Entity Level Controls sub-processes and required activities for SOX 404 readiness
Entity Level Controls - SOX 404 Readiness
What internal control or SOX 404 activities are required and recommended for the Entity Level Controls process of a company preparing for an IPO or public company readiness?
Sub-processes include:
- Audit Committee
- Authority matrix, organization structure
- Board of Directors composition
- Disclosure Committee
- Policies and procedures
- Tone at the top (culture of integrity)
- Whistleblower policies and procedures
Recommended Scope of Work for Each Process:
- Assess control gaps (interviews)
- Document process and controls (narrative or flowchart)
- Create a Risk Control Matrix
- Conduct a walk-through (test of design or TOD)
- Perform testing (test of effectiveness – time permitting)
Notes:
- Most external auditors now require flowcharts instead of narratives to document processes and controls. Flowcharts with separate swim lanes allow you to easily see proper segregation of duties (or not).
- Concentrate your focus and resources on designing controls, training process owners, and doing a walk-through to make sure the controls are performed accurately and timely. If time allows, then perform testing.
- The walk-through is a hands-on way to assess the control gaps that might only be found through an actual example. The walk-through lets you refine your process and evaluate your actual risks as you tailor your controls to suit your needs.