Section 404 of the Sarbanes-Oxley Act of 2002 (SOX) requires each annual report of an issuer to contain an “internal control report” which shall:
(1) State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) Contain an assessment, as of the end of the issuer’s fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
Management of the issuer should direct its own internal auditor or other qualified third party to perform an audit to determine the adequacy of its system of internal control and its operating effectiveness, separate from the external auditor’s independent assessment. This audit shall provide Management with, and become the basis for, its own disclosures regarding the organization’s system of internal control and financial reporting as required by SOX.
In order for this to take place, an internal control methodology must first be adopted by the organization (the most common standard is that of the Committee of Sponsoring Organizations, COSO, of the Treadway Commission). Under this standard, there are eight major types of control areas which should exist in all effective systems of internal control:
- Internal Environment Controls
- Objective Setting Controls
- Event Identification Controls
- Risk Assessment Controls
- Risk Response Controls
- Monitoring Controls
- Information & Communication Controls
- Business Process Controls
The first seven control areas are generally referred to as “Entity Level Controls” since they represent controls which are generally in place at a higher level within the organization, while the last control area (Business Process Controls) is the most detailed area since it pertains to the day-to-day financial operations of the Company and could have as many as twenty sub-control areas which need to be evaluated. Probably the most critical of these is the organization’s Information Technology (IT) systems and processes. More time and effort is generally expended in this area because almost all financial work today relies on systems to collect, process, analyze and assimilate data. To complicate this further, most companies have anywhere from two to six major system platforms which have to be controlled and audited along with all other IT support mechanisms. This is a massive undertaking, not only for smaller companies but also for those in the Fortune 500.
After an organization has developed its internal control framework and the general internal control mechanisms that it believes should be present in the company, a determination must be made as to whether these controls exist in the first place and, if they do, whether they are working properly. Remediation routines are then performed to repair any existing controls or to implement those that are critical and not currently in place. This is followed by detailed Management testing of the critical controls for operating effectiveness, usually independent of the departmental or process owners who oversee them. Any critical controls which fail in Management testing must be remediated again prior to the end of the issuer’s fiscal or calendar year so that the organization can avoid material weaknesses which may require public disclosure in the external auditor’s SOX opinion.
Finally, Section 404 requires each issuer to disclose whether it has adopted a code of ethics for its senior financial officers and the contents of that code. Realistically this requires establishment of an Ethics Policy or Code throughout the organization and sufficient monitoring and response mechanisms to ensure compliance with the policies. Management must “walk the talk” in Ethics compliance and must establish fair, swift and consistent responses to violations. GTS can help your organization to establish its SOX systems and the associated procedures necessary to ensure compliance at very cost-effective rates compared to Public Accounting firms and our direct competition, third-party consultants.
We provide Section 404 services in the following areas:
- Initial evaluation and solutions development;
- Project management and cost oversight;
- Mapping of COSO to internal control areas;
- Determination of your organization’s current controls related capabilities;
- Determination and remediation of deficient internal controls within each COSO area;
- Testing of Section 404 internal controls;
- Re-remediation, if necessary, of continued deficient controls after initial testing;
- Re-testing of previously deficient controls;
- SAS 70 audits;
- Integration and coordination of work with your external auditors;
- Issuance of an overall internal control assessment to Management;
- Design and development of Ethics programs and related processes; and
- Internal control rationalization within the organization.
Here at GTS we are but a phone call or e-mail away from providing support for all your SOX-related needs, no matter the nature, location or need. We provide highly educated and experienced SOX professionals to perform the work at your site, with management and supervisory support provided under the leadership of our SOX principal (Michael L. Neely CIA, CFE, CBM), who has over thirty years’ financial experience, five of which are in actual SOX implementation leadership positions.
Call today at 804-343-7400 or e-mail Mr. Neely at mneely@GTSnetwork.com. We guarantee it will be the best call you’ve ever made!
GTS Network, Inc. (Your One-Stop SOX Consultant)