Company: Company X
Procedure: Planning Sarbanes Oxley Compliance FY 2017
1. Introduction / Background
Section 404 of the Sarbanes-Oxley Act of 2002 (the Act) requires management of every public Company to file
an internal control report with the annual report. In May 2003, the Securities and Exchange Commission voted to
adopt final rules governing management's reporting on internal control over financial reporting.
Company X (Company) is required to include a management report on internal controls over financial reporting
that contains the following elements:
- A statement of management's responsibility for establishing and maintaining adequate internal controls and
procedures for financial reporting
- A statement identifying the framework used by management to evaluate the effectiveness of internal control
over financial reporting
- Management's assessment of the effectiveness of internal control over financial reporting as of the end of the
Company's most recent fiscal year; and
- A statement that this annual report does not include an attestation
report of the company's registered public accounting firm regarding internal control over financial reporting.
(Management's report was not subject to attestation by the company's registered public accounting firm
pursuant to temporary rules of the Securities and Exchange Commission that permit the company to provide
only management's report in this annual report.)
The Section 404 certifications are signed by the CEO and CFO. Management will be required to make its own
assessment for fiscal year ended December 31, 2017.
Design and implement solutions for control gaps, if any, which may be identified during the testing of operating
effectiveness of controls
Final Evaluation
- Identify, understand and assess deficiencies, including compensating controls
- Assess the likelihood / potential magnitude of misstatement
- Determine classification of deficiencies, if any
- Project Conclusion Memorandum will be prepared to conclude on management's assessment of internal
controls over financial reporting
Reporting
- Reporting of management's assessment on internal controls over financial reporting
In addition to the above, based on qualitative considerations, management also decided to include the process
around covenant compliance in the scope of internal controls.
4. Compliance Structure
The Company's compliance structure along with the roles and responsibilities of individuals is listed below:
Executive Officers (CEO, President and CFO)
- Ultimate ownership of the project
- Ensure continuous support and visibility for SOX compliance
- Provide day-to-day support and an executive point of contact for project issues and deliverables review /
feedback
- Oversee the project and provide assistance for on-going compliance efforts
- Provide assistance in gaining access to internal or external resources needed to successfully complete the
SOX compliance project
- Continuously appraise the progress of the SOX compliance project
Process Owners
- Provide subject matter expertise and representative input regarding internal control process design and
operation for the functional area they represent
- Responsible for documentation update and control assessment
- Monitor and report changes on a quarterly basis
External Consultants
- Support management in the following:
  - Project planning and scoping
  - Guidance on SOX compliance and developments
  - Review of design, testing controls and operating effectiveness assessment
  - Review of changes, document updates and development of overall policies
Audit Committee
- Oversee the Company's Sarbanes Oxley Compliance Program
Adequate evidence will be obtained to support management's assertions on the effectiveness of the entity level
controls. This will include completing questionnaires based on inputs / responses received from select members of
senior management.
6. Documentation
The Company will review its documentation of key processes and make an effort to identify and optimize key
controls while making sure that control objectives are met effectively. The steps that will be followed are as follows:
- Update procedures and controls for significant processes
- Review mapping of control objectives to financial statement line items and ensure that relevant assertions are
addressed
- Ensure that control objectives are met effectively within each process / sub-process
- Establish new controls where necessary to meet key assertions
Sampling Guidance
The following is the guidance for sample sizes relative to the frequency of the performance of the control activity,
irrespective of the risk rating of the process.
Frequency of Control Performance    Number of samples
Quarterly                           2
Monthly                             4
Weekly                              8
Daily                               25
Continuously / Recurring            30
Exceptions
When exceptions are noted, management will either expand the extent of testing or identify and test other
compensating and complementary controls.
9. Remediation
In the event that control testing results in certain control gaps between the desired and actual control performance,
design deficiencies or other exceptions, the Company will identify such gaps and exceptions and design control
improvements and / or new controls as appropriate.
All exceptions identified during the course of testing will be updated on a summary sheet for each process subject
to tests. Management will identify compensating / complementary controls and ascertain that such controls are
functioning properly.
_______________________________________
CEO
_______________________________________
Chief Financial Officer
11. Exhibits
Exhibit 1: Materiality
Application of Materiality
In determining materiality, the Company considers the guidance provided in the summary to Staff Accounting
Bulletin No. 99, "Materiality," which states, "This bulletin expresses the views of the staff that exclusive reliance on
certain quantitative benchmarks to assess materiality in preparing financial statements and performing audits of the
financial statements is inappropriate; misstatements are not immaterial simply because they fall beneath a
numerical threshold." Thus, due significance is also being placed on the non-quantitative factors.
Under Section 302 / 404, the Company shall review the disclosure controls and procedures, identify all control
exceptions and
- Determine which are internal control deficiencies
- Assess each deficiency's impact on the fair presentation of their financial statements
- Identify and report significant control deficiencies or material weaknesses to the Board of Directors, Audit
Committee and to the Company's independent auditor
Small uncorrected / unrecorded misstatements having no consequence on the financial statements would not be
considered, based on the premise that only a small number of these items exist. A large number of like errors would
be accumulated and be considered as a single error.
Available information
Industry norms
Review and approval of the management and independent auditors
As long as the estimation process is reasonable, it shall not be concluded that a control deficiency exists when the
actual amount is compared with the estimate, regardless of how large the variance.
Only if the estimation process is flawed, broken or unreasonable would a control deficiency be deemed to exist.
Exception 4: Fraud
Management's intent is to be able to fairly present in all material respects the results of operations and condition of
assets when recording any accounting entries into the Company's books and records. Any frauds shall be disclosed
in accordance with the requirements prescribed in Sarbanes Oxley Act section 302.
Section 302 paragraph 5 (b) requires disclosure of any fraud, whether or not material, involving the management
or other employees who have a significant role in its internal controls to be reported to the independent auditors
and the Audit Committee, with a disclosure to this effect.
Sarbanes Oxley Section 303(a), Improper Influence on Conduct of Audits, says it is unlawful for any officer or
director of an issuer, or any other person acting under their direction, to take any action to fraudulently influence,
coerce, manipulate, or mislead any independent public or certified accountant engaged in the performance of an
audit of the financial statements of that issuer for the purpose of rendering such financial statements materially
misleading.
Staff Accounting Bulletin No. 99 explains that a material misrepresentation is not tied to the amount of the
misrepresentation but rather occurs whenever there was intent to misrepresent the registrant's financial position
and results of operations and such a misrepresentation occurred.
Section 303(a) concerns fraud performed for the Company by management or employees who intended to
materially misrepresent the entity's financial position and results of operations.
A fraud on the part of an employee(s) or management that is against the Company follows the normal uncorrected
/ unrecorded misstatements and control deficiency materiality rules and levels. A fraud by management or
employee(s) that is for the Company falls under section 303(a).
http://www.sec.gov/interps/account/sab99.htm