Ramos_16204_2p_ffirs.v.qxd 2/27/08 3:57 PM Page i THE SARBANES-OXLEY SECTION 404 IMPLEMENTATION TOOLKIT, Second Edition Practice Aids for Managers and Auditors MICHAEL RAMOS John Wiley & Sons,Inc. Ramos_16204_2p_ftoc.v.qxd 2/28/08 9:46 AM Page vi Ramos_16204_2p_ffirs.v.qxd 2/27/08 3:57 PM Page i THE SARBANES-OXLEY SECTION 404 IMPLEMENTATION TOOLKIT, Second Edition Practice Aids for Managers and Auditors MICHAEL RAMOS John Wiley & Sons,Inc. Ramos_16204_2p_ffirs.v.qxd 2/27/08 3:57 PM Page ii This book is printed on acid-free paper.(cid:1)∞ Copyright © 2008 by Michael Ramos.All rights reserved. Published by John Wiley & Sons,Inc.,Hoboken,New Jersey. Published simultaneously in Canada. No part ofthis publication may be reproduced,stored in a retrieval system,or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 ofthe 1976 United States Copyright Act,without either the prior written permission ofthe Publisher,or authorization through payment ofthe appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-646-8600, or on the web at www .copyright.com.Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons,Inc.,111 River Street,Hoboken,NJ 07030,201-748-6011,fax 201-748-6008,or online at http://www.wiley.com/go/permission. Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book,they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose.No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation.You should consult with a professional where appropriate.Neither the publisher nor author shall be liable for any loss ofprofit or any other commercial damages,including but not limited to special,incidental,consequential,or other damages. Designations used by companies to distinguish their products are often claimed as trademarks.In all instances where John Wiley & Sons,Inc.is aware ofa claim,the product names appear in initial capital or all capital letters. Readers, however, should contact the appropriate companies for more complete information regarding trademarks and registration. For general information on our other products and services,or technical support,please contact our Customer Care Department within the United States at 800-762-2974,outside the United States at 317-572-3993 or fax 317- 572-4002. Wiley also publishes its books in a variety ofelectronic formats.Some content that appears in print may not be available in electronic books. Library ofCongress Cataloging-in-Publication Data: ISBN:978-0-470-16931-5 Printed in the United States ofAmerica 10 9 8 7 6 5 4 3 2 1 Ramos_16204_2p_ftoc.v.qxd 2/27/08 3:57 PM Page iii Contents About the Author vii Preface ix Acknowledgments xi Part I Tools for Management 1 ADM-1 General Work Program 3 ADM-2 Project Planning Summary 17 ADM-2a Checklist for Summarizing Project Team Competence and Objectivity 31 ADM-2b.1 Worksheet for Determining and Documenting Significant Accounts and Disclosures 34 ADM-2b.2 Mapping of Business Processes to Significant Accounts and Disclosures 40 ADM-2c Example Inquiries to Identify Changes to Internal Control 45 ADM-3 Senior Management Review Checklist 47 ADM-4 Checklist for Preparation of Management’s Report on Internal Control Effectiveness 52 Part II Documentation of Internal Control Design 57 DOC-1 Work Program for the Review of Documentation of Entity-Level Controls 59 DOC-1a Assessment of Internal Control Effectiveness: Overall Approach to Review of the Documentation of Entity-Level Controls 62 DOC-1b Assessment of Internal Control Effectiveness: Checklist for the Review of the Documentation of Entity-Level Controls 66 DOC-2 Work Program for the Review of Documentation of Activity-Level Controls 80 DOC-2a Assessment of Internal Control Effectiveness: Overall Approach to Review of the Documentation of Activity-Level Controls 82 DOC-2b Assessment of Internal Control Effectiveness: Checklist for the Review of the Documentation of a Significant Transaction or Business Unit/Location 85 DOC-3 Documentation Techniques and Selected Examples for Routine Transactions 87 DOC-4 Checklist for Evaluating SOX 404 Software 110 iii Ramos_16204_2p_ftoc.v.qxd 2/27/08 3:57 PM Page iv iv Contents Part III Internal Control Testing Programs 113 Entity-Level Controls Testing Tools 115 TST-ENT-1 Summary of Observations and Conclusions about Entity-Level Control Effectiveness 119 TST-ENT-1a Checklist for Small Business Entity-Level Controls 135 TST-ENT-2 Work Program for Testing Entity-Level Control Effectiveness 143 TST-ENT-3 Index to Tests of Entity-Level Controls:Inquiries and Surveys 171 TST-ENT-3a Entity-Level Tests of Operating Effectiveness:Inquiry Note Sheets—Management 176 TST-ENT-3b Entity-Level Tests of Operating Effectiveness:Inquiry Note Sheets—Board Members 187 TST-ENT-3c Entity-Level Tests of Operating Effectiveness:Inquiry Note Sheets—Audit Committee Members 193 TST-ENT-3d Entity-Level Tests of Operating Effectiveness:Inquiry Note Sheets—Employees 200 TST-ENT-3e Example Employee Survey 207 TST-ENT-4 Index to Tests of Entity-Level Controls:Inspection of Documentation 215 TST-ENT-4a Worksheet to Document Inspection of Documentation of Performance of Entity-Level Controls 217 TST-ENT-5 Index to Tests of Entity-Level Controls:Observation of Operations 220 TST-ENT-5a Worksheet to Document Observation of Operation of Entity-Level Controls 222 TST-ENT-6 Index to Tests of Entity-Level Controls:Reperformance of Controls 225 TST-ENT-6a Worksheet to Document Reperformance of Entity-Level Controls 227 TST-ENT-7 Work Program for Reviewing a Report on IT General Control Effectiveness 230 TST-ENT-7a Planning and Review of Scope of Tests of IT General Control Effectiveness 235 TST-ENT-8 Work Program for Performing an ITGeneral Controls Review 241 Guidelines for Testing Activity–Level Control Effectiveness 245 TST-ACT-1 Guidelines and Example Inquiries for Performing Walkthroughs 253 TST-ACT-2 Example Testing Program for Activity-Level Tests of Controls 261 TST-ACT-2a Example Testing Program for Control Operating Effectiveness:Revenue 262 TST-ACT-2b Example Testing Program for Control Operating Effectiveness:Purchases and Expenditures 267 TST-ACT-2c Example Testing Program for Control Operating Effectiveness:Cash Receipts and Disbursements 271 TST-ACT-2d Example Testing Program for Control Operating Effectiveness:Payroll 275 Ramos_16204_2p_ftoc.v.qxd 2/28/08 9:46 AM Page v Contents v TST-ACT-3 Work Program for the Review of a Type 2 SAS No.70 Report 279 TST-ACT-3a Type 2 SAS No.70 Report Review Checklist 282 TST-ACT-4 Process Owners’Monitoring of Control Effectiveness 289 Part IV Example Letters and Other Communications 295 COM-1 Example Engagement Letter for Outside Consultants to Management 297 COM-2 Example Management Representation Letter 301 COM-3 Example Management Reports on Effectiveness of Internal Control over Financial Reporting 303 COM-4 Example Subcertification 305 Appendix A 307 About the CD-ROM 385 Index 389 Ramos_16204_2p_ftoc.v.qxd 2/28/08 9:46 AM Page vi Ramos_16204_2p_fbetw.v.qxd 2/27/08 3:58 PM Page vii About the Author Michael Ramos was an auditor with KPMG and now works as an author and consultant. He is the author of How to Comply with Sarbanes-Oxley Section 404:Assessing the Effec- tiveness of Internal Control,Third Edition.This is his book. vii Ramos_16204_2p_fbetw.v.qxd 2/27/08 3:58 PM Page viii