Problem 2.
Using Wikipedia, look up the entry for Sarbanes-Oxley Act. Look over the table of contents and find the section that describes Section 404 and give it a read. Based on your textbook reading and Wikipedia review, briefly respond to the following. What does Section 404 require of management’s internal control report?
Sarbanes-Oxley Section 404: Assessment of Internal Control
The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting (ICFR). This is the most costly aspect of the legislation for companies to implement, as documenting and testing important manual and automated financial controls requires enormous effort. It requires management to:
· Assess both the design and operating effectiveness of selected internal controls related to significant accounts and relevant assertions, in the context of material misstatement risks;
· Understand the flow of transactions, including IT aspects, in sufficient detail to identify points at which a misstatement could arise;
· Evaluate company-level (entity-level) controls, which correspond to the components of the COSO framework;
· Perform a fraud risk assessment;
· Evaluate controls designed to prevent or detect fraud, including management override of controls;
· Evaluate controls over the period-end financial reporting process;
· Scale the assessment based on the size and complexity of the company;
· Rely on management's work based on factors such as competency, objectivity, and risk;
· Conclude on the adequacy of internal control over financial reporting.
SOX 404 compliance costs represent a tax on inefficiency, encouraging companies to centralize and automate their financial reporting systems. This is apparent in the comparative costs of companies with decentralized operations and systems, versus those with centralized, more efficient systems.