An excellent article outlining SOX 404 compliancy testing and controls

Sarbanes-Oxley – How to assess Company Level Controls

QUOTE: What are company-level controls? How do CPAs go about evaluating their effectiveness? As the compliance deadline for section 404 of the Sarbanes-Oxley Act approaches for some companies, many have yet to face a critical hurdle: the assessment of their company-level controls. The Public Company Accounting Oversight Board says public companies must assess the design and operating effectiveness of company-level controls in addition to examining detailed control activities at the process and transactional levels.


* THE ASSESSMENT OF COMPANY-LEVEL CONTROLS is a critical part of complying with section 404 of Sarbanes-Oxley. The PCAOB says public companies must assess the design and operating effectiveness of these controls in addition to examining detailed process- and transactional-level control activities.
* COMPANY-LEVEL CONTROLS ARE THOSE THAT PERMEATE an organization and have a significant impact on how it achieves its financial reporting and disclosure objectives. These controls are exemplified by the control environment itself, including the tone at the top, corporate codes of conduct and policies and procedures.

* CPAs CAN FOLLOW SIX STEPS TO HELP ENTITIES comply with company-level control requirements. These steps are defining the project plan and key milestones, building a structure to assess the controls, obtaining input on the design of company-level controls, documenting and assessing the controls, testing their effectiveness, and engaging in gap remediation and continuous improvement.

* THESE STEPS ARE REQUIRED OF PUBLIC COMPANIES, but private companies and not-for-profit organizations also can benefit by looking at the process as a best practice that leads to stronger governance and better financial results.