clearly defines requirements for disclosure of internal controls, the larger issue is how well a company understands internal controls. Implementing section 404 presents a great opportunity to enhance the efficiency and value of the company. Potential immediate benefits include the following:

Training, education, and development of personnel. Many employees perform their duties and responsibilities by rote. Evaluation encourages employees to take a closer look and discover new ways to improve their efficiency and ultimately become a more capable workforce. Another benefit from the evaluation process is the opportunity for cross-training employees for more than their present duties and responsibilities. A thoroughly cross-trained workforce that is knowledgeable about its job functions and how they affect the company means employees who work smarter, not harder.

Improving the efficiency of the company. Companies that ask their financial employees why they do certain things are often surprised to find that a particular procedure or task has no effect on the financial statements.

By documenting procedures, companies will expand awareness, allowing them to become more efficient in reducing operating costs, eliminating pointless or redundant processes, and maintaining correct staffing levels. Human capital makes the critical difference; assigning the right personnel to the right task and department enables companies to be most effective.

For example, efficiencies allow a company to reduce the number of days needed to close its books. Documenting and testing the financial transaction cycles enables a company to develop or update its policy and procedure manual, and leads to more-effective accounting and governance practices. A company with foreign operations or multiple subsidiaries can become streamlined, with one unified financial accounting reporting system and one policy and procedure manual.

Upgrading board of directors and audit committee members. Many recent corporate accounting failures are traceable to members of the board of directors or audit committee, who have been criticized for poor supervision of company senior executives. Sarbanes-Oxley mandates that audit committees designate a board member as a “financial expert” as a way to improve the quality of members of the board of directors and audit committee.

Other benefits. Implementation of section 404 may lead to some surprises, discovery of weaknesses in the internal control system, or even revelation of past or present fraud. Companies should prepare by deciding in advance how to manage such a finding, bearing in mind that for a company to find its own flaws is preferable to others finding them.

Companies that are considering an initial public offering (IPO) should have a good grasp of what reporting requirements public companies face. By complying with Sarbanes-Oxley, companies take steps toward compliance so they can meet SEC and stock exchange listing requirements as soon as possible. Building these requirements into the structure of a company that is considering an IPO costs less than making changes later.

Privately held companies, although not legally obligated to comply with Sarbanes-Oxley, may also choose to voluntarily implement section 404 as part of an overall plan to improve business practices and to be prepared in case similar legislation is passed on the state or local level.

Definition of Internal Controls

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) created a model of internal control. COSO broke down internal control into five interrelated components in order to simplify a company’s organizational plan of all activities that go into an efficient internal control structure.

COSO defined internal control as “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the objectives” in the following categories:

  • Effectiveness and efficiencies of operations;
  • Reliability of financial reporting; and
  • Compliance with applicable laws and regulations.

Control environment. This component of internal control sets the tone of a company and is the foundation for all other components of internal control: discipline, structure, integrity, ethical values, employee competence, management’s philosophy and operating style, and the leadership provided by senior management and the board of directors.

Risk assessment. Risk assessment is the establishment of objectives, and the identification and analysis of risks to achievement, forming a basis for determining how the risks should be managed.

Control activities. These are the policies and procedures that ensure management directives are executed. They include activities such as approvals, authorizations, verifications, reconciliations, reviews of operating performance, the safeguarding of assets, and the segregation of duties.

Information and communication. Information must be identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities. Personnel must understand their own role in internal control, as well as how individual activities relate to others. Employees must have the means to communicate information upstream, with customers, suppliers, regulators, and shareholders.

Monitoring. The internal control process must be monitored. This is accomplished through management’s ongoing assessment of the performance of internal control. Ongoing monitoring allows the internal control process to react to changing conditions of the company.

The SEC issued a final rule titled “Management’s Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports” (Release No. 33-8238), which became effective August 14, 2003. The final rule defines “internal control over financial reporting” as:

A process designed by, or under the supervision of, the registrant’s principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:

(1) Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant;
(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant; and
(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant's assets that could have a material effect on the financial statements.

The final rule attempts to link governance controls with control activities of COSO. Time and again since Sarbanes-Oxley was passed, COSO has been identified as the preferred internal control framework. The objectives of the COSO framework include improving efficiency and profitability, preventing fraud, and developing accurate financial reporting. Companies that follow the COSO framework will build an efficient internal control structure and be in compliance with the final rule of the SEC.

Developing and Executing the Implementation Plan

Once a company understands the above internal control model, it can implement section 404 using a five-step methodology.

Step 1: Form the sponsoring committee, the implementation team, and the formal written plan. The success of an internal controls project depends upon the endorsement and ongoing support of senior management and the board of directors. Senior management should believe that implementing section 404 is more than a legal obligation; in the long run, doing so will increase the value of the company.

The ultimate success of all projects derives from a company’s values—its culture of integrity, honesty, and high ethical standards. This tone is set at the top. In addition to senior management setting the tone, resources must be available to the project. The implementation team, as defined below, must hold the authority to make critical decisions and allocate resources when and where needed. Two major resources that senior management must contribute are time and personnel. Once senior management decides on the requirements and commits to the project, speed is essential. A small, focused, motivated team, staffed by the best experts that the company can afford, is the best means to success.

A carefully conceived plan is key. A clear statement of requirements must be followed by a timeline with obtainable milestones and a realistic estimate of required resources. This becomes a proper workplan when the form of deliverables is developed and included. Communication with outside professionals, such as the audit firm and legal counsel, is important. They should be in agreement with the process, especially because the audit firm will ultimately be called upon to certify the process.

Sponsoring committee. The company should organize a sponsoring committee that is charged with defining the requirements for the implementation team. The sponsoring committee will also supervise the implementation team and be responsible for seeing that the team’s duties and responsibilities are executed.

This approach is geared toward a large company and may be impractical for a small or medium-sized company. Such companies may wish to combine the sponsoring committee and the implementation team.

The sponsoring committee will define the requirements for the project, which are then signed off on by the CEO, the CFO, the in-house legal counsel, the board of directors, and the members of the audit committee. This committee must take responsibility for ensuring that the right questions are asked at the right time; for seeing that the implementation team has the proper resources and ongoing executive support; for signing off on the implementation plan; and for monitoring progress and reporting back to the board of directors, audit committee, and outside professionals (i.e., outside legal counsel and auditors). The implementation team may issue a weekly or monthly report to all internal parties as well as to outside legal counsel and auditors. Before any report is released to outside parties, however, in-house counsel should review it for potential legal issues.

Implementation team. This team is responsible for developing the implementation plan, submitting it to the sponsoring committee for approval, and executing it. The team must generate all supporting documentation, including a new policy-and-procedure manual. The team must represent the company’s disciplines and should include the following individuals:

  • Chief accounting officer
  • Accounting department representatives
  • Members of the internal audit department
  • Chief information officer
  • Members of the information technology department
  • Representatives of foreign subsidiaries
  • Representatives of key business units
  • Members of the treasurer’s department.

The implementation team should formally present the plan in writing to the sponsoring committee. Once approved, the plan will serve as a roadmap for the implementation team.

If internal control weaknesses are noted during the implementation, the team should address plans to remedy them as soon as possible. After the initial process, the implementation team should meet on a monthly basis to monitor the internal control structure.

Step 2: Document the financial cycles. Virtually all public companies already have some semblance of an internal control structure in place, however informally it may be documented. Documenting financial cycles allows the company to assess the effectiveness of internal controls at an acceptable level of errors or omissions. The documentation process should reflect the internal control objectives and identify any internal control deficiencies that may exist.

Documentation can take different forms. Three common methods of documenting the understanding of internal control are narratives, flowcharts, and internal control questionnaires. These can be used separately or in combination.

The preferred documentation methods are narrative workflow and a flowchart of the financial cycles. The documentation should be traced back to the policy-and-procedure manual, if one exists, which should be updated if any deviations are noted. If the company has systems descriptions, these are a good starting point.

A narrative is a written description of a company’s internal controls and financial cycles and should include the following:

  • Descriptions of every document and record used in the accounting system.
  • Descriptions of every process that occurs, whether manual or computer-generated, drilled down to the lowest level possible (e.g., preparation of purchase orders with the applicable sign-offs).
  • Descriptions of the disposition of every document and record in the system.
  • Indications of the identified control related to the document or procedure. For example: authorizations and approvals, preparer and reviewer sign-offs, verification, and separation of duties.

A flowchart is a symbolic representation of a company’s flow of documents and processes. The flowchart can be a better representation of document workflow and separation of duties as the documents and processes go through the financial cycle. Flowcharts have the advantage of being easily updated on a periodic or as-needed basis.

An internal control questionnaire can be obtained from outside audit firms. These questionnaires are very generic and can be difficult to customize if the questionnaire is not received in an electronic format.

Software companies, such as SAP, PeopleSoft, Oracle, and others, have developed software evaluation tools that help users automate the documentation of their internal control structure. Although technology has made the documentation process easy, a well-trained user of the software must be able to correctly understand the computer-generated documentation and evaluate its findings and conclusions.

Step 3: Test transactions. The test of transactions is a method to verify that identified internal controls are performing as they were designed to do. The test of transactions should be performed in two directions, each tracing transactions through the computer and manual processes involved.

Cradle-to-grave. The first direction is a sample made of certain source documents (e.g., vendor invoice, sales transaction, subsidiary ledger balance) and is traced through to the financial statement balance. The test of transactions in this direction addresses two questions:

  • Do the internal controls handle the transactions in the manner designed?
  • Do all the transactions reach the financial statements?

Grave-to-cradle. The test in this direction traces a sampling of transactions from the financial statement balance back to the source document. The test of transactions in this direction addresses the issue of whether all data contained in a financial account balance is supported by source documentation.

In both directions, the sample of transactions tested should be selected using a sampling technique. Sampling techniques can employ either a judgmental or statistical approach. An example of a judgmental approach is a systematic selection of days of the fiscal year or every 100th transaction in a numerical sequence. A statistical approach would take random samples from among all transactions.
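The two test directions and the two sampling approaches can be sketched as follows. This is an added illustration, not part of the original article; the record layouts, invoice numbers, and the three seeded defects are constructed for the example.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SourceDoc:          # e.g. a vendor invoice (constructed layout)
    doc_id: str
    amount_cents: int


@dataclass(frozen=True)
class Posting:            # one ledger line behind a financial statement balance
    posting_id: int
    doc_id: str
    amount_cents: int


def systematic_sample(items, interval):
    """Judgmental approach: every `interval`-th item in numerical sequence."""
    return items[interval - 1::interval]


def random_sample(items, size, seed):
    """Statistical approach: simple random sample without replacement."""
    return random.Random(seed).sample(items, size)


def cradle_to_grave(sampled_docs, ledger):
    """Trace source documents forward: did each reach the ledger, unchanged?"""
    posted = {}
    for p in ledger:
        posted.setdefault(p.doc_id, []).append(p.amount_cents)
    exceptions = []
    for doc in sampled_docs:
        amounts = posted.get(doc.doc_id)
        if amounts is None:
            exceptions.append((doc.doc_id, "not posted"))
        elif sum(amounts) != doc.amount_cents:
            exceptions.append((doc.doc_id, "amount differs"))
    return exceptions


def grave_to_cradle(sampled_postings, source_docs):
    """Trace ledger postings back: is each supported by a source document?"""
    known = {d.doc_id for d in source_docs}
    return [(p.posting_id, p.doc_id)
            for p in sampled_postings if p.doc_id not in known]


def build_constructed_books():
    """Constructed data: 1,000 invoices and a ledger with three seeded defects."""
    docs = [SourceDoc(f"INV-{n:04d}", 1000 + n) for n in range(1, 1001)]
    lines = []
    for d in docs:
        if d.doc_id == "INV-0300":
            continue                                   # defect: never posted
        bump = 500 if d.doc_id == "INV-0700" else 0    # defect: wrong amount
        lines.append((d.doc_id, d.amount_cents + bump))
    lines.insert(49, ("INV-9999", 25000))              # defect: no source document
    ledger = [Posting(i + 1, doc_id, amt) for i, (doc_id, amt) in enumerate(lines)]
    return docs, ledger


if __name__ == "__main__":
    docs, ledger = build_constructed_books()
    print(cradle_to_grave(systematic_sample(docs, 100), ledger))
    print(grave_to_cradle(systematic_sample(ledger, 50), docs))
    print(cradle_to_grave(random_sample(docs, 25, seed=7), ledger))
```

The systematic samples catch the seeded defects only because they were placed on sampled positions; a 25-item random sample from 1,000 documents will usually miss both forward-trace defects, which is why sample size matters when setting the acceptable error level.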

The tests of transactions should be designed to test management assertions as defined in SAS 31, Evidential Matter, which classifies management assertions into five categories:

  • Existence or occurrence. This assertion deals with whether assets, liabilities, and equity included in the balance sheet actually existed on the balance sheet date. Additionally, the assertion of occurrence is concerned with whether recorded transactions included in the financial statements actually occurred during the period. This assertion is concerned with the inclusion of amounts that should have been included (e.g., inventory that exists and is available for sale at the balance sheet date).
  • Completeness. This assertion states that the financial statements include all transactions and accounts that should be presented. It is concerned with the possibility of omitting items from the financial statements that should have been included (e.g., a sales-cutoff test to determine that sales are recorded in the proper accounting period).
  • Valuation or allocation. This assertion is related to whether the asset, liability, equity, revenue, and expense accounts have been included in the financial statements at appropriate values (e.g., fixed assets stated at the net book value).
  • Rights and obligations. This assertion is related to whether the assets are the rights of the company and the liabilities are the obligations of the company at the balance sheet date.
  • Presentation and disclosure. This assertion is related to whether components of the financial statements are properly classified, grouped, or reported separately and disclosed in the financial statements (e.g., liabilities properly recorded as a current or long-term liability).

Step 4: Evaluate. After the tests of transactions are performed, the results must be evaluated. The documentation should describe the procedures used and the results obtained about operating effectiveness to provide a basis for their conclusion. If, during the evaluation, internal control deficiencies are identified, plans to remedy these internal controls should be documented and implemented as soon as possible.

Internal control deficiencies are classified into two categories:

  • Reportable conditions are significant deficiencies in the design or operation of the internal control structure that could adversely affect the company’s ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements.
  • A material weakness is a reportable condition that is so serious that the design or operation of one or more of the specific internal control elements does not reduce to a relatively low level the risk that errors or irregularities in amounts that would be material to the accuracy of the financial statements may occur and not be detected within a timely period by employees in the normal course of performing their assigned tasks. The presence of a material weakness may indicate that the internal control structure is not effective.

A company must take corrective action to remedy an internal control deficiency as soon as it is noted. The corrected internal control procedure must be in place and in operation for a period of time prior to the reporting date for management to be able to evaluate the corrected control and conclude that the control is operating effectively as of the reporting date.

A review of prior years’ audit management letters should be made to determine that all past identified weaknesses are addressed. A company may decide to upgrade existing computer systems, purchase a new accounting software system, or improve the integration of computer processes with the manual processes.

The evaluation does not end here. Pursuant to SEC rules, a company must report on internal control for every reporting period. The evaluation of internal control is an ongoing process and must become part of the culture of every company. The evaluation of internal control should always be extensive, but the collection of information does not have to be as extensive as the initial implementation. Companies should update the internal control process on a quarterly basis, and fully evaluate it annually. Additionally, when a company acquires another company, the acquirer must evaluate whether the acquisition will have a material effect on its internal control structure.

Exhibit 1 and Exhibit 2 illustrate documentation forms for assessment of internal controls.

Step 5: Report. When the SEC final rule (Release No. 33-8238) became effective on August 14, 2003, it stated that the company’s annual Form 10-K must report management’s responsibilities to establish and maintain adequate internal controls over financial reporting.

The report of management should contain the following:

  • A statement of management’s responsibility for establishing and maintaining adequate internal controls over financial reporting for the company;
  • A statement identifying the framework used by management to conduct the required evaluation of the effectiveness of the company’s internal controls over financial reporting;
  • Management’s assessment of the effectiveness of the company’s internal controls over financial reporting as of the end of the company’s most recent fiscal year, including a statement as to whether the company’s internal control over financial reporting is effective. The assessment must disclose any material weaknesses in the company’s internal controls over financial reporting identified by management. Management is not permitted to conclude that the company’s internal controls over financial reporting are effective if there are one or more material weaknesses in the company’s internal controls over financial reporting; and
  • A statement that the auditor has issued an attestation report on management’s assessment of the registrant’s internal controls over financial reporting.

Companies sometimes need to reinvent themselves to succeed. Companies that focus merely on legal compliance with the Sarbanes-Oxley Act will miss the potential benefits of using the act’s provisions as a catalyst for company-wide change. Companies can leverage the Sarbanes-Oxley provisions to improve employee efficiency and productivity, streamline operations, and make better financial decisions through timelier financial information. The Sarbanes-Oxley Act represents an opportunity to elevate corporate integrity, restore investor confidence, and move the economy forward.

Joel C. Quall, CPA, is manager of technical accounting and internal control at MarketAxess Holdings Inc., and a member of the NYSSCPA’s Chief Financial Officers Committee. He can be reached at




















The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2009 The New York State Society of CPAs.