
THE SARBANES-OXLEY
SECTION 404
IMPLEMENTATION
TOOLKIT
Practice Aids for Managers
and Auditors

MICHAEL RAMOS

John Wiley & Sons, Inc.


This book is printed on acid-free paper.

Copyright © 2005 by Michael Ramos. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey
Published simultaneously in Canada
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-646-8600, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, or online at

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

Designations used by companies to distinguish their products are often claimed as trademarks. In all instances where John Wiley & Sons, Inc. is aware of a claim, the product names appear in initial capital or all capital letters. Readers, however, should contact the appropriate companies for more complete information regarding trademarks and registration.

For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.
Library of Congress Cataloging-in-Publication Data:
Ramos, Michael J.
The Sarbanes-Oxley section 404 implementation toolkit: practice aids for managers and auditors / Michael J.
Ramos.
p. cm.
Includes index.
ISBN-13 978-0-471-71225-6 (cloth/cd-rom)
ISBN-10 0-471-71225-6 (cloth/cd-rom)
1. Corporations—Accounting—Corrupt practices—United States. 2. Corporations—Accounting—Law
and legislation—United States. 3. Disclosure of information—Law and legislation—United States. I. Title.
HF5686.C7R3483 2005
658.15'1—dc22
2004027094

Printed in the United States of America
10 9 8 7 6 5 4 3 2 1


Contents

About the Author    ix
Preface    xi
Acknowledgments    xv

Part I  Tools for Management    1
ADM-1     General Work Program    3
ADM-2     Project Planning Summary    17
ADM-2a    Checklist for Summarizing Project Team Competence and Objectivity    31
ADM-2b.1  Worksheet for Determining and Documenting Significant Accounts and Disclosures    34
ADM-2b.2  Mapping of Business Processes to Significant Accounts and Disclosures    40
ADM-2c    Example Inquiries to Identify Changes to Internal Control    48
ADM-3     Summary of Control Deficiencies    50
ADM-4     Senior Management Review Checklist    71
ADM-5     Checklist for Preparation of Management’s Report on Internal Control Effectiveness    76

Part II  Documentation of Internal Control Design    81
DOC-1     Work Program for the Review of Documentation of Entity-Level Controls    83
DOC-1a    Assessment of Internal Control Effectiveness: Overall Approach to Review of the Documentation of Entity-Level Controls    86
DOC-1b    Assessment of Internal Control Effectiveness: Checklist for the Review of the Documentation of Entity-Level Controls    90
DOC-2     Work Program for the Review of Documentation of Activity-Level Controls    106
DOC-2a    Assessment of Internal Control Effectiveness: Overall Approach to Review of the Documentation of Activity-Level Controls    108
DOC-2b    Checklist for the Review of the Documentation of a Significant Transaction or Business Unit/Location    111
DOC-3     Documentation Techniques and Selected Examples for Routine Transactions    113
DOC-4     Checklist for Evaluating SOX 404 Software    136

Part III  Internal Control Testing Programs    139
Entity-Level Controls Testing Tools    141
TST-ENT-1   Summary of Observations and Conclusions about Entity-Level Control Effectiveness    145
TST-ENT-2   Work Program for Testing Entity-Level Control Effectiveness    163
TST-ENT-3   Index to Tests of Entity-Level Controls: Inquiries and Surveys    191
TST-ENT-3a  Entity-Level Tests of Operating Effectiveness: Inquiry Note Sheets—Management    196
TST-ENT-3b  Entity-Level Tests of Operating Effectiveness: Inquiry Note Sheets—Board Members    207
TST-ENT-3c  Entity-Level Tests of Operating Effectiveness: Inquiry Note Sheets—Audit Committee Members    213
TST-ENT-3d  Entity-Level Tests of Operating Effectiveness: Inquiry Note Sheets—Employees    220
TST-ENT-3e  Example Employee Survey    227
TST-ENT-4   Index to Tests of Entity-Level Controls: Inspection of Documentation    235
TST-ENT-4a  Worksheet to Document Inspection of Documentation of Performance of Entity-Level Controls    237
TST-ENT-5   Index to Tests of Entity-Level Controls: Observation of Operations    240
TST-ENT-5a  Worksheet to Document Observation of Operation of Entity-Level Controls    242
TST-ENT-6   Index to Tests of Entity-Level Controls: Reperformance of Controls    245
TST-ENT-6a  Worksheet to Document Reperformance of Entity-Level Controls    247
TST-ENT-7   Work Program for Reviewing a Report on IT General Control Effectiveness    250
TST-ENT-7a  Planning and Review of Scope of Tests of IT General Control Effectiveness    255
Guidelines for Testing Level of Control Effectiveness    261
TST-ACT-1   Guidelines and Example Inquiries for Performing Walkthroughs    269
TST-ACT-2   Example Testing Program for Activity-Level Tests of Controls    277
TST-ACT-2a  Example Testing Program for Control Operating Effectiveness: Revenue    278
TST-ACT-2b  Example Testing Program for Control Operating Effectiveness: Purchases and Expenditures    283
TST-ACT-2c  Example Testing Program for Control Operating Effectiveness: Cash Receipts and Disbursements    287
TST-ACT-2d  Example Testing Program for Control Operating Effectiveness: Payroll    291
TST-ACT-3   Work Program for the Review of a Type 2 SAS No. 70 Report    295
TST-ACT-3a  Type 2 SAS No. 70 Report Review Checklist    298
TST-ACT-4   Process Owners’ Monitoring of Control Effectiveness    305

Part IV  Example Letters and Other Communications    311
COM-1     Example Engagement Letter for Outside Consultants to Management    313
COM-2     Example Management Representation Letter    316
COM-3     Example Management Reports on Effectiveness of Internal Control over Financial Reporting    318
COM-4     Example Subcertification    320

Part V  Tools for External Auditors Performing an Audit of Internal Control    323
ADM-AUD-1  General Audit Program    325

About the CD-ROM    343
Index    345




About the Author
Michael Ramos was an auditor with KPMG and now works as an author and consultant.
He is the author of How to Comply with Sarbanes-Oxley Section 404: Assessing the Effectiveness of Internal Control. This is his tenth book.




Preface
As I write this, companies are nearing the completion of their inaugural SOX 404 internal control assessment. For many, this process has been a struggle. I’ve met more than a few people who say they’ll end up spending two years working to comply, their companies having spent untold millions of dollars. Soon, their work will be complete, and all involved will feel the lifting of a heavy weight from their shoulders as well as a great sense of professional pride. They’ll take a much deserved rest.

And then . . .

It starts all over. Spring ’05, SOX II. Then the next year and the year after, SOX III, SOX IV, like a string of Hollywood B movies. While all the attention has focused on first-year implementation, very few have had the time or desire to acknowledge that SOX 404 is with us now, a part of the way we do business.

The challenge in this first year has been compliance—understanding the ever-changing requirements and then committing all the resources necessary to get the job done. But now that you’ve made it through the first year, a new challenge awaits. Resources are finite. How do you now build on the process you created last year—cobbled together in response to the rapidly evolving rules—to create a methodology that is repeatable and able to be taught to and understood by someone who was not part of the core project team? What can you do to make the assessment of internal control more effective and less of a drain on already limited resources?

This book started out to be a collection of forms and checklists. It turned out to be something much different and, hopefully, more valuable. What I discovered was that creating this book was not about the forms; it’s about the underlying process for SOX 404 compliance that the forms describe. Writing this book turned out to be an exercise in process engineering, not in form design. The critical questions asked during writing were always: “What should people do to comply?” “What’s the best way for them to do that?” “How do the results of this work tie in to other parts of the process?” Once I figured out those questions, designing the checklist was fairly easy. All the practice aids in this book are just parts of a road map to lead you through a process that I’ve mapped out.

This process is still a bit fuzzy, but it is becoming increasingly well-defined. Common approaches and methodologies have begun to emerge, which are reflected in these practice aids. A good starting point for understanding this process I’ve laid out is the first practice aid, the General Work Program (form ADM-1). All the other practice aids are just footnotes to this General Work Program, providing more structure and detail to the overall process. The practice aids are integrated to provide a consistency of approach for all the main phases in the internal control assessment: planning, documentation, testing, and reporting.

As I worked on this project and started to define what I thought was an effective and efficient process for SOX 404 compliance, I made some choices about the process that should be explained. First, at each phase of the project, the project team basically does two things:

1. They gather information, and then
2. They assess that information, pull it together to form a reasoned, supportable conclusion.
Most of these practice aids are designed to help in information gathering, and what I’ve tried to do is find ways to structure the presentations of that information so you can understand what it means.

Second, in the area of testing, I believe that the most successful SOX projects have been the ones where project teams have been actively engaged with operating personnel to discover “what really goes on” at the company. I’ve spoken with project team leaders and seen work programs that describe a testing approach that seems too hands-off to me. I’m concerned about the quality of the conclusions reached by a project team that relies primarily on a discussion with a single individual, or the reading of a document, or the observation that a code of conduct has been posted to the company intranet to draw conclusions about control design or operation. You’ll see that the testing process I’ve laid out is much more involved and requires the project team to be more active—asking multiple questions, making observations, corroborating single instances of control compliance until a clear pattern emerges.
To use these practice aids as they were intended, I think it might also be helpful if I
shared my basic principles for design. Over the years, I’ve worked with a number of certified public accountants (CPAs) who perform the same types of tasks required of a SOX
404 engagement. I’ve observed many, many instances where auditors have equated their
work with the documentation of the work. If the subject matter of their tests is quantitative,
this relationship holds true. For example, if an auditor is asked to test the accuracy of
recorded interest expense, he or she would make a calculation of the expected expense
(using average loan balance, the interest rate, etc.) and compare that expectation to the
recorded amount. The auditor would then prepare a worksheet to show the calculation
and the comparison. The process of doing the work—pushing around numbers to make a
calculation—is the same as the documentation of the work.
This equality between work and work product is not true when dealing with subjective
subject matters—such as internal control—where the primary tests are inquiry, observation, and analysis. Under these circumstances, if we put a checklist in front of someone, they too often believe their task is to complete the checklist. They focus their energy
on filling out the checklist. This approach is misguided. The task is to gather and assess
information and draw a supportable conclusion. The checklist is there to aid in their information gathering and assessment and to document conclusions. The checklist is only a
means to an end, not an end in itself.
These practice aids are designed to be work product, a culmination of the work performed. To reinforce that idea, you’ll see that the forms and checklists are addressed from
the project team member to an audience of reviewers such as project team leaders, senior
management, or the external auditors. They are designed to have the project team members “fill in the blank” about
• The work they performed
• What they observed, or the results of their tests
• What they concluded based on their observations or the results of the tests
By writing the forms in this fashion, I hoped to remind the project team member that completing the checklist is not the primary objective.
Preceding each form is a brief set of instructions on how to complete the form. These
instructions are addressed from me to the project team. These instructions are not
intended to be included in your final work product. These instructions provide reference to
Securities and Exchange Commission (SEC) rules, Public Company Accounting Oversight Board (PCAOB) standards, and other guidance, but they do not summarize or explain
these requirements. These practice aids are intended to supplement the guidance you
already have on SOX 404, and to the extent that questions arise about the information
required to complete a form (e.g., “what is a material weakness?”), you should turn to
those other sources of guidance.
Working on this book has forced me to clarify my own thoughts on what project
teams should do to comply with SOX 404. By refining the 404 compliance process and
creating this integrated tool set, I hope I have helped to make the process repeatable and
therefore more efficient and effective. Postimplementation, this is the most immediate
challenge we face.
Other challenges are still to come. These are for another day, perhaps another book.
Enjoy!
Michael Ramos
October 2004



Acknowledgments

TECHNICAL ADVISORY BOARD
This book was written with the assistance of several individuals and their firms, who provided financial support, input, and feedback during the lengthy development of these
materials. I am very grateful to the following individuals and their firms for their generous
support and encouragement.
The members of the Technical Advisory Board are:
John Compton
Partner

Cherry Bekaert & Holland, LLP

Michelle Thompson
Partner
Cherry Bekaert & Holland, LLP

Krista M. Kaland
Partner, Director of Assurance Services
Clifton Gunderson LLP

Ronald P. Pachura
Business Risk Services Practice Director
Clifton Gunderson LLP

Michael C. Knowles
Partner
Frank, Rimerman & Co.

Randy von Feldt
Senior Manager
Frank, Rimerman & Co.

I would like to thank Ginny Carroll for her fine attention to detail and the significant
improvements she made to the overall readability of the book. A sincere thanks also to
the staff at North Market Street Graphics for all their hard work during the production
process.
Finally, I would like to thank John DeRemigis and Judy Howarth for their encouragement and patience in the development of these materials.








PART I

Tools for Management



ADM-1

General Work Program
PURPOSE
This form has been designed to
• Facilitate the organization of an efficient process for evaluating the effectiveness of the
company’s internal control
• Help ensure that the company’s assessment of internal control effectiveness contains all
elements required by paragraph 40 of PCAOB Auditing Standard No. 2
• Facilitate an external auditor’s understanding and evaluation of the company management’s process for assessing the effectiveness of the company’s internal control over financial reporting

INSTRUCTIONS
Use this form to guide the design and performance of the company’s project to assess
internal control effectiveness. As each step in the program is completed, the person responsible for performing that step should put his or her initials and the date in the indicated column on the worksheet. If the step is not applicable, indicate that by noting “N/A.” Use the
“Notes” column to cross-reference to where the performance of the procedure is documented or to make other notations.

Notations in italics are additional instructions to the preparer of the form and should be
removed before the form is considered final.

ASSESSMENT OF INTERNAL CONTROL EFFECTIVENESS
GENERAL WORK PROGRAM
Company: ______________________

Reporting Date: ______________________

Prepared by: ____________________

Date Prepared: _______________________

This form summarizes the procedures we performed to document, test, and report on the
effectiveness of the company’s internal control over financial reporting.


Worksheet columns: Procedure | Performed (N/A / Performed by / Date) | Notes

Project Planning

1. Form the project team. Consider both internal and external resources and the expertise needed to successfully complete the project, including IT expertise.
   a. Determine the extent to which management intends to have the external auditors rely on the work of the project team in their audit of the company’s internal control. For each project team involved with those areas
      i. Assess its competency.
      ii. Assess its objectivity.
   [Consider using form ADM-2, Project Planning Summary, to document the performance of this step.]
2. Determine the nature of the internal control services, if any, that the company’s external auditors will provide or have provided to the company during the current audit period.
   a. If the external auditors have provided internal control services to the company, obtain approval of the board and determine that this approval has been documented in the minutes.
3. Gather current information relevant to the internal control assessment and make this available to the project team members to allow them to better plan the project.

Determine Project Scope

[For all steps listed in this subsection, related to project scope, consider using form ADM-2, Project Planning Summary, to document the performance of the step.]

4. Entity-level controls
   a. Identify entity-level controls required to be documented, evaluated, and tested according to PCAOB, SEC, or other authoritative standards.
   b. Identify other entity-level controls designed to meet significant control objectives.
5. Centralized processing and controls
   a. Identify all centralized processes and controls, including shared service environments, that affect the relevant assertions of significant accounts and disclosures.
6. Activity-level controls
   a. Identify the significant accounts and disclosures within the financial statements.
   b. For all significant accounts identified in step 6a, identify the relevant assertions.
   c. For all significant accounts identified in step 6a, identify the major transactions affecting these accounts. Separately identify
      i. Routine transactions
      ii. Nonroutine transactions
      iii. Estimates