Sarbanes-Oxley
Sarbanes-Oxley Ernst & Young Belgium - Sarbanes-Oxley

Evaluating internal controls - Considerations for documenting controls at the process, transaction or application level

The Sarbanes-Oxley Act of 2002 (the Act) makes reporting on internal controls mandatory for SEC registrants and their independent auditors. Section 404 of the Act directs the SEC to adopt rules requiring annual reports of public companies to include an assessment, as of the end of the fiscal year, of the effectiveness of internal controls and procedures for financial reporting. Section 404 also requires the company's independent auditors to attest to and report on management's assessment. The SEC issued its proposed rules in October 2002 and, if adopted as proposed, they will be effective for companies with fiscal years ending on or after September 15, 2003.

Companies should be getting ready now for the comprehensive documentation and evaluation of internal control that will be needed to support management's assessment and the auditors' attestation report. Our publication, Preparing for Internal Control Reporting: A Guide for Management's Assessment under Section 404 of the Sarbanes-Oxley Act (the Guide) (Ernst & Young SCORE Retrieval File No. EE0677), provides a methodology and framework for completing the evaluation.

The methodology outlined in the Guide includes five phases:
  • Understand the Definition of Internal Control
  • Organize a Project Team to Conduct the Evaluation
  • Evaluate Internal Control at the Entity Level
  • Understand and Evaluate Internal Control at the Process, Transaction, or Application Level
  • Evaluate Overall Effectiveness, Identify Matters for Improvement, and Establish Monitoring System

Guidance on the first two phases of the methodology is provided in the Guide. Detailed guidance on the third phase is provided in the Ernst & Young publication, Evaluating Internal Controls: Considerations for Evaluating Internal Control at the Entity Level (Ernst & Young SCORE Retrieval File No. EE0687). We will be providing more information about the overall evaluation (the last phase) in a future publication. This document is a tool to assist management in performing the fourth phase: understanding and evaluating internal control at the process, transaction, or application level.

Internal control at the entity level can have a pervasive influence on internal control at the process, transaction, or application level. However, unlike the evaluation of entity-level controls, documenting and evaluating controls at this detailed level will be far more specific and likely will require significantly more time to complete.

Evaluating process, transaction, or application-level controls provides a good deal of the evidence management will need to support its overall assessment of the effectiveness of internal control over financial reporting. Management will need to consider controls, including information technology (IT) controls, that serve to prevent or detect errors of importance relating to each significant account.

Management also will need to consider controls that address each of the five components of internal control:
  • Control Environment
  • Risk Assessment
  • Information and Communication
  • Control Activities
  • Monitoring

Controls relating to several of these components (control environment, risk assessment, and monitoring) often are at a higher level and must be evaluated carefully to determine whether the controls are sensitive enough to prevent or detect errors of importance or fraud relating to each significant account. Many of the more detailed controls that management will identify to support its assessment will be from the information and communication and/or control activities components and primarily relate to specific processes and applications.

Companies with multiple locations, business segments, or reporting units likely will need to sponsor multiple, concurrent documentation efforts to adequately address all significant aspects of the system(s) of internal control in a timely manner. The broader documentation and evaluation efforts required in these situations make it incumbent on management to invest appropriate time in building a project team, developing an approach for identifying and documenting controls, determining the types and amount of required documentation, training all team members, developing appropriate timelines for completing all phases of the work, and developing appropriate two-way communication plans so all project team members are adequately informed about project requirements and issue management and resolution procedures.

Like our previous publications, this document is designed to assist management in transforming COSO's conceptual framework into a detailed evaluation of internal control over financial reporting. Ernst & Young developed this document based on our extensive knowledge and expertise in evaluating internal controls. While no methodology can consider all possible issues related to an assessment of a company's internal control, we believe this document provides a useful methodology and framework to assist management in its evaluation.


If you have questions regarding Sarbanes-Oxley, please contact:

Inge Boets
Partner
Business Risk Services
Sarbanes-Oxley Contact
+32 3 270 14 65