Skip to main content

Sarbanes-Oxley Section 404
A Guide for Small Business

July 14, 2017

For 2007 annual reports, smaller public companies need to assess their internal control over financial reporting.

It doesn't have to be a chore.

Beginning Your Evaluation

Step 2 — Do Your Controls Work in Practice?

Determining the effectiveness of the controls you've identified requires that you gather evidence about how the controls actually operate. What kind of evidence you need, and how much of it, depends on your assessment of two kinds of internal control risk:

  1. The risk of a material misstatement in the financial reports
  2. The risk that the control will fail to operate as designed

The greater the internal control risk, the more evidence you'll need to support a conclusion that the control is effective.

Chart: How much evidence do you need to establish that internal controls are effective?

In a smaller company, you may not need to assign any special personnel to the task of gathering evidence on how internal controls are operating. Likewise, the procedures you follow to obtain evidence of operating effectiveness may be integrated with the daily responsibilities of the employees. As internal control risk increases, however, you may need to consider:

  • Using personnel who are more objective
  • More extensively validating the controls
  • Testing over longer periods

The SEC's newly issued guidance provides examples of financial reporting elements that ordinarily would be considered higher risk, such as critical accounting policies. It also provides examples of controls that have higher risk, such as those that are subject to override by management, involve significant judgment, or are complex.

The SEC guidance also describes circumstances in which managers can rely on their own knowledge and supervision of controls — a common situation in smaller companies — as a way to limit the additional procedures, if any, that might be needed to gather evidence of operating effectiveness.

Once the evidence is gathered, you then determine whether the control is operating effectively. In making your assessment, you should consider:

  1. Whether the control operates as designed
  2. How it is applied
  3. Whether it operates consistently
  4. Whether the personnel responsible for the control have the authority, and the competence, to do the job

If management determines that the control is not operating effectively, then a control deficiency exists. As described below, each control deficiency must be evaluated to determine if it is a material weakness.

Return to Top