Sarbanes-Oxley section 404, Internal control testing
The Issue
With regard to US SEC rules, the Sarbanes-Oxley Act,
signed into United States law on 29 July 2002, established
a new paradigm for corporate responsibility, accountability,
transparency and behavior.
Section 404 of the Act requires a company's annual
report to include a formal management assessment of
its internal controls and procedures relating to financial
reporting, and requires this assessment to be audited.
In that context, a major bank in Luxembourg that
is part of an international group subject to section
404 requirements requested our assistance in performing
the management assessment.
The main assistance provided was in the following
areas:
- Definition of an adequate testing plan in coordination
with internal audit, risk management and the external
auditor,
- Performing the testing of controls on behalf
of the management,
- Reporting and documentation of the testing and
deficiencies identified to the management.
Our Approach
We provided systems and process assurance specialists
with extensive experience in the area of banking and
Sarbanes-Oxley matters. These specialists are part
of our internal control group and spend the majority
of their time working on documenting procedures and
controls, evaluating the design of controls and testing
their effectiveness. To ensure that our controls specialists
are up to date on current SEC matters, and more specifically
on issues relating to section 404, these individuals
attend periodic training that is developed by, and
draws on the experience of, our PwC US
colleagues.
The project was carried out in the following phases:
- In a first phase, we defined the test plan based
on the design of the controls for each key process
as documented by the bank's process owners (i.e.
business heads), as well as discussions with relevant
banking personnel. During this process, deficiencies
in the control descriptions were identified, discussed
with management and amended as deemed necessary.
- In conjunction with the first phase, the test
plans of the controls were reviewed and validated
by both the internal and external auditors.
- The second phase consisted mainly of performing
the testing of the effectiveness of controls using
the policies defined by the group and the external
auditor in relation to sample sizes, sampling
methods, type of testing and reporting.
- Finally, the results of the testing and the
knowledge gained through the exercise were transferred
to the bank's section 404 specialists.
The Outcome
At the end of the project, the bank will provide
a report to group management on the quality of the
design of its controls and the effectiveness of its
controls in order for the group to perform its management
assessment on controls over financial reporting. The
external auditor will then review management's assessment
and perform its own assessment of the group's controls
over financial reporting.
Through this process, the bank has gained a greater
understanding of its internal controls, including
the identification and remediation of control deficiencies,
has more fully appreciated the obligations and technical
aspects of section 404 and has generally improved
its overall control environment.