RE: Sarbanes-Oxley 404 Project Information (LONG)

Subject: RE: Sarbanes-Oxley 404 Project Information (LONG)
From: "Lisa Wright" <liwright -at- earthlink -dot- net>
To: "TECHWR-L" <techwr-l -at- lists -dot- raycomm -dot- com>
Date: Wed, 10 Mar 2004 15:23:08 -0800

Good question! I'll try to answer. Note that where I say "controls" I'm
talking about internal controls that the company exercises.

Controls are basically checks that companies put in place to ensure that
fraud is not likely to take place such that financial statements could be
"materially" affected.* The idea is to prevent the Enron, Tyco, Qwest types
of misstatements that went on. For example, if the sales department claims
$4 million in new contracts during a financial quarter, then part of the
process of preparing the financial statements might be that the internal
audit department compares actual signed sales documents to the claims. The
comparison is the "control" that ensures the financial statements are
accurate. Different areas of financial statements can present different
risks, and different controls are needed to mitigate those risks.

Companies can have "Operational" controls such as standard operating
procedures, checklists, and so on, but Sarbanes is concerned with
"Financial" controls. Financial controls can reside in IT systems (e.g., one
person can create Journal Entries in the General Ledger system, but a
different person must post the entries); they can be approvals to incur
expenses; they can be audits of revenue, etc. Words that signal control are
things like "review," "audit," "verify," "count," etc.

Controls can PREVENT fraud, or they can DETECT fraud at a later date. If
approved invoices are filed, the filing creates a DETECTIVE control because
I can go back into the physical documents later and detect something.
Controls can also be manual or automatic (system). The type of control
determines the extent of testing that must take place to determine if the
control is effective. Controls performed by humans must be tested more
thoroughly than controls that are enforced in a computer system.

Part of the initial SOX effort for most companies is determining whether
controls are effective. Controls that are not effective need to be
remediated. If the outside auditors come in and determine a control is not
effective, they may give an adverse opinion, which must be included in the
financial statements and will not be looked upon kindly by analysts and
investors. Companies that resist change may experience problems in this

There are several types of Financial assertions: Completeness (did I report
all sales), Accuracy (did I accurately report all sales), Valuation (did I
count and value my inventory correctly), Existence / Occurrence (I'm not
clear on how this is different from completeness), Rights & Obligations (did
I report all property ownership or all debt), Presentation & Disclosure (did
I accurately represent all information and risks). A control can address
any/all of these. Management is responsible for ensuring the effectiveness
of the controls.

Hope this helps. This is a complex topic that I am only starting to
understand, so I apologize if my information is incomplete.


* Financial statements can contain a significant deficiency, defined as a
single deficiency that adversely affects the company's financial data, and
results in a more than remote likelihood that a misstatement of the
annual/interim financial statement will not be prevented or detected. Such
deficiencies can be: a restatement; material misstatement, not detected;
ineffective audit committee; ineffective internal audit or risk management
function; ineffective regulatory compliance functions; fraud of any
magnitude; uncorrected significant deficiencies.

A material weakness is a significant deficiency alone or combined with other
significant deficiencies that results in more than a remote likelihood that
a misstatement of the annual/interim financial statement will not be
prevented or detected. This will require an adverse opinion of the internal

-----Original Message-----
From: John Posada [mailto:JPosada -at- isogon -dot- com]
Sent: Wednesday, March 10, 2004 1:17 PM
To: Lisa Wright; TECHWR-L
Subject: RE: Sarbanes-Oxley 404 Project Information (LONG)

Lisa...I'm very interested in this, However, I need for you to define thing
more basics.

"these are the controls that ensure these assertions are true"


John Posada


New RoboHelp X5 includes all new features such as,
content management, multi-author support, distributed
workforce support, XML and PDF support, and much more!

Purchase new Macromedia RoboHelp X5 by March 31st and receive a
$100 mail-in rebate.

You are currently subscribed to techwr-l as:
archiver -at- techwr-l -dot- com
To unsubscribe send a blank email to leave-techwr-l-obscured -at- lists -dot- raycomm -dot- com
Send administrative questions to ejray -at- raycomm -dot- com -dot- Visit for more resources and info.

RE: Sarbanes-Oxley 404 Project Information (LONG): From: John Posada

Previous by Author: Sarbanes-Oxley 404 Project Information (LONG)
Next by Author: RE: Sarbanes-Oxley 404 Project Information (LONG)
Previous by Thread: RE: Sarbanes-Oxley 404 Project Information (LONG)
Next by Thread: RE: Sarbanes-Oxley 404 Project Information (LONG)

What this post helpful? Share it with friends and colleagues:

Sponsored Ads