is a great time to learn from the larger companies who have
already filed and exceeded their budgets. For the companies
that have already filed, there are lessons to be learned that can
help save money in year two and beyond.
A typical Section 404 project incurs six major costs:
1. Business process documentation labor — mostly the flowcharting of processes that directly impact financial statements
and the development of risk and control matrices.
2. Business process testing labor — testing and remediation to
ensure controls are in place and functioning.
3. Information technology (IT) general controls documentation
and testing labor — describing and testing general controls
around IT systems, namely
data centers, computer networks, hardware, and operating systems.
4. The review and edit of
resulting documents — a
quality control process to
ensure appropriate review
of documentation before
5. Documentation and testing
tools — either Web-based
or application software used
to gather and store results of documentation and testing. Treadway Commission (COSO) frameworks, and Public
6. Audit fees — costs incurred for the review of documentation Company Accounting Oversight Board (PCAOB) standards.
produced during the project and the subsequent tests con- ‡Documenters/testers. Documenters interview the process
ducted by auditors. owners, knowledge experts, operations owners, and IT
Within this article are several strategies for managing an applications administrators and recommend operational
effective and efficient documentation project for Section 404 process improvements. Documenters must understand
of Sarbanes-Oxley. The article should not, however, be con- the business processes relevant to the company and
sidered all-inclusive of appropriate procedures and tests to should have communication and flowcharting skills, as
comply with the act. In determining the propriety of any spe- well as internal audit experience.
cific procedure or test, Section 404 project managers should ‡Librarians. By offloading routine tasks from busy employ-apply their own professional judgment and should obtain the ees, documenters, and outside contractors, librarians can
judgment of the company’s external auditors as to the specific save much time in the project. Skills required of librarians
control circumstances presented by the particular environment. include clerical and computer experience.
‡Review committee. The review committee evaluates the
importance of control gaps and decides the extent of remediation required. The committee must have knowledge of
GAAP, the COSO frameworks, and PCAOB standards. Committee members also should have public company U.S.
Securities and Exchange Commission reporting experience.
‡Steering committee. This committee approves the scope,
schedule, and resources dedicated to the project and monitors the project’s progress as reported by the project managers. Some steering committee members may overlap the
review committee. Members of the committee should have
executive-level decision-making, leadership, influence, and
Well-trained documenters will save a lot of time on Section 404 projects. Before preparing any documentation, the
project managers should meet with the documenters to ensure
they understand the project’s scope and know how much detail
to document, and to determine if existing resources are available that can speed the documentation phase. Additionally,
documenters should follow a series of steps — predetermined
by the project manager — to document each process.
STRATEGIZE DOCUMENTATION LABOR
If outsourced, documentation labor will be one of the most
expensive components of a Section 404 project. Therefore, it
is important to correctly identify the roles of everyone involved.
Suggested team roles include:
‡Project manager. Among the project manager’s many
responsibilities are coordinating project efforts and hiring
for other roles. The project manager should have project
and people management experience, audit experience, and
presentation and communication skills, as well as knowledge of generally accepted accounting principles (GAAP),
The Committee of Sponsoring Organizations of the
One way of identifying
relationships is to flowchart each
cycle on a single page using
SELL THE PROJECT INTERNALLY
Without visible support from the top, it is unlikely that employees further down in the organization will participate in the project as actively as needed. One of the best ways to elicit
participation throughout the organization is to conduct kickoff
meetings. After educating the chief executive officer (CEO) and
chief financial officer (CFO) about the requirements of Sarbanes-Oxley, the next step is to speak directly to the CEO’s staff. During these presentations, it is important to emphasize that
Sarbanes-Oxley is a law, and the consequences of noncompliance could harm relationships with customers and vendors
and adversely affect the share price of the company’s stock.
Further down the organization, the project team should educate employees on Sarbanes-Oxley and give them an estimate of
how much time they will spend participating in the Section
404 project. Often, it will be less time than they expect. For example, if there is a separate documentation team, employees will
only be interviewed regarding processes in which they are involved.
These meetings may only take an hour each, and it may require
only two or three of these meetings to document an entire process.
INTERNAL AUDITOR JUNE 2005