BOL Conferences
#132958 - 11/20/03 07:58 PM SOx Sec 404 Documentation of Internal Controls ???
NancyF Offline
100 Club
NancyF
Joined: Dec 2001
Posts: 173
PA


For those banks subject to Sarbanes-Oxley, how are you planning on documenting your internal controls? Who in the bank is doing the documentation project or are you out-sourcing it? If outsourcing, to whom? How long do you think this project will take? Are you putting it off until further guidance?

Audit
#132959 - 11/21/03 03:12 PM Re: SOx Sec 404 Documentation of Internal Controls ???
rlcarey Online
10K Club
rlcarey
Joined: Jul 2001
Posts: 83,227
Galveston, TX
If you are subject to SOX and haven't started the process and your fiscal year is over at the end of December - you have serious problems unless you're already subject to FDICIA, in which case you should already have your internal controls documented and you can leverage off of them. If you haven't already had this discussion with your independent auditor - shame on both of you. What additional guidance are you waiting for???
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

#132960 - 11/21/03 05:44 PM Re: SOx Sec 404 Documentation of Internal Controls ???
Risk Officer Offline
100 Club
Joined: Apr 2001
Posts: 205
Dallas
A few comments...

The PCAOB's Proposed Auditing Standards for Internal Controls over Financial Reporting were issued 10/7/03 and I believe the comment period ends today. Rules will probably be finalized in the Feb - Apr 2004 timeframe. Most of the questions have to do with the external auditor's role, however, rather than what we as bankers must do. We know we have to document the internal controls over financial reporting, and the PCAOB is not going to dictate specific documentation requirements; rather, they will leave it up to the company. However, for all significant financial statement accounts, we will need to document how transactions / entries are initiated, approved, recorded, processed, and ultimately recorded on the financial statements.

If you are a FDICIA bank, you have an excellent start on the process. We are a first time FDICIA bank this year and are relying on an extensive database of internal control questions, which includes the risk assessment and testing documentation. I envision that once SOX 404 rolls around, we will have to expand our documentation to include more process documentation (i.e. flowcharts) to better show the flow of transactions from initiation to ultimate recording in the financial statements.

If you are not a FDICIA bank, you have a much more extensive row to hoe; however, if you are not a FDICIA bank (>$500 million), you probably don't have market cap in excess of $75 million; therefore, you are probably not an accelerated filer and won't be subject to SOX 404 until your first FYE after 4/15/05 (probably 12/31/05 for you). Accelerated filers are subject to SOX 404 their first FYE after 6/15/04.

My advice would be to get started now. Start documenting your internal controls (ICQs, flowcharts, narratives, cross references to procedure manuals, etc.). Leverage what your internal auditor does in regards to this...nearly every audit should include an evaluation of internal controls...start with this documentation and start building a central database of your internal control documentation. Going forward, the internal auditors can use and update it on an ongoing basis in the audit process as well as for FDICIA / SOX.

All significant controls must be independently tested under both FDICIA and SOX 404. Be sure and plan for the testing phase. Once you get your internal control documentation in place, you can work the required testing of internal controls into your normal audit process (or other independent testing mechanism) rather than wait until the last minute to document your testing. Therefore, the earlier you get your internal controls documented the better. Document the testing in your central internal control database!

I'm rambling, so I'll stop. If you want to discuss it further, PM or email me and we'll go from there.
_________________________
My opinions are just that...my opinions.

#132961 - 11/24/03 01:56 PM Re: SOx Sec 404 Documentation of Internal Controls ???
Risk Officer Offline
100 Club
Joined: Apr 2001
Posts: 205
Dallas
Ernst & Young has some very good internal control related documents available for download from their web site. Go to their Assurance Library and scroll down to their internal control documents. There are four documents available:

- A guide for management's assessment under SOX 404

- Considerations for evaluating internal control at the entity level

- Considerations for documenting controls at the process, transaction, or application level

- Evaluating overall effectiveness, identifying matters for improvement, and ongoing assessment of controls

I would also suggest that you thoroughly read COSO's Internal Control - Integrated Framework; an executive summary is available at www.coso.org. The printed publications may be ordered at www.aicpa.org or www.theiia.org.
_________________________
My opinions are just that...my opinions.


Moderator:  Andy_Z