Sarbanes-Oxley Section 404 Assistance
Looking to reduce Sarbanes-Oxley (SOX) compliance costs and effort? Since SOX became law in 2002, compliance has evolved steadily, and our model for ongoing SOX testing was designed with this in mind. We help internal departments through the peak periods of second, third and fourth quarter testing. Our approach incorporates low-cost, qualified SOX testing resources to reduce overall SOX compliance costs. In fact, you’ll find our ongoing sustainment costs to be among the lowest in the industry.
Project Management
To enable the project to be focused and on-track, we provide leadership and coordination throughout our Sarbanes-Oxley assistance projects. Our responsibilities typically include monitoring and reporting the progress of the project against milestones and the ongoing modification and monitoring of a detailed work plan. We coordinate resources, prepare status reports, update the project plan, and present at Steering Committee meetings.
Risk Assessment, Scoping & Materiality
Following recent guidance issued by the SEC and PCAOB, we understand that compliance with Section 404 should be risk-based. Accordingly, we perform a financial statement risk assessment that includes identifying the specific financial reporting risks, mapping the financial statement accounts to the financial statement processes and identifying the specific control objectives associated with the identified risks. As part of this process, we would also identify the in-scope locations and financial statement accounts based on an appropriate materiality threshold.
Entity Level Assessment
We believe that compliance with Section 404 should be based on a top-down approach which involves assessing the overall entity-level control environment. We assist in the identification, documentation and testing of entity-level controls using an entity-level control catalog which is based on the COSO framework and, if applicable, incorporates the guidance for smaller companies.
Process & Controls Documentation
Using the risk assessment, we can help you prepare your Section 404 documentation of the identified processes and control activities that are in scope and identify the key controls. As part of the key control selection effort, we will focus on ensuring that the scope of the key controls addresses only those processes and activities which cover internal controls over financial reporting and not operational or compliance activities, which are outside the scope of Section 404. We will also focus on selecting key controls that are, wherever possible, automated and preventive versus manual and detective. Typically, automated and preventive type controls are more reliable and less costly to test. We will also emphasize the importance of being economical in the selection of key controls, which should also result in lower future costs for testing. Our standardized approach produces just the right amount of documentation for your management assessment and your external auditors.
Our multidisciplinary teams ensure the documentation addresses all of the necessary elements, such as entity-level, IT and financial disclosure controls. Moreover, our “Big-4” experience keeps the project focused on what is really required by Section 404 and provides you with suitable integration with your external auditors.
Controls Testing
Our control experts are well trained in testing techniques and documentation standards. We provide testing results that meet the requirements of the public accounting firms without the high cost. We believe that control testing is repetitive and can be performed more efficiently with resources that have the appropriate skills and training.
We will develop testing plans, test scripts and templates to ensure that your external auditor can place maximum reliance on the work performed by our team. We will also coordinate testing activities and prepare work papers documenting testing results.
IT Controls Documentation & Testing
Assessing IT controls requires highly specialized skills. Although many public companies have an Internal Audit capability, many lack the skills in-house to effectively document and test IT controls. eGRC.COM possesses the entire breadth of technical skills required to work with ERPs, databases, networks and websites as well as IT processes. Our professionals are experts in COBIT for Sarbanes-Oxley and most have completed many IT general controls work paper sets for “Big-4” audit firms. Furthermore, IT is one of our core specialties.
Controls Remediation
Fixing control design and operating effectiveness gaps often requires changing existing processes and technologies. To do so successfully, a change agent must understand how to gain acceptance by the organization for the change as well as know the many process and technology alternatives to consider. Unlike a typical auditor, our professionals are capable of helping your organization implement new practices and modernize your technologies.
Throughout the SOX effort, we identify, track and report any internal control deficiencies. We will coordinate any necessary remediation activities related to the correction of specific control deficiencies. eGRC.COM possesses specialists from across a broad spectrum of disciplines skilled in fostering organizational change, preparing policies and procedures, and designing new processes and controls. We provide as much guidance on remediation as possible during the documentation and testing effort.
Improving Section 404 Compliance
Today, many companies rely on manual, detective controls that are costly to operate and test and are prone to error. We can help you replace those controls with automated controls that are more reliable and cost-effective. We have the expertise to help you get the most from your existing ERP systems by utilizing functionality already embedded within them. In addition, we can deploy emerging controls automation software, such as Approva, or controls monitoring/self-assessment programs to make controls testing and monitoring more efficient. We also help organizations consolidate disparate compliance efforts into a single, integrated compliance program.