Financial Reporting

April 2004

Compliance with Section 404 of the Sarbanes Oxley Act: A Company Perspective

Introduction

The upcoming requirement for public companies, going forward, to report on the effectiveness of their internal control over financial reporting (terms in bold are defined in the Glossary accompanying this communication), and for auditors to report on that assertion and on the effectiveness of internal controls, has raised a lot of questions, such as:

• How do I assess my controls?
• Do I need assistance, or can I do this project internally?
• What can my independent auditor do to help me in this process?
• How much should I document and test?
• How do I make the critical distinctions between control deficiencies, significant deficiencies, and material weaknesses?
• What are my reporting requirements?

The list of questions continues to grow as companies document, assess, and test their controls. As this is the first year of implementing this new requirement, there are both “knowns” and “unknowns,” but the implementation date is approaching, and companies and auditors will need to move forward on a best efforts basis, even in the absence of specific answers to all the questions.

This communication focuses on Section 404 of the Sarbanes-Oxley Act of 2002 (“the Act”) from management’s perspective. It summarizes our current understanding of what the SEC and auditors are likely to expect of companies.

Contents:
Introduction .......... 1
Management’s Report .......... 2
Management’s Project to Comply with Section 404 Requirements .......... 3
Required Management Representations to the Independent Auditor .......... 4
The Scope of the Company’s “Controls Over Financial Reporting” .......... 6
Documenting Controls Over Financial Reporting .......... 8
Management’s Required Assessment of Controls .......... 10
Documenting the Control Environment .......... 11
Information Technology General Controls .......... 11
Extent and Timing of Management Testing .......... 12
Managing the Compliance Costs .......... 17
Concluding Remarks .......... 17
Important References and Company Resources .......... 17
Glossary - The Definition of Key Terms .......... 18
APPENDIX .......... 19

This communication should not be used in lieu of reading Section 404 of the Act, the related SEC rules, and the PCAOB Auditing Standard. Future clarifications or modifications and changes to the SEC rules and PCAOB Auditing Standard may supersede guidance or requirements provided here.

BDO Seidman, LLP noted in our comments on the PCAOB Exposure Draft on auditing internal controls that more guidance is needed to assist companies in defining their responsibilities under the Act. To date, such additional guidance has not been forthcoming. Neither the independent auditor nor the PCAOB can interpret management’s responsibilities under the Act. This needs to come from the SEC.

Issuance of PCAOB Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements, on March 9, 2004, which is subject to SEC approval before it becomes effective, provides some insight into what auditors are likely to “expect” regarding management’s documentation and testing of controls, and thus indirectly creates guidance for management.

This Financial Reporting Letter is based on highlights of existing requirements noted in the Act, SEC rulemaking to date and Auditing Standard No. 2. The PCAOB has formed a Working Party to help identify the myriad of company and auditor issues that arise in the implementation process. Once the Standard becomes effective, the PCAOB may disseminate interpretive guidance on those issues that have been identified. At this time we are not aware of any project of the SEC underway to develop specific implementation guidance for companies. Careful attention to subsequent guidance on company and auditor requirements will be necessary as this new requirement for management and the auditor is implemented.

The process that will take place over the next several months regarding Auditing Standard No. 2 includes the posting of the Standard by the SEC for an exposure period (occurred on April 12). At the conclusion of the exposure period, the Standard, if approved, will be published in the Federal Register. Once published, the Standard will be effective. Implementation guidance should follow the approval by the SEC of the final Standard, and thus may not be available until this summer. We believe there will be a need for clarifying and implementation guidance throughout 2004 and 2005, as more practical issues are identified.

Management’s Report

Top management of public companies (issuers) subject to the Section 404 requirements will be required to include in their annual reports an assessment of the effectiveness of the company’s internal control over financial reporting. This assessment is made “as of” the balance sheet date. If a material weakness is identified as existing at the balance sheet date, it must be disclosed in management’s report.

Management cannot conclude that the company’s internal controls over financial reporting are effective in the presence of one or more material weaknesses.

The format of the report is flexible, in order to permit the most meaningful and relevant reporting for each company, but the following elements are required (See Item 308(a) of Regulation S-B and S-K):

• A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting;
• A statement identifying the framework used by management to conduct the required assessment of the effectiveness of the company’s internal control over financial reporting;
• An assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the company’s most recent fiscal year, including an explicit statement as to whether that internal control over financial reporting is effective; and
• A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management’s assessment of the company’s internal control over financial reporting.

If material weaknesses are discovered prior to the “as of” reporting date, and there is sufficient time for the company to remediate them, they need not be reported as of year-end. However, the company has quarterly certifications it must make to the SEC under Section 302 of the Act, and such identified material weaknesses, even if corrected, need to be reported as a change in controls during the quarter.

If a subsidiary’s financial statements cover a different fiscal period than the consolidated entity, required subsequent events procedures relating to that subsidiary might reveal a material weakness existing at the “as of” reporting date. In such cases, we believe the weakness should be included in the consolidated management assessment for that year.

Significant deficiencies do not need to be publicly reported, but should be evaluated to assess whether, in the aggregate, the identified significant deficiencies constitute a material weakness. The definition of significant deficiency in PCAOB Standard No. 2 sets a threshold that is very low, so many of the deficiencies identified during the testing of controls, absent effective compensating controls to achieve that control objective and related assertion, may rise to the level of a significant deficiency. Note that normal management oversight, and the application of broad analytical procedures such as comparisons to budgeted amounts, are not generally considered adequate compensating controls. If a large number of significant deficiencies are identified, management may conclude that, in the aggregate, they constitute a material weakness.

COPYRIGHT 2004, BDO SEIDMAN, LLP

The identification of a material adjustment to the financial statements of any sort by the auditor as a result of performing the audit of the financial statements is a strong indicator of the existence of a material weakness in company internal controls.

In addition to the required elements of communication, management may wish to communicate additional information in its report. Such information might include disclosures concerning remediated deficiencies, plans regarding new controls, and cost-benefit statements regarding controls (e.g., statements that remediation costs would exceed the benefits of an effective control in a particular circumstance). If management chooses to make such disclosures, the auditor is required to disclaim an opinion on this additional information.

What are the Implications of Reporting that a Material Weakness Exists?

It is only conjecture how many companies will ultimately issue reports indicating one or more material weaknesses. Even after remediation of currently known deficiencies and weaknesses, some estimate the range of between 10 to 20 percent of large established entities will still report the existence of material weaknesses. Some estimates are much higher for the first-time reporting of internal control effectiveness by smaller companies. In small start-up businesses, the rate may be much higher, as effective segregation of duties and the implementation of a formal controls system may be impractical to achieve.

It is not clear how the financial markets will react to reports of ineffective controls. The market generally dislikes “surprises,” like earnings surprises. Conjecture is that larger, more established companies are expected to have more effective controls. If so, reported weaknesses by larger companies may be perceived more severely than those of smaller ones. Only time will tell. This issue will likely be the focus of academic research as companies report under the requirements of the Act.

Even if a company reports a material weakness, if it takes prompt action to correct it, there need be no long range effect on the perceptions of the company, as remediation will indicate a stronger control environment. Over time, it is likely that fewer companies will be reporting weaknesses and thus those that do report them will stand out.

Management’s Project to Comply with Section 404 Requirements

Management may choose to self-manage its required documentation and testing or hire advisors or consultants to assist it in that process. However, the company’s independent auditors or members of their firm are precluded from serving in any role that could compromise the audit firm’s independence in performing their required assessments and procedures. Any permitted internal control related service the independent auditor is engaged to perform must be specifically pre-approved by the audit committee.

It is currently believed that employees of the independent audit firm may be engaged to function as a “scribe” in the documentation of management controls, clearly working under the direct supervision of management. However, such employees should not be involved in any way in directing the documentation efforts or directing which controls are documented or be involved in management’s testing of the controls. To date, many boards of directors and audit committees have hired third party consultants so that independence questions will not arise.

Overview of a Typical Project Plan

A typical company project plan comprises various phases. A commonly encountered series of phases includes:

• Identifying the company individual with overall responsibility for the project (e.g., CFO)
• Identifying the designated project manager and related team members
• Identifying the framework that will underlie the analysis (e.g., COSO)
• Scoping (identifying the accounts, locations and processes) of the engagement for documentation and testing purposes
• Selecting an approach and tools that will facilitate documentation and testing
• Documenting a project plan
• Documenting the relevant controls
• Assessing the effectiveness of controls design
• Testing controls effectiveness
• Communicating issues internally and to the independent auditors as they arise
• Concluding on controls effectiveness

Good Practice. Many companies have benefited from completing an initial “pilot” project focused on selected accounts at one or two selected locations in order to ensure the company’s envisioned process is workable and can be communicated to others, and to ensure that the selected tools are effective for their purpose. This “shake down” phase is where corrections can be made most efficiently before committing to a plan.

In practice, these phases may be blurred, or may be taking place in different locations at different times. Effective scheduling of scarce resources is an important element of project management. As the project proceeds, if deficiencies are identified, a process of remediation and retesting of the effectiveness of the controls takes place.

Throughout the various project stages, the observations of the independent auditor can be helpful, but project management responsibility and project decisions clearly belong to management.

Choosing a Project Manager and Project Team

Whether an internal or external resource, a project manager will need to possess or acquire a strong understanding of:

• The requirements of the Act and the related SEC rules
• Any future interpretations of management requirements under Section 404 by the SEC or PCAOB
• Internal controls as they relate to the financial reporting requirements and processes, and in that regard, an internal controls framework (such as COSO), including the role of control objectives, and the relation of controls to those objectives and relevant assertions such as completeness, existence, etc.
• Information technology
• Complex project management skills

Most projects will require a team of employees to ensure the project has access to the requisite manpower and skills. Organizationally, the project should report to an appropriate level of management such as the CFO. Members of the core team will need to have the ability to obtain access to the information and individuals necessary to complete management’s requirements to assess, document, and test internal controls over financial reporting.

If management believes that the project management and performance cannot be effectively staffed from internal resources, a qualified consultant will need to be engaged, and, if so, the quicker the better. Already, a significant number of companies have engaged consultants and are in the process of documenting their controls. As fewer qualified resources are available to manage and staff such engagements through 2004 and into 2005, the engagement of timely, qualified assistance will become more difficult.

While it is generally not appropriate for the independent auditor to recommend just one specific company advisor, we believe the independent auditor can be helpful in suggesting a number of possible alternatives and in helping management assess the qualifications and technical understanding of a prospective manager. However, management clearly must make the selection.

Hiring a third party consultant does not in itself ensure that the project will be efficient and meet the requirements of the SEC rules. Insightful assessment of the project manager’s qualifications and careful monitoring of the project by management is essential.

Management’s assessment of the project management team’s performance should include continued monitoring of the project progress and meeting of important milestones, and consider feedback from the internal auditor, the independent auditor, as well as other company personnel.

Benefits of Using Internal Auditors or Independent Consultants

In considering the use of a third party consultant to advise, manage, and/or perform procedures, management needs to consider that there may be benefits of engaging internal auditors or a third party consulting resource beyond the obvious desire to leverage their experience and expertise. Since the independent auditor may consider the work of objective and competent “others” (including internal auditors) when determining their required procedures, the use of such resources in the documentation and testing process may result in lower independent auditor costs.

Management’s attitude towards the new requirements may also influence the likely success and ultimate cost of the project. Approaching the Section 404 requirements using marginally qualified resources, and testing to the minimum levels believed possible is a strategy that has hidden costs and pitfalls that can de-rail the process at a late stage, when remediation of weaknesses may be impossible. Therefore, management should approach the project with a positive attitude regarding its possible benefits and should be prepared to devote enough resources to ensure robust coverage. Further discussion of this issue is presented in the section entitled Extent and Timing of Management Testing.

Required Management Representations to the Independent Auditor

In addition to the representations made by management to independent auditors regarding the audit of the financial statements, additional representations regarding the audit of internal controls will be required. Before the independent auditor can issue the two control-related opinions on management’s assessment of the effectiveness of its controls and on the effectiveness of the company’s internal control, the auditor will require certain written representations from management, including the following:

• Acknowledging management’s responsibility for establishing and maintaining effective internal control over financial reporting
• Stating that management has disclosed to the auditor all deficiencies in the design or operation of internal control over financial reporting identified as part of management’s assessment, including separately disclosing to the auditor all such deficiencies that it believes to be significant deficiencies or material weaknesses in internal control over financial reporting
• Stating that management has performed an assessment of the effectiveness of the company’s internal control over financial reporting and specifying the control criteria
• Describing any material fraud and any other fraud that, although not material, involves senior management or management or other employees who have a significant role in the company’s internal control over financial reporting
• Stating that management did not use the auditor’s procedures performed during the audits of internal control over financial reporting or the financial statements as part of the basis for management’s assessment of the effectiveness of internal control over financial reporting
• Stating whether control deficiencies identified and communicated to the audit committee during previous engagements have been resolved, and specifically identifying any that have not
• Stating management’s conclusion about the effectiveness of the company’s internal control over financial reporting based on the control criteria as of a specified date
• Stating whether there were, subsequent to the date being reported on, any changes in internal control over financial reporting or other factors that might significantly affect internal control over financial reporting, including any corrective actions taken by management with regard to significant deficiencies and material weaknesses

The Scope of the Company’s “Controls Over Financial Reporting”

Companies will need to define the scope of what accounts and processes are being included in their assessment, documentation, and testing of internal controls. Auditing Standard No. 2 suggests that there are a number of criteria that could cause a financial statement element, process, or location to be included in the analysis.

• Starting at the consolidated financial statement level, all significant accounts (regardless of whether they are assessed as being high risk). For example, fixed assets are included if they are significant.
• All significant processes. The financial statement closing process (annual and quarterly) is always a significant process. Periodic depreciation and amortization, accruals, and the estimation of allowances such as bad debts will often be significant processes.
• Disclosure controls and procedures. Disclosure controls ensure that the accounting disclosures in the footnotes are complete and accurate.
• All financial statement elements or processes or functions that, due to a risk of misstatement or fraud, could give rise to an exposure or a material misstatement. For example, the trading of currencies or existence of derivative financial instruments could give rise to significant business and disclosure risks that might not always be apparent.

Clearly, most accounts at the consolidated financial statement level and a significant number of processes are expected to be included in the project plan. In some cases, it is easier to think of what may be “scoped-out” of the analysis.

In a multi-location entity, clearly inconsequential locations that are immaterial to say, income or significant account balances, both individually and the aggregate, need not be included in management’s analysis unless a specific risk is identified that relates to one or more of these entities.

Equity method investments, variable interest entities (VIEs), and any proportionately consolidated entities (e.g., this accounting method may be used in the oil and gas industry) where management does not have sufficient access to the entity to extend the controls project to those entities are also “scoped-out.” Management will include in its analysis, however, the company’s controls over information gathering and any controls over significant payments or receipts that involve the scoped-out entity, unless the amounts are clearly immaterial. Management should document the reason for scoping these entities out of its analysis, as auditors will be required to review and concur with this analysis.

We believe that if a company, as a result of its agreement with the VIE, joint venture, or other investment vehicle performs the bookkeeping functions for the investment, it may need to include those functions in its internal control assessments, documentation, and testing.

Companies acquired at or near the year-end are currently required to be included in management’s assessment of controls. This often will create a practical problem when these entities are significant, as there may be insufficient time for management to adequately document and test their controls, and for the auditor to perform the required procedures. Auditing Standard No. 2 indicates that the SEC may be considering a provision that would allow companies to exclude certain year-end acquisitions from compliance with the Section 404 requirements (with some required disclosures). Companies should consider discussing this issue in advance with their independent auditors when year-end acquisitions are foreseeable. Be alert for future SEC rulemaking on this specific issue.

While controls that impact only operations and not the financial reporting process are not generally relevant for inclusion in management’s internal control assessment plan, special consideration may need to be given to issues that may arise in heavily regulated industries. Evidence of failures to meet regulatory and compliance requirements may indicate the need for additional disclosures or could have an impact on the determination of accrual or reserve amounts. Auditors will be reviewing any identified regulatory compliance issues to determine whether there is an impact on the financial statements or disclosures or the effectiveness of internal controls, such as the “tone at the top” within the company.

Common processes, common control environments, and company-wide controls may sometimes provide an appropriate basis for documenting and assessing controls at locations that may aggregate to a material amount, but are not individually material. For example, in many multi-location entities, common control processes have been implemented over significant processes such as sales and accounts such as cash. Various locations may also share common accounting systems.

For some highly decentralized, multi-location companies that do not have common processes and controls, covering all but an immaterial portion of significant accounts and processes of the entity will be difficult to achieve, as the corporate structure may involve the inclusion of hundreds of independent entities. Nevertheless, such companies must develop a basis for their assertion about the effectiveness of internal controls. These situations will need special consideration by management and the independent auditor, and may be an area of future interpretive guidance by the PCAOB.

Good Practice. Companies have found it helpful to prepare a matrix of all accounts at the consolidated level. This matrix helps management identify the significant accounts. The matrix is often expanded to show the breakdown of the accounts by significant location, line of business, or some other division of the entity. This matrix helps management to document its scope and analyze the coverage attained by management’s plan.

A well-designed project plan and a well-documented system of internal controls has value to the entity and the auditor. While the burden that this expected scope of company coverage imparts on management seems significant, the first-time documentation and assessment is the most challenging, and even as systems evolve over time, the experience and insight gained in this initial year of implementation will have future benefits.

Use of Service OrganizationsThe phenomenon of outsourcing

has expanded considerably in the

last decade. Many companies are

surprised when they examine the

extent and variety of the outsourc-

ing that has become an integral part

of their internal accounting and pro-

cessing systems. Functions that

may commonly be outsourced

include payroll processing, network

administration and information

technology management, human

resources, and even the accounting

and transaction recording process

in its entirety.

When a service organization is

used in lieu of an internal process,

management’s responsibility regard-

ing internal control is unchanged,

including the responsibility to

assess, test, and monitor the con-

trols. However, those controls may

be resident in the service organiza-

tion, and management may have

limited access to that entity’s pro-

cessing environment. Nevertheless,

management must satisfy itself that

effective controls are in place over

the transactions processed by the

service organization. This can be

accomplished in different ways.

The auditing profession’s mech-

anism for dealing with this situation

to date has been to have the service

organization engage an auditor to

perform procedures and issue a

report on the controls over process-

ing by the entity. This report is dis-

cussed in Statement on Auditing

Standards No. 70, Service Organiza-

tions. Commonly referred to as a

“SAS 70” report, this document was

designed as an auditor-to-auditor

communication regarding the inter-

nal controls over the processing or

other functions performed by the

service organization. One type of

report only assesses the design of

internal controls over the function

being performed. However, this type

of report will not be useful to meet

the requirements of Section 404.

The reports must address both

design and operating effectiveness

of controls.

Additionally, the SAS 70 reports must be timely to be able to provide assurance to the company's independent auditor. A report dated more than a year before the "as of" date of the company's required report on internal controls provides little evidence of current controls effectiveness. Reports issued nearer the "as of" date of the company's report on internal control effectiveness are stronger evidence of controls effectiveness. Obviously, management must also be assured that the controls and functions reported on by the service organization's auditor are the ones of interest and focus to the company.

When a service organization's auditor report is not available, is not relevant or timely, or does not extend to the operating effectiveness of the controls, management needs to obtain information from the service organization to support its assertion over the effectiveness of company controls. Obtaining access to this information about the provider's processing environment can be difficult, so the issue should be covered in the contractual arrangement between the service organization and the company. It can also be awkward for a service organization with numerous public clients (and auditors), all of whom have need for this information.

COPYRIGHT 2004, BDO SEIDMAN, LLP 7

Page 8: Financial Reporting

It has been observed that the market for service organization auditor reports has changed in recent months. More service organizations are commissioning them, and many more are being scheduled for update every six months or so to accommodate different client fiscal years. The procedures and related testing being performed are also being aligned with the Section 404 requirements.

Even so, there are complex issues that can arise in the current environment that will need to be addressed in future guidance. Current standards regarding service organization reports were developed prior to the Act, and may not fit well in a variety of areas with the current Section 404 environment. For example:

• Can management rely on a service organization auditor's report issued by the company's independent audit firm, since management cannot rely on procedures of the auditor for its assurance? Is the answer different when the service organization has one or a few customers versus thousands of customers?

• Is a service organization's auditor report sufficient when the function outsourced is an important part of the business (e.g., outsourcing the entire IT function or the entire transaction processing function)?

• If a company obtains a service organization's auditor report that covers an important process or function when viewed from the company's perspective, even if not significant to the service organization, must the auditor issuing the service organization report be registered with the PCAOB?

• How will companies obtain a service organization report on processes outsourced to other countries? The concept of such reports is not generally well established outside of the U.S., and the work may need to be performed by an auditor registered with the PCAOB to be acceptable.

These and other issues are likely to be addressed by future guidance. We suggest companies identify these situations early and alert their independent auditors to the issues. Be alert for further guidance or modifications of the professional auditing standards addressing service organizations later this year.

There is one more issue that companies need to consider. Some larger organizations, to meet specific contractual arrangements with other companies, may perform certain record-keeping functions that pertain to another business. For example, some companies may only provide summary reports of the transactions they process and the commissions that are due on those transactions. Such companies may never have considered themselves "service organizations," but the current environment puts them into this role as it relates to other businesses. In such circumstances, the company needs to consider whether it should engage an auditor to issue a SAS 70 report in lieu of receiving substantive inquiries from the company being serviced and its auditors on the relevant underlying controls and their operating effectiveness. Because such arrangements are more likely to involve a single company and may also cover a significant process from the perspective of the company receiving the service, the auditor selected to prepare the report may need to be different from the one used by the company for which the service is performed, and the "service auditor" may need to be registered with the PCAOB.

Documenting Controls Over Financial Reporting

There is no specific format specified for management's documentation. Flowcharts, narratives, and other means may be used to supplement the documentation of controls. Excel, Word, and manual documentation certainly can be used, but special purpose software may help companies consistently document their controls and processes and facilitate updating and version control.

Software

Software packages are in use now, and new ones are continually coming to market to help companies document their controls. The selection of a tool or software program that is appropriate to the entity and its special characteristics, or is tailored to its industry, is itself an important responsibility of project management.

When considering a software package, in addition to price, management should consider the vendor's experience and reputation, recommendations from other users, the ease of learning the software by a possibly wide number of users, and the degree of flexibility and technical guidance inherent in the software's functionality. The ease of updating the data over time and a means of archiving each year's documentation and testing results as support for management's assertion are also considerations when reviewing a package. Management should also consider whether the archiving process results in a record that can be reviewed in the future (giving consideration to likely future advances in technology and how the vendor will ensure the readability of the documentation) as may be required for regulatory or legal purposes.

Methodology

Whether software or another method is used, the documentation methodology will generally start with a control objective. The framework (e.g., COSO) used will provide a starting point for some generic control objectives. These may need to be tailored for certain specific industries such as banking and insurance, and an element of project management will be to obtain information about tailored control objectives that are being used in the industry. The controls that support each objective are then articulated, whether preventive or detective in nature.

Documentation should be in sufficient detail to communicate:

• The design of controls over all relevant assertions related to all significant accounts and disclosures

• How transactions or processes are initiated, authorized, recorded, processed, and reported (in sufficient detail to assist auditors in their required "walkthroughs")

• Points in the process where fraud or error could occur.

The following example illustrates the relationship between control objectives, risks, controls, and related assertions for one risk relating to a control objective.

Example: Payroll / Human Resources Cycle

Process: Payroll Processing
Control objective: Salaried payroll is processed accurately and completely
Risk: Incorrect amounts are paid to salaried employees

Control activities and the assertions they address:

1. Time records are reviewed and approved by each department head.
   Assertions: Existence; Accuracy (Accuracy is an element in the broader assertion of Valuation and Allocation)

2. Independent calculations of expected payroll (i.e., month-end balance + additions +/- changes - deletions) are compared to actual.
   Assertions: Accuracy

3. Actual payroll is compared to budgeted amounts.
   Assertions: Completeness; Accuracy

Etc.


Good Practice. While truly redundant controls do not need to be documented, it may be prudent to do so during the initial documentation process, even if they are not scheduled for testing. This information may be useful if testing later reveals the primary control to be less than effective. The identified redundant control may then be tested as a "fall back" compensating control.

The documentation should relate the controls (or the identified process) to the relevant financial statement assertions (e.g., completeness, existence, valuation and allocation, rights and obligations, and presentation and disclosure) to ensure the controls fully address the control objectives. While the aforementioned are the specific assertions named in Standard No. 2, the use of other, functionally equivalent assertion identification methods continues to be appropriate.

Quality documentation that follows this approach will make a clear record of the controls in place and assist management and auditors in identifying the controls to test. It will facilitate the auditor's understanding and assessment of the company's controls as well as contribute positively to the auditor's assessment of the adequacy of management's process.

Good Practice. While not required of management, the auditor is required to "walk through" significant controls and processes to confirm management's documentation. It is recommended that management objectively "walk through" its descriptions of its controls in advance to ensure that the documentation is accurate and complete.

Failure to adequately document controls and relate internal controls to a framework, control objectives, and assertions is a deficiency that can rise to the level of a material weakness, depending on the extent of the deficiency.
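As an added example (not the letter's own tooling or any vendor's package), the following Python script holds the payroll example above as a small control matrix and checks what this style of documentation is meant to make visible: relevant assertions with no documented control, documented controls that were never tested, and assertions whose primary control failed testing together with the redundant controls documented as "fall back" candidates. The matrix rows, the "tested" results, the list of relevant assertions, and the fourth control (a payroll register to HR master file reconciliation) are constructed for illustration.

```python
"""Coverage check over a control matrix (added example, not from the page).

Each row records one control activity with the process, control objective,
risk and financial-statement assertions it addresses, in the layout of the
payroll example. The sample matrix and test results are constructed.
"""
from collections import defaultdict

PROCESS = "Payroll Processing"
OBJECTIVE = "Salaried payroll is processed accurately and completely"
RISK = "Incorrect amounts are paid to salaried employees"

# Constructed sample matrix. 'primary' marks the control management relies
# on; 'tested' holds the operating-effectiveness result (None = not tested).
CONTROL_MATRIX = [
    {"process": PROCESS, "objective": OBJECTIVE, "risk": RISK,
     "control": "Time records reviewed and approved by each department head",
     "type": "preventive", "assertions": {"Existence", "Accuracy"},
     "primary": True, "tested": "fail"},
    {"process": PROCESS, "objective": OBJECTIVE, "risk": RISK,
     "control": "Independent calculation of expected payroll compared to actual",
     "type": "detective", "assertions": {"Accuracy"},
     "primary": False, "tested": None},
    {"process": PROCESS, "objective": OBJECTIVE, "risk": RISK,
     "control": "Actual payroll compared to budgeted amounts",
     "type": "detective", "assertions": {"Completeness", "Accuracy"},
     "primary": True, "tested": "pass"},
    {"process": PROCESS, "objective": OBJECTIVE, "risk": RISK,
     # constructed redundant control, not one of the page's three
     "control": "Payroll register reconciled to HR master file of active employees",
     "type": "detective", "assertions": {"Existence"},
     "primary": False, "tested": None},
]

# Assertions management has judged relevant for this process (constructed).
RELEVANT_ASSERTIONS = {"Existence", "Completeness", "Accuracy",
                       "Presentation and disclosure"}


def controls_by_assertion(matrix):
    """Index the matrix so each assertion can be traced to the controls
    documented against it."""
    index = defaultdict(list)
    for row in matrix:
        for assertion in row["assertions"]:
            index[assertion].append(row)
    return index


def uncovered_assertions(matrix, relevant):
    """Relevant assertions with no documented control at all: a design gap
    that no amount of testing closes."""
    return sorted(relevant - set(controls_by_assertion(matrix)))


def untested_controls(matrix):
    """Documented controls (including redundant ones) with no test result."""
    return [row["control"] for row in matrix if row["tested"] is None]


def fallbacks_needed(matrix):
    """Assertions whose primary control(s) all failed testing, mapped to the
    documented redundant controls that could now be tested as a fall-back."""
    needed = {}
    for assertion, rows in controls_by_assertion(matrix).items():
        primaries = [r for r in rows if r["primary"]]
        if primaries and all(r["tested"] == "fail" for r in primaries):
            needed[assertion] = [r["control"] for r in rows if not r["primary"]]
    return needed


if __name__ == "__main__":
    print("No control documented for:",
          uncovered_assertions(CONTROL_MATRIX, RELEVANT_ASSERTIONS))
    print("Documented but untested:", untested_controls(CONTROL_MATRIX))
    for assertion, fallbacks in fallbacks_needed(CONTROL_MATRIX).items():
        print(f"Primary control failed for {assertion}; "
              f"fall-back candidates: {fallbacks or 'NONE'}")
```

Run as written, the script reports that nothing is documented for "Presentation and disclosure", that two redundant controls were never tested, and that the failed time-record approval leaves "Existence" dependent on the reconciliation documented as a fall-back. Had that fourth control not been written down during initial documentation, the failure would have left the assertion with no tested control at all.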

Retaining Management's Basis for Their Assertion

The management assessments, documentation of the controls, and the results of management's tests that form the basis of management's assertion regarding controls should be archived annually and retained in a retrievable form for a period of time to meet regulatory and legal requirements. We believe this is consistent with the existing general requirement that companies retain documents supporting information in SEC filings and the SEC requirement that companies maintain adequate books and records.

Management's Required Assessment of Controls

Auditors will be anticipating that management's process for assessing the effectiveness of the company's internal control over financial reporting will address the following elements:

• Determining which controls should be documented and tested, including controls over all relevant assertions related to all significant accounts and disclosures in the financial statements. Such controls would include:

1. Controls over initiating, authorizing, recording, processing, and reporting significant accounts and disclosures and related assertions embodied in the financial statements.

2. Controls over procedures used to enter transaction totals into the ledgers and the general ledger.

3. Controls over the selection and application of accounting policies.

4. The design and implementation of antifraud programs and controls.

5. Controls over the quarterly and year-end closing process (for example, consolidation adjustments and eliminations and reclassifications).

6. Controls, including information technology general controls, on which other controls are dependent. For example, the integrity of financial systems is potentially impaired when systems security is inadequate.

7. Controls over significant non-routine and non-systematic transactions, such as accounts involving judgments and estimates and the recording of such adjustments.

8. Controls over the safeguarding of assets: either preventive or detective controls to guard against financial statement misstatement due to loss or theft.

9. Company-level controls, including the control environment, the risk assessment process, centralized processing and controls, and controls over the period-end (quarterly and annual) financial reporting process.

• Assessing the risk that a control's failure could lead to a material misstatement.

• Evaluating the design and operating effectiveness of the controls.

• Determining whether any identified deficiencies in internal control constitute significant deficiencies or material weaknesses.

• Communicating any findings to the auditor and others.

Documenting the Control Environment

An important element of the COSO framework is the control environment. It comprises a number of overarching components, including:

• Integrity and Ethical Values

• Management Philosophy and Operating Style

• Assignment of Authority and Responsibility

• Governance – Board of Directors and the Audit Committee

• Commitment to Competence

• Organizational Structure

• Human Resource Policies and Practices

While these are subjective elements, management must assess them and document how the company has addressed each one. Since the auditor must also assess these factors, good documentation will facilitate the auditor's review.

Auditing Standard No. 2 clarified the importance of the effectiveness of the audit committee within the context of overall corporate governance. Specifically, it is expected that management will make and document an assessment of the effectiveness of the audit committee. In making this assessment, companies will generally review the committee's charter and examine the members' independence from management and their interactions and relations with the internal auditors, the CFO, the CEO, and the independent auditors.

Management probably already has many of the components to begin the documentation of the control environment. Charters of the board and audit committee, a corporate ethics or code of conduct policy, and the human resources policy and procedures manual are often essential elements of the documentation process.

Anti-fraud programs and procedures are also an element of the control environment. An exhibit published with the recent auditing standard on fraud (SAS 99, Consideration of Fraud in a Financial Statement Audit) entitled Guidance to Help Prevent, Deter, and Detect Fraud included recommendations to help companies develop and implement anti-fraud programs and procedures. For some companies, those programs may already be well documented due to their recent implementation.

Contributing to the current focus on fraud in financial reporting are the instances of management's override of existing controls that have come to light in recent years. In assessing the control environment, fraud prevention programs, and the operating effectiveness of controls, management should be particularly sensitive to any instances where an override of controls is indicated. Auditors will be alert to any instances identified and to the corrective actions taken by management to address the issue.

Good Practice. The testing and monitoring of these programs to provide the support for management's assertion that these controls are operating effectively will be challenging, as the assessment of their effectiveness is largely subjective. However, some best practices evolving to date regarding testing and monitoring the effectiveness of corporate policies involve interviews or questionnaires with a sample of management and non-management employees that focus on their awareness of the policies and their perceptions of compliance with, and management's attitude towards, corporate policies and procedures.

Information Technology General Controls

IT general controls are intended to establish a framework of control over all aspects of computerized processing, and therefore will affect many applications. General controls also provide assurance about the effective operation of the controls throughout the period. For reliance on the automated operation of controls over routine transaction processing, these controls need to be in place and effective.

While defined differently in various resource materials, general controls cover the following areas:

• IT control environment

• Systems development and implementation

• Program changes

• Access and security

• Computer operations (scheduling, daily backup, day-to-day issue management, etc.)

General controls over the information systems (IS) organization and division of duties are designed to ensure that the IS organization meets the needs of the company, is responsible to management, and that adequate segregation of duties is maintained within the IS organization.


Not all of the elements of general controls will be relevant to every company. For example, if no new systems are being implemented or if there are no customizable software options, controls over systems implementation and program changes may not be relevant in a reporting period. Note, though, that vendor patches and configuration changes to packaged software are themselves program changes, so this exception is a narrow one.

IT professionals and organizations have developed detailed frameworks of the controls environment, which may help management define appropriate control objectives for controls, including general controls. For example, the Information Systems Audit and Control Association (ISACA) has developed an IT controls framework, COBIT. Also see IT Control Objectives for Sarbanes-Oxley – A Discussion Document, www.itgi.org and www.isaca.org. However, these frameworks may be more complex and detailed than currently envisioned as necessary to meet the requirements of Section 404, and may be primarily useful as company background resource material.

Some IT professionals note that weaknesses in access and security controls are a widespread problem for many companies. Careful remediation of weaknesses should permit reliance on the general controls and reduce the level of testing required on the controls that rely on general controls to operate effectively. Remediation needs to be completed early enough in the year for the remediated controls to operate, and be tested, for a sufficient period before the "as of" date.

In established companies, "legacy" systems implemented long ago may still perform critical processing procedures and implement significant controls. These systems may have a long history of perceived effective operation, but may lack robust documentation. Management should nevertheless document the system and test the embedded controls as a basis for their assertion on the effectiveness of internal controls. It may be impossible in some instances to go backwards in time to assess the initial implementation process over such systems, but the related application controls over the processing of significant transactions should be tested on an annual basis.

Information technology professionals are key in today's environment in ensuring the effective operation of general controls. Management must assess its general controls. Unfortunately, in many companies the individuals with the extensive information technology skill sets required to understand and test these controls may be limited to the individuals already performing the controls. Thus, many companies may be forced into a "self-assessment" process when assessing, documenting, and testing these important controls, and little or no independent auditor reliance will be able to be placed on management's tests.

Multiple significant deficiencies identified in company general controls will often lead to a conclusion that a material weakness exists in the internal control, due to the pervasive role of general controls.

Extent and Timing of Management Testing

Management and the auditors are required annually to monitor and test the controls over significant accounts and processes as well as general controls. BDO Seidman's comment letter to the PCAOB outlined our recommendation that companies be given guidance by the SEC on the nature and extent of required documentation and testing. Neither the PCAOB nor the individual auditing firms can specify the company's responsibility to meet the requirements under Section 404 of the Sarbanes-Oxley Act.

In the absence of further company guidance from the SEC, the determination of the sufficiency of testing rests initially with management. However, the judgments of independent auditors regarding the adequacy of management's assessment will be guided by Standard No. 2, so management needs to consider the guidance in Standard No. 2 when developing their plans. The following guidance is directed at helping companies understand the judgments required, and the implications of those judgments when determining sample sizes. It is focused on company considerations when determining sample sizes for testing manual controls that operate frequently. Many companies are surprised at the number of controls that rely on human (manual) operation, despite the extensive computerization of certain transaction processing operations.

How Much Should Management Test?

In response to issues raised in questions and in speeches, representatives of the SEC and PCAOB have publicly stated that they expect that the company's testing generally will be greater than that performed by the auditor. Auditing Standard No. 2 indicates that management should not consider the required auditor testing as evidence when determining the extent of its own required testing in support of its assertion that its controls are operating effectively. Thus, management's testing should stand alone in providing management with a high level of assurance that its controls are operating effectively.


Companies should plan to test robustly to confirm the effective operation of the controls. Auditors are required by Standard No. 2 to test "a large portion" of the company's operations or financial position to meet their professional responsibility. Our view is that between 60% and 75% of the entity would constitute a "large portion" in this context. This guidance was developed for auditors, not companies. Considering the expectation that management should not test less than the auditor, the targeted testing scope for companies should exceed this range. Management should consider that portions of significant accounts and processes that remain untested, even though they are documented and assessed regarding design, constitute a risk to the company.

Substantially all of the company's relevant controls should be documented as a result of the analysis of significant accounts, processes, and locations. Even though management may have tested a sufficient portion of their controls to constitute a basis for their assertion about controls effectiveness, they may not have tested all controls at all locations. Thus, we recommend that when management does not test all controls and locations, they should develop a testing strategy based on rotation or sampling theory that causes them to visit and test controls at locations that are individually immaterial but may be part of a material aggregate.

Good Practice. To support the auditor's opinion on internal controls, auditors may test any account, process, or location to ensure controls are operating effectively. Management is required to assess, document, and test controls, and to assert their effectiveness throughout the company, except for an immaterial portion. Auditors are not precluded from testing locations or accounts not tested by management. A lack of operating effectiveness identified by tests of significant local controls and asserted "company-wide controls" at one location may call into question the assertion regarding the effective operation of controls at other locations that were not tested by the auditor.

Parameters for Determining Sample Sizes

The following two sections discuss important parameters for determining appropriate sample sizes.

How Effective Do Controls Need to Be?

To be considered effective, a control should operate at a high degree of effectiveness. When a control is first designed, a very high level of "expected" performance is often targeted. In operation, though, controls, particularly manual controls, may not always achieve the targeted performance level. While a goal, perfection is not a realistic expectation for the operation of a manual control. Automated (programmed) controls, as a type of control, are most likely to consistently operate as designed. In many cases, a control that operates correctly 95% of the time would be considered by many to be "highly effective."

How Much Assurance is Needed that the Controls Operated Effectively?

To be certain that the controls operated at the desired effectiveness level, you would need to test most, and maybe nearly all, of the instances of the control's operation. This is not practical, so there is a risk, when sampling is performed, that the testing will not reveal the condition in the true population. This risk is controlled, when determining a statistically supported sample size, by setting a level of required "confidence" for the test. Confidence levels of 90% to 95% are consistent with the high level of assurance that is sought regarding the test's conclusions.

Determining a Sample Size

Sample sizes can be computed by reference to statistical tables or programs that will provide the desired confidence level that the actual rate of deviation in the population does not exceed the tolerable rate (i.e., the greatest deviation rate that management will tolerate before concluding that the control is not operating effectively). There is no requirement to use statistical sampling, but its principles can be helpful when setting sample sizes in articulating the assurance and accuracy of the sample.

For example: a sample designed to achieve a 90% assurance (confidence) level with a high effectiveness requirement (no more than a true deviation rate of 5%) leads to a sample size of 45 items. To achieve a 95% confidence level, the sample would need to be around 60 items. These scenarios assume zero deviations will be identified from testing from a large population. (With zero deviations allowed, the sample size is the smallest n for which (1 - 0.05)^n is no more than 1 minus the confidence level: 0.95^45 is about 0.099, and 0.95^59 is about 0.048.)

With such a sample, the decision rule is simple: if no deviations are found in the sample, the control passes the test. If one or more deviations are found, then the control "fails."

Deviations should always be evaluated for the cause of the deviation. The identified deficiency must also be evaluated for its significance, as a deficiency, significant deficiency, or material weakness.


In general, the required sample size increases when more deviations are expected and also when the tolerable deviation rate is lowered.

Where companies wish to allow for a deviation to occur without "failing" the test, a sampling plan can be developed so the sample size initially allows for one deviation without "failing" the test, or a two-stage plan can be developed such that if a deviation is found in the first sample, an additional sample can be validly added to the first. Since some types of sampling plans allow for an occasional deviation, a deviation may not as quickly be categorized as a significant deficiency based on incidence alone. After a deviation is identified, it is often appropriate for the company to consider whether it needs to strengthen the control before proceeding with any further testing. Of course, if the deviation identified at the first stage indicates a material weakness exists (e.g., management override of controls), then a second stage sample would not be performed.

These plans that allow for the occurrence of one deviation as part of the sampling plan are more efficient than the alternative of taking two full independent samples when unexpected deviations are found. You may wish to consult with your BDO Seidman engagement team to provide you with more detailed, specialized guidance for developing a sampling plan consistent with management's stated objectives.

Illustrative sample size tables that relate confidence levels, tolerable deficiency rates, and expected deficiency rates, and an illustrative two-stage sampling plan (for large populations), are presented in an Appendix to this Financial Reporting Letter.
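The sample sizes quoted above can be reproduced from the binomial distribution rather than read from a table. The following Python script is an added example, not part of the original letter or of its Appendix tables. It assumes the attribute-sampling model (each instance of the control either conforms or is a deviation, drawn from a large population) and the usual acceptance rule: a sample with at most k deviations supports the control when the probability of seeing k or fewer deviations at the tolerable rate is no more than 1 minus the required confidence. The function names are the example's own.

```python
"""Attribute-sampling sample sizes for tests of controls (added example).

Model assumed here: each instance of the control's operation either conforms
or is a deviation, and the population is large enough that the binomial
distribution applies. A sample of n items showing at most k deviations gives
confidence C that the true deviation rate is no more than the tolerable rate
p when P[X <= k | n, p] <= 1 - C.
"""
import math


def _prob_at_most(n: int, k: int, p: float) -> float:
    """P[X <= k] for X ~ Binomial(n, p): the chance that a sample of n items
    drawn from a population with deviation rate p shows k or fewer deviations."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def sample_size(confidence: float, tolerable_rate: float,
                allowed_deviations: int = 0) -> int:
    """Smallest n such that finding no more than `allowed_deviations` in the
    sample gives `confidence` that the population rate <= tolerable_rate."""
    if not 0 < confidence < 1 or not 0 < tolerable_rate < 1:
        raise ValueError("confidence and tolerable_rate must be in (0, 1)")
    n = allowed_deviations + 1
    while _prob_at_most(n, allowed_deviations, tolerable_rate) > 1 - confidence:
        n += 1
    return n


def achieved_confidence(n: int, deviations: int, tolerable_rate: float) -> float:
    """Confidence actually obtained from a sample of n items with `deviations`
    observed that the true rate is no more than tolerable_rate."""
    return 1 - _prob_at_most(n, deviations, tolerable_rate)


def control_passes(n: int, deviations: int, confidence: float,
                   tolerable_rate: float) -> bool:
    """Decision rule: the sample supports 'operating effectively' only if the
    deviations observed still leave the required confidence."""
    return achieved_confidence(n, deviations, tolerable_rate) >= confidence


def two_stage_plan(confidence: float, tolerable_rate: float):
    """First stage sized for zero deviations; if exactly one is found, the
    second stage extends the same sample to the size that tolerates one.
    Returns (first-stage size, additional items for the second stage)."""
    first = sample_size(confidence, tolerable_rate, 0)
    extended = sample_size(confidence, tolerable_rate, 1)
    return first, extended - first


if __name__ == "__main__":
    for c in (0.90, 0.95):
        print(f"{c:.0%} confidence, 5% tolerable, 0 deviations: "
              f"n = {sample_size(c, 0.05)}")
        print(f"{c:.0%} confidence, 5% tolerable, 1 deviation allowed: "
              f"n = {sample_size(c, 0.05, 1)}")
    print("90% confidence, 2% tolerable, 0 deviations: n =", sample_size(0.90, 0.02))
    print("two-stage plan at 90% / 5%:", two_stage_plan(0.90, 0.05))
    print("20 items with 0 deviations at 5% tolerable gives only "
          f"{achieved_confidence(20, 0, 0.05):.1%} confidence")
```

Run as written, the script prints 45 and 59 for zero deviations at 90% and 95% confidence with a 5% tolerable rate (the "around 60" above), 77 and 93 when one deviation is to be allowed, 114 when the tolerable rate is lowered to 2% (both of the effects described above), and a first stage of 45 items plus 32 additional items for the two-stage plan. It also shows why a very small test is hard to defend: 20 items with no deviations yields only about 64% confidence that the deviation rate is at most 5%.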

Tests of Automated Controls

When testing automated (programmed) controls, examining one or just a few instances of the operation of the control is often sufficient. This assumes that the relevant general controls are assessed to be strong. When general controls are less effective, sample sizes tending towards the manual control environment sample sizes should be used if the general controls weakness could impact the reliability of the control being tested. Because of their importance to testing plans for automated controls, general controls should be documented, tested, and assessed as effective at an earlier project stage than the testing of automated controls.

The Risk of Performing Minimal Testing when Setting Company Sample Sizes

When considering the testing requirements, companies need to be cognizant of the risks they face from under-testing. Under-testing exposes the tester to the risk that internal control weaknesses will not be exposed until the auditor tests the control, or in the near or post year-end substantive testing phase or the closing phase of the audit, when such weaknesses are difficult or impossible to correct. Worse yet, such weaknesses, if they exist, could be detected in future periods, raising questions about the adequacy of the work supporting the previously made internal controls assertion. Restatements of financial statements will likely imply that certain controls were not effective in a past period.

Furthermore, since only the important controls are being tested, a deviation identified in a small "minimum sample size" test may quickly rise to the level of a significant deficiency.

Good Practice. We believe that during this period of uncertainty and initial implementation, "minimum" testing could be a very costly strategy for an issuer. Some companies have indicated that they intend to test some controls initially more than 100 times, to form an effective "base line" for any required remediation and further risk assessment. When the company objectively and adequately documents and robustly tests controls, auditors can make meaningful reductions in the test levels they perform. However, companies that have designed "minimum" testing plans will probably incur additional audit costs, as independent auditor sample size reductions will not be supportable.

It is always important to remember that the cost of testing is not only associated with the number of items examined. There is a "fixed" cost of setting up the test in the first place. Additionally, there is a diminishing cost of examining additional items as the tester becomes more familiar and proficient with the procedure. Thus, doubling a sample size from 20 items to 40 will not necessarily double the cost of the test.

Early, robust testing provides an effective "base line" for understanding the state of current controls and identifying remediation opportunities before the auditor begins to evaluate and test.

A Minimum Sample Size?

There is no "bright line" minimum sample size, but companies may have to explain how they have attained a high level of assurance that controls are operating effectively if they are testing very few items (e.g., 20 items or less on an annual basis) for a frequently operating manual control. Twenty items with no deviations found gives only about 64% confidence that the true deviation rate is no more than 5%, well short of the 90% to 95% discussed above.

14 COPYRIGHT 2004, BDO SEIDMAN, LLP


If the auditor concludes that the level of testing by the company is insufficient to enable the company to conclude with a high level of assurance that the controls are operating effectively, the auditor will consider this a deficiency. If deemed serious enough, the issue could be elevated to the level of a material weakness, which would preclude the auditor from concluding that management had an adequate basis for its assertion. The auditor would have to state this in the auditor’s report on management’s process. Obviously, the auditor in this situation would be able to place little reliance on the procedures that the company performed when determining the required scope of the auditor’s procedures.

Independent Auditor Reliance on Testing Performed by Others

It is an auditor judgment as to the extent of reliance that can be placed on company procedures. Unless the auditor is required to rely solely on its own tests in a particular area such as the control environment, the auditor may place significant, little, or no reliance on company tests, depending on the extent of management’s testing and the objectivity and competence of management’s work.

Therefore, the independent auditor can, subject to some limitations, rely on the company’s testing to reduce its own testing that is necessary to issue an opinion on internal controls. However, there are several caveats that are explicit in Auditing Standard No. 2. The auditor must perform sufficient procedures over the control environment to reach conclusions on its effectiveness without reliance on the company’s tests, and the auditor must also perform sufficient procedures so that most of the evidence obtained on which the auditor’s opinion is based is from procedures the auditor performed. Additionally, the auditor must perform tests of controls over highly judgmental areas such as certain allowance and reserve calculations, and can place limited reliance on the tests of others. In other cases, the extent of testing by management and others may be a greater factor to be considered in reducing the extent of auditor procedures. There are obvious cost savings when the independent auditor can rely on company tests to the greatest extent allowed.

In order to consider the testing the company performs, the auditor will need to assess the objectivity and competence of the work performed that supports the company’s assertion of controls effectiveness. The greatest objectivity of company testing may be present when an objective third party or internal auditor performs the tests. When testing using company employees, objectivity can also be improved by testing controls using employees from unrelated functions or different departments. Competence is often assessed by examining the procedures employed, and reperforming some of the procedures. It is further corroborated when the independent auditor tests the control and observes similar results.

However, the auditing standard requires that company procedures that result from a “self assessment” cannot be relied on by the independent auditor. A self assessment is where the employee performing the test of the control is also the employee responsible for the operation of the control. The obvious problem is that in such a case, the objectivity of the employee in selecting the test items or performing the test is questionable. Nevertheless, such tests are acceptable for the company to perform to support its own assertion.

The Timing of Company Tests

The “as of” date of the company’s assertion regarding internal controls is the year-end balance sheet date. Performing significant testing early in the year places great reliance on the continuity of the controls throughout the year. Also, management will need to consider how it will extend the conclusions of its tests performed earlier through year-end by some means (e.g., further testing, observations of control operations, walk-throughs).

Planning to perform tests in each quarter throughout the year is a strategy that some companies are considering for controlling the level of effort expended during the year. However, recall that the cost of performing a test also includes the cost of test set-up, sample selection, and evaluation. Thus, designing numerous small samples is likely to be less efficient than designing fewer larger samples. Other companies are considering testing strategies that concentrate the annual testing in fewer periods, with some testing being performed in the last quarter to extend the earlier conclusions. For example, on a continuing basis the company may plan to test most of its controls during the third quarter, followed by some testing in the fourth quarter.

Another complexity introduced by early period testing is that deviations identified in early testing will still require follow-up to assess their nature and possible extent, and may have implications for quarterly SEC attestations and financial reporting. For example, if an annual sample size of 60 items is split into 4 equal samples per quarter, a deviation found in a sample of 15 items during a quarter may loom larger than if it was the only deviation found in the context of the larger sample.

Good Practice. In this first year of implementation, companies are urged to test controls robustly as soon as possible after the documentation of the controls and assessment of the effectiveness of the design of the controls is made for each significant location, process, etc. This provides the best possibility of identifying documentation and operating problems and remediating them in a timely manner in advance of auditor testing.

Certain controls can only be tested in the timeframe in which they are operating. Quarterly closing controls can only be examined at the interim quarters. Controls over the accrual process, valuation allowance accounts, the year-end closing process, etc. can only be observed and tested during specific periods, which may actually be at or after the “as of” year-end date. In such cases, remediation of deviations is often not possible, so significant attention must be devoted to “getting it right” the first time.

The shortening of the filing deadlines for accelerated filers will exacerbate the problem of focusing attention on the control reporting requirement this year. Any issues arising in this process will likely be identified as significant deficiencies and, more likely, as material weaknesses.

Good Practice. In this first year of implementation, companies may wish to simulate the year-end closing process using their most recent closing process as a reference in order to assist them in the assessment of the design, documentation, and testing that will be required at the next closing date.

Testing Considerations in Other Situations

Modified guidance is needed when testing infrequently operating controls (e.g., daily, weekly, monthly, quarterly). A table of small population sampling guidance is provided in an Appendix to this Financial Reporting Letter.

Judgment needs to be exercised and documented about the extent of reliance being placed on any general controls that are determined to contain significant deficiencies or weaknesses. For example, a weakness in data backup procedures might have no impact on the reliance on certain general controls when testing transaction level application controls. However, weaknesses in program change controls or weaknesses in user access controls might often have a significant impact on automated application control sample sizes.

When examining information technology general controls, the sampling framework is sometimes applicable. For example, one could select a sample of program change authorizations to examine the manual aspects of the process and proper granting of approvals for the change made. On the other hand, the performance of certain regular backup procedures may only need to be corroborated with persons performing the procedures and observed on a surprise basis a few times to confirm their effective operation. In cases where documented evidence of the operation of the control is not generated, such as the physical locking of a room containing sensitive equipment or program information, observation of the operation of the control a few times during the year is a logical procedure.

Final Testing Comments

As the implementation date for expressing management’s assertion regarding internal controls approaches, we hope that further guidance will be forthcoming from the SEC. This interim guidance has been developed to assist companies struggling to document and test internal controls in this period of uncertainty. There are many more subjects relating to the extent of testing (e.g., testing controls over corporate governance) that are not included herein.

Provided that the company determines the approach and criteria it wishes to use for its testing of controls, both initially and continuing, we believe the independent auditor can assist the company, internal auditors, or independent consultants in designing a sampling plan that will meet those criteria. Independent auditors are sometimes more familiar with tables and computer software that can compute a sample size from specific criteria, or develop two-stage sampling plans to meet management’s stated needs.

Good Practice. When the company robustly tests its controls and when the tests were objectively and competently performed, it obtains significant evidence that the control operates as designed and can permit the maximum reductions in procedures by the external auditor. Companies may wish to discuss some of the sample size trade-offs with their independent auditors to better understand how the extent of company testing can result in reduced levels of auditor testing.


Managing the Compliance Costs

Total project costs have two key components – company costs and auditor costs.

Preparing the initial detailed documentation and company testing as a basis for its assertion on the effectiveness of internal controls is a significant effort, particularly in the first year. The extent of effort will depend on the prior extent of controls, their documentation, and effectiveness, and will vary greatly among companies. Early project effort estimates of time and cost to complete the first year of company compliance continue to rise.

Good Practice. Company costs can be best controlled by:
• Assembling the right management team
• Making timely, objective, and critical assessments of potential weaknesses
• Testing robustly, particularly in the first year, to identify potential weaknesses for remediation
• Remediating control weaknesses early in the process
• Preparing documentation that is complete, accurate, and clear

All these elements will facilitate the review by the independent auditor of management’s process and permit the auditor to rely, to the extent possible, on the underlying work supporting management’s assertion regarding controls. They also provide management with the strong foundation to “roll-forward” the documentation into future periods, as well as provide a basis for reducing the extent of future testing and monitoring costs in low risk areas.

Communication between company project management and the independent auditor will facilitate early identification and resolution of issues. Such conversations should include the intended scope of the company’s assessment, documentation, and testing procedures.

When the auditor can rely to the maximum extent permitted by Auditing Standard No. 2 on the work of others underlying management’s assertion, audit costs are reduced. This should be considered when setting out the initial overall project plan.

Companies should be confident that they have adequately fulfilled their responsibilities under the existing rules before indicating to the independent auditors that they are ready to have them perform their required detailed reviews and testing. Once the independent auditor begins work towards issuing an opinion on management’s assertion and internal controls, they will be responsible for evaluating the documentation and testing of management’s data, and are required to assess observed deficiencies in management’s process or execution and communicate significant deficiencies in documentation and testing to the audit committee.

Concluding Remarks

Companies should understand that neither their own project team, their advisors, nor their independent auditor possess all the answers to all the possible issues that will arise in the process of implementing the Section 404 requirements. It is important to make the best efforts possible to comply with the requirements and identify issues where clarification is necessary.

Implementation working groups have been established by the PCAOB to assist in identifying issues arising from the company and auditor perspectives. Current practice has been evolving since the enactment of the Sarbanes-Oxley Act in 2002 and through various exposure drafts of auditor guidance.

Additional guidance is anticipated in 2004 and 2005 that may clarify or modify our understanding of the intent and requirements of the Act and SEC rules as they relate to company responsibilities. We will keep you apprised through various BDO Seidman publications and through communications from your BDO Seidman engagement team as issues are clarified.

Please contact your BDO Seidman engagement team representative for questions that are specific to your company circumstances.


Important References and Company Resources

The COSO Internal Control Integrated Framework. AICPA product order number 990012kk at www.cpa2biz.com

SEC Rules on Section 404 www.sec.gov/rules/final/33-8238.htm

PCAOB Standard No. 2 www.pcaobus.org/rules/Release-20040308-1.pdf

Sarbanes-Oxley Act of 2002. The United States Congress (2002), The Sarbanes-Oxley Act (H.R. 3763). http://www.law.uc.edu/CCL/SOact/toc.html

AICPA Antifraud & Corporate Responsibility Center www.aicpa.org/antifraud/

AICPA Audit Committee Effectiveness Center http://www.aicpa.org/audcommctr/homepage.htm


Glossary - The Definition of Key Terms

“Internal control over financial reporting” is defined by PCAOB Standard No. 2, paragraph 7 and Securities Exchange Act Rules 13a-15(f) and 15d-15(f). The SEC rules use the word “registrant” rather than company.

“A process designed by, or under the supervision of, the company’s principal executive and principal financial officers, or persons performing similar functions, and effected by the company’s board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:
• Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;
• Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
• Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company’s assets that could have a material effect on the financial statements.”

“A control deficiency” (PCAOB Standard No. 2, paragraph 8) “exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
• A deficiency in design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective is not always met.
• A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.”

“A significant deficiency” (PCAOB Standard No. 2, paragraph 9) “is a control deficiency, or combination of control deficiencies, that adversely affects the company’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the company’s annual or interim financial statements that is more than inconsequential will not be prevented or detected.”

The term “remote” as used here has the same meaning as in Financial Accounting Standards Board Statement No. 5, Accounting for Contingencies: “the chance of the future event or events occurring is slight.”

Guidance in PCAOB Standard No. 2 notes that the “inconsequential” threshold references the expectations of a “reasonable person” that any misstatement as a result of a noted deficiency, either alone or in combination with other misstatements, would not be material to the financial statements. Note that in our view this indicates a low threshold for classifying a deficiency as a significant deficiency.

Note: The threshold for a significant deficiency is very low and will likely result in a large number of significant deficiencies being identified by management and the auditor. For example, while specific examples have not been cited, a projected impact of no less than say 5% of financial statement materiality would be a practical rule of thumb for identifying a deficiency as significant, since allowance should be made for the accumulation of such deficiencies before reaching the materiality threshold (e.g., a material weakness). Accumulation of all deficiencies projected to be 1% or more of materiality for consideration as to their nature may be a conservative first year practice.

A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.


APPENDIX – Sample Size Plans

Assurance (Confidence, Reliability) Level – 95%, Large Population

Rows: Expected Deviation Rate (%). Columns: Tolerable Deviation Rate (%). Dashes mark combinations for which no sample size is tabulated.

Expected     .5      1      2      3      5      8     10
0           598    299    149     99     59     36     29
.5            –   1181    313    157     93     58     46
1.0           –      –    590    257     93     58     46
1.5           –      –   2257    392    124     58     46
2.0           –      –      –    846    181     77     46
3.0           –      –      –      –    361     95     61
4.0           –      –      –      –   1348    146     89

Small Population Sample Size Guidance – High Assurance
For Manual Controls Operating Quarterly, Monthly, Weekly, and Daily

Frequency    Sample Sizes
Daily        16 – 25
Weekly       7 – 10
Monthly      3 – 5
Quarterly    2

Companies may wish to initially test controls at the higher end of the range, and reduce testing to the lower end of the range when the effectiveness of the operation of the controls is clear.

Assurance (Confidence, Reliability) Level – 90%, Large Population

Rows: Expected Deviation Rate (%). Columns: Tolerable Deviation Rate (%).

Expected     .5      1      2      3      5      8     10
0           460    230    114     76     45     28     22
.5            –    738    194    129     77     48     38
1.0           –      –    398    176     77     48     38
1.5           –      –   1463    265    105     48     38
2.0           –      –      –    590    105     48     38
3.0           –      –      –      –    233     65     52
4.0           –      –      –      –    873     98     65


Two Stage Sampling Plan – Decision Rules and Plan

Two Stage Sampling Plan – Decision Rules

           No Deviations   One Deviation   Two or More Deviations
Stage 1    Pass, Stop      Go to Stage 2   Fail
Stage 2    Pass            Fail            Fail

Two Stage Plan Sample Sizes – Large Population

Confidence %   Tolerable Deviation Rate (Maximum Allowed) %   Stage 1 Sample Size   Stage 2 Sample Size
95             5%                                              65                    42
90             5%                                              51                    39
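As an added example that is not part of this letter or any BDO material, the Python below computes attribute sample sizes using a binomial construction rule assumed here (the smallest sample whose allowed deviation count, taken as the expected rate times the sample size rounded up, would be unlikely if the true rate equalled the tolerable rate); that rule reproduces entries such as 59, 29, 313 and 157 of the 95% table above. It also applies the two-stage decision rules and pass probability from the tables, and quantifies the earlier timing point that one deviation in a 15-item quarterly sample looms larger than one in the full 60-item annual sample.

```python
import math


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p), accumulated term by term so that
    sample sizes in the thousands need no large binomial coefficients."""
    if p <= 0.0:
        return 1.0
    if p >= 1.0:
        return 1.0 if k >= n else 0.0
    term = (1.0 - p) ** n  # P(X = 0)
    total = term
    for i in range(k):
        term *= (n - i) / (i + 1) * p / (1.0 - p)  # P(X = i + 1) from P(X = i)
        total += term
    return total


def sample_size(expected_rate, tolerable_rate, confidence, max_n=5000):
    """Smallest n such that, were the true deviation rate equal to the tolerable
    rate, finding no more than the expected number of deviations would have
    probability at most 1 - confidence.  The allowed count is taken as
    ceil(expected_rate * n): an assumed construction rule, not one the letter states."""
    alpha = 1.0 - confidence
    for n in range(1, max_n + 1):
        allowed = math.ceil(expected_rate * n - 1e-9)  # epsilon absorbs float noise
        if binom_cdf(allowed, n, tolerable_rate) <= alpha:
            return n
    raise ValueError("no sample size up to max_n meets the criteria")


def upper_deviation_bound(n, deviations, confidence, tol=1e-7):
    """One-sided upper confidence bound on the true deviation rate after seeing
    `deviations` in n items: the smallest rate at which a result this good had
    probability <= 1 - confidence.  Bisection works because the CDF falls as p rises."""
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if binom_cdf(deviations, n, mid) <= alpha:
            hi = mid
        else:
            lo = mid
    return hi


def two_stage_decision(stage1_deviations, stage2_deviations=None):
    """Decision rules from the Appendix table: 0 deviations in stage 1 passes,
    2 or more fail, 1 goes to stage 2, where only 0 further deviations passes."""
    if stage1_deviations == 0:
        return "pass"
    if stage1_deviations >= 2:
        return "fail"
    if stage2_deviations is None:
        return "go to stage 2"
    return "pass" if stage2_deviations == 0 else "fail"


def two_stage_pass_probability(n1, n2, deviation_rate):
    """Probability the plan passes a control whose true deviation rate is
    deviation_rate: stage 1 clean, or exactly one stage-1 deviation then a clean stage 2."""
    q = 1.0 - deviation_rate
    return q ** n1 + n1 * deviation_rate * q ** (n1 - 1) * q ** n2


if __name__ == "__main__":
    for pe, pt in ((0.0, 0.05), (0.005, 0.02), (0.01, 0.03)):
        print(f"expected {pe:.1%}, tolerable {pt:.0%}, 95% assurance: n = {sample_size(pe, pt, 0.95)}")
    # The timing example: one deviation in a 15-item quarterly sample versus one in 60.
    for n in (15, 60):
        print(f"1 deviation in {n} items: 95% upper bound on the true rate = {upper_deviation_bound(n, 1, 0.95):.1%}")
    print(f"65/42 plan passes a control deviating at the 5% tolerable rate with probability "
          f"{two_stage_pass_probability(65, 42, 0.05):.4f}")
```

The 65/42 and 51/39 plans pass a control deviating at exactly the 5% tolerable rate with probability just under 5% and 10% respectively, which is what the 95% and 90% confidence labels in the table mean.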

The COSO Internal Control Integrated Framework

This framework was developed by the Committee of Sponsoring Organizations of the Treadway Commission and was published in 1992. It was an outgrowth of the Commission on Fraudulent Financial Reporting studying fraudulent financial reporting. The focus of the Act is internal control over financial reporting.

The basic framework consists of five integrated components, which should be considered as a whole when evaluating the effectiveness of internal control.
• Control environment. This element is the “base” of the framework and includes senior management setting an appropriate “tone at the top” regarding controls and fraud prevention.
• Risk assessment. Companies must identify risks that their control objectives might not be satisfied, and develop responses to manage these risks.
• Control activities. These constitute the “nuts and bolts” of the company’s controls including the implementation of effective general and application controls.
• Information and communication. This element is essential in providing management with the timely and relevant information needed for effective company management, risk identification and developing effective reporting, including disclosures.
• Monitoring. To ensure effective controls, they need to be monitored on a continuing basis. Monitoring may include inquiries, observations, management oversight and review and testing the effectiveness of controls.

The framework is flexible, and requires adaptation to specific industries or types of business organizations.

Material discussed in this Financial Reporting newsletter is meant to provide general information and should not be acted upon without first obtaining professional advice appropriately tailored to your individual facts and circumstances.