A few comments...
The PCAOB's Proposed Auditing Standards for Internal Controls over Financial Reporting were issued 10/7/03 and I believe the comment period ends today. Rules will probably be finalized in the Feb - Apr 2004 timeframe. Most of the questions have to do with the external auditor's role, however, rather than what we as bankers must do. We know we have to document the internal controls over financial reporting, and the PCAOB is not going to dictate specific documentation requirements; rather, they will leave it up to the company. However, for all significant financial statement accounts, we will need to document how transactions / entries are initiated, approved, recorded, processed, and ultimately recorded on the financial statements.
If you are a FDICIA bank, you have an excellent start on the process. We are a first time FDICIA bank this year and are relying on an extensive database of internal control questions, which includes the risk assessment and testing documentation. I envision that once SOX 404 rolls around, we will have to expand our documentation to include more process documentation (i.e. flowcharts) to better show the flow of transactions from initiation to ultimate recording in the financial statements.
If you are not a FDICIA bank, you have a much more extensive row to hoe; however, if you are not a FDICIA bank (>$500 million), you probably don't have market cap in excess of $75 million; therefore, you are probably not an accelerated filer and won't be subject to SOX 404 until your first FYE after 4/15/05 (probably 12/31/05 for you). Accelerated filers are subject to SOX 404 their first FYE after 6/15/04.
My advice would be to get started now. Start documenting your internal controls (ICQs, flowcharts, narratives, cross references to procedure manuals, etc.). Leverage what your internal auditor does in regards to this...nearly every audit should include an evaluation of internal controls...start with this documentation and start building a central database of your internal control documentation. Going forward, the internal auditors can use and update it on an ongoing basis in the audit process as well as for FDICIA / SOX.
All significant controls must be independently tested under both FDICIA and SOX 404. Be sure and plan for the testing phase. Once you get your internal control documentation in place, you can work the required testing of internal controls into your normal audit process (or other independent testing mechanism) rather than wait until the last minute to document your testing. Therefore, the earlier you get your internal controls documented the better. Document the testing in your central internal control database!
I'm rambling, so I'll stop. If you want to discuss it further, PM or email me and we'll go from there.
_________________________
My opinions are just that...my opinions.