Audit & Assurance Services: Case Study
Sarbanes-Oxley section 404, Internal control testing
The Issue
With regard to US SEC rules, the Sarbanes-Oxley Act, signed into United States Law on 29 July 2002, established a new paradigm for corporate responsibility, accountability, transparency and behavior.
The section 404 of the Act requires a company's annual report to include a formal management assessment of its internal controls and procedures relating to financial reporting and have this assessment audited.
In that context, a major bank in Luxembourg that is part of an international group subject to section 404 requirements requested our assistance in performing the management assessment.
The main assistance provided was in the following areas:
- Definition of adequate testing plan in coordination with internal audit, risk management and the external auditor,
- Performing the testing of controls on behalf of the management,
- Reporting and documentation of the testing and deficiencies identified to the management.
Our Approach
We provided systems and process assurance specialists with extensive experience in the area of banking and Sarbanes Oxley matters. These specialists are part of our internal control group and spend the majority of their time working on documenting procedures and controls, evaluating the design of controls and testing their effectiveness. To ensure that our controls specialists are up-to-date on current SEC matters and more specifically issues relating to section 404, these individuals follow training on a periodic basis, which is developed by and nourished by the experiences of our PwC US colleagues.
The project was carried out in the following phases:
- In a first phase, we defined the test plan based on the design of the controls for each key process as documented by the bank's process owners (i.e. business heads), as well discussions with relevant banking personnel. During this process, deficiencies in the control descriptions were identified, discussed with management and amended as deemed necessary.
- In conjunction with the first phase, the test plans of the controls were reviewed and validated by both the internal and external auditors.
- The second phase consisted mainly of performing the testing of the effectiveness of controls using the policies defined by the group and the external auditor in relation to sample sizes, sampling methods, type of testing and reporting.
- Finally, the results of the testing and the knowledge gained through the exercise were transferred to the bank's section 404 specialists.
The Outcome
At the end of the project, the bank will provide a report to group management on the quality of the design of its controls and the effectiveness of its controls in order for the group to perform its management assessment on controls over financial reporting. The external auditor will then review management's assessment and perform his own assessment on the group's controls over financial reporting.
Through this process, the bank has gained a greater understanding of its internal controls, including the identification and remediation of control deficiencies, has more fully appreciated the obligations and technical aspects of section 404 and has generally improved its overall control environment.
- Pascal Rakovsky
Audit & Assurance Leader - Tel: +352 49 48 48 5746
Related Challenges
Email to a colleague
Print-friendly version