Internal Control Strategies: A Mid to Small Business Guide

Praise for Internal Control Strategies A Mid to Small Business Guide "Internal Control Strategies is an excellent field guide for the implementation and maintenance of efficient and effective internal control systems. The book provides a practical approach to interpreting guidance from oversight agencies and integrating it with industry practice in a real-world environment. This handbook is an essential tool for managers and professionals going through the day-to-day struggle of managing auditor expectations and permitting business to proceed in the most efficient manner." -Michael Rodriguez, former senior manager of finance, Qualcomm Incorporated "Internal Control Strategies is the clearest path forward for middle-market SEC registrants and their independent registered public accounting firms as they streamline the SOX 404 compliance process in 2008 and beyond." -Stephen G. Austin, MBA, CPA, Managing Firm Partner,Swenson Advisors, LLP, Regional PCAOB Accounting Firm "Clearly written and practical, Internal Control Strategies is a must-read for every chief audit, finance, or compliance executive." -Jeff Miller, Partner-in-Charge, Business Risk Services,Squar, Milner, Peterson, Miranda & Williamson, LLP "As a CFO of small to mid-sized publicly traded and privately held companies, one is usually faced with the challenge of developing and implementing the right levels of internal controls and compliance within the restrictions of limited financial and human resources. Internal Control Strategies presents the relevant topics in a clear and concise manner, allowing the reader to understand the internal control framework and specific underlying requirements quickly. The author's vast experience with SOX compliance ensures a targeted and pragmatic approach for the successful implementation of internal controls. Her recommendations are 'to the point' and eliminate some of the guesswork we all have experienced while working towards SOX compliance." -Robert S. Stefanovich, Chief Financial Officer, Novalar Pharmaceuticals, Inc. The SEC requires all publicly traded companies to attest to theeffectiveness of their internal controls. Is your business ready? Internal Control Strategies: A Mid to Small Business Guide clearly explains the latest PCAOB, SEC, and COSO guidance, providing you with an effective tool and reference guide for successful implementation of sections 302 and 404 of the Sarbanes-Oxley Act. Extremely knowledgeable and insightful, author Julie Harrer brings practical clarity to this complex topic, leading you step by step in addressing the challenges associated in bringing your business in compliance with SOX.

Table of Contents:
Preface ix Chapter 1 Understanding the SEC’s Guidance for Management 1 Purpose of Internal Control over Financial Reporting 1 Evaluation Process 5 Reporting Considerations 12 Rule Amendments and other SEC Guidance Related to Internal Control over Financial Reporting 14 Chapter 2 The PCAOB’s Auditing Standard No. 5 19 Eight Concepts to Focus the Audit on Matters Most Important to Internal Control 20 New Emphasis on Entity-Level Controls 28 Importance of a Fraud Risk Assessment 29 Tips to Eliminate Unnecessary Procedures 30 Scaling Audits for Smaller Companies 36 Chapter 3 SEC’s Guidance on a Risk-Based Approach 39 Highlights of the SEC Staff Statement 40 Staff’s Emphasis on Reasonable Assurance 41 Comments on Evaluating Internal Control Deficiencies 45 Disclosures about Material Weaknesses 46 Information Technology Comments from the Staff 47 Communications with Auditors: An Unintended Consequence 48 Message for Small Business Issuers and Foreign Private Issuers 50 Chapter 4 Highlights of the PCAOB’s May 2005 Policy Statement 51 Policy Statement Highlights 52 Integrating the Financial and Internal Control Audits 52 Importance of Professional Judgment 55 Top-Down Approach and Role of Risk Assessment 56 When Auditors Can Use the Work of Others 57 Auditors’ Ability to Provide Advice to Audit Clients 57 How the PCAOB Inspections Help Drive Improvements 59 A Final Comment 59 Chapter 5 Starting at the Top: Using Entity-Level Controls to Create Efficiencies 61 What are Entity-Level Controls? 61 How Strong Entity-Level Controls Can Reduce the Scope of Your Program 62 How to Apply COSO’s Recent Internal Control Guidance 65 How to Create a Winning Control Environment 66 Steps for Creating a Useful Risk Assessment Process 76 Control Activities 85 Creating an Effective Information and Communication Program 85 How to Implement Successful Monitoring Controls 90 How to Assign Roles and Responsibilities to Enhance Internal Controls 94 Small-Company Issues for Implementing Entity-Level Controls 98 Summary of COSO’s Guidance for Smaller Public Companies 103 Chapter 6 Minimizing Excess through Proper Scoping and Planning Practices 105 Scoping Analysis: Event or Process? 106 How to Determine Materiality for Scoping Purposes 106 How to Use a Top-Down, Risk-Based Approach to Reduce the Scope of Your Program 111 Methods for Determining Significant Locations 116 Specific Areas Included and Excluded by the PCAOB 120 PCAOB and SEC Guidance on Other Common Scoping Issues 123 Tips for Resource Planning and Developing Useful Timelines 124 Chapter 7 Advantageous Project Management Techniques 127 11 Areas of Focus for the Second Year and Beyond 128 How to Increase Productivity with a Sound Management Approach 129 Aim for the Target Instead of the Way to Get There 130 More Project Management Tips 135 Staffing Strategies 138 Restructuring the Organizational Chart for Sustainability 144 How to Communicate Effectively through Emails, Meetings, and Advisories 148 Tactics for Dealing with Business Changes for Sections 302 and 404 Compliance 150 Chapter 8 Streamlining Documentation 155 Three Ideas to Improve Your Overall Documentation Process 157 Clearing the Clutter: How to Create and Maintain Meaningful Control Matrices 159 Using Relevant Financial Assertions for Planning Purposes 161 Financial Assertion Help for Nonauditors 162 Techniques for Scrutinizing the Number of Key Controls 163 How to Reduce and Improve Controls with Standardization 166 Practical Ideas for Documentation at International Locations 168 How to Create an Effective Spreadsheet Control Program 169 How to Create Strong Financial Reporting Controls 172 Tools for Assessing Control Design 175 An Alternative to Gap Remediation 176 Three More Ideas for Improving Documentation 177 Chapter 9 Economical Testing Techniques 181 Testing Control Design and Operating Effectiveness 181 Practical Steps to Applying Guidance on the Nature, Timing, and Extent of Testing 182 Suggestions for Testing Significant Manual and Nonroutine Transactions 184 Using Update Tests to Ease the Burden of Testing at Year-End 186 Five Ideas for the Timing of Control Tests 190 Types of Control Tests and When to Use Them 194 Why You Should Minimize the Use of Self-Assessment Tests 197 Maximizing Your Auditors’ Reliance on the Work of Others 199 More Inspiration on Efficient Testing 210 Chapter 10 Methods for Remediation Madness 215 Do All Controls Have to Be Remediated? 216 For-Now Approach to Remediation 217 Creating Meaningful Remediation Plans 218 Nine Practice Tips for the Remediation Phase 218 Sufficient Periods for Remediated Controls 221 Steps to Prepare for Retesting 222 Project Management Tools for Remediation 223 Chapter 11 Taking the Mystery out of Evaluating Deficiencies 227 Deficiencies Defined 228 Analytical Steps for Evaluating Deficiencies 230 Are All Exceptions Considered Deficiencies? 235 Techniques for Aggregating Deficiencies 237 Typical Material Weaknesses 239 Unique Nature of IT General Control Deficiencies 240 Market’s Reaction to Process Specific versus Pervasive Material Weaknesses 242 How to Improve Material Weakness Disclosures 244 AS No. 4 and Reporting Whether a Previously Reported Material Weakness Still Exists 245 Successful Communication of Deficiencies to Management and the Audit Committee 246 Suggestions for Management’s Final Assessment Report 247 Chapter 12 Common Areas of Concern and How to Address Them 251 Control Options for the Use of Service Organizations 252 What to Do with Mergers and Acquisitions Activities 258 A Unique Solution for Managing the Tax Process 261 How to Minimize IT Developer Access to Production Issues 263 What to Do When Your ERP System Is Not Compatible with Your Access Controls 264 Tips for Changing ERP Systems and Staying SOX Compliant 266 Practical Ideas for Document Retention Requirements 267 Thoughts on Changing Accounting Firms 269 Appendix A Simplified Sample Entity-Level Control Matrices 271 Appendix B COSO’s Internal Controls Checklist for Entity-Level Controls 279 Appendix C Standardized Period-End Process Control Matrix 283 Appendix D PCAOB Staff Question-and-Answer Index 287 Appendix E SEC Office of the Chief Accountant Frequently Asked Questions Index 291 Appendix F Summary of Changes Made to Auditing Standard No. 2 and the Related New Guidance 295 Index 301

About the Author :
Julie Harrer, CPA, is the President and founder of Hamlet Auditing Corporation, a consulting firm that provides Sarbanes-Oxley, management advisory, process improvement, and accounting services. She managed the Sarbanes-Oxley section 404 project for Qualcomm Incorporated, the first company to comply with section 404 in November 2004. Since then, she has managed several compliance projects as both an external auditor and internally working with management of large and small public companies. Prior to creating her own firm, she was vice president of finance for eAssist Global Solutions and Controller for MarDx Diagnostics. She began her career in public accounting as an auditor with Cairns, Eng & Applegate, LLP and Carter Polito Muscio, Inc.