I discussed sometime back how the project maturity framework can be applied to Section 404 project. At a recent conference in San Jose, which was themed on "Section 404 - A Project Approach", experts from various companies discussed how a project plan can be made for Section 404 compliance. The speakers discussed the various key things which should form part of the 404 plan. I am summarizing the key steps in the 404 project plan.

1. 404 project plan should include a walkthrough of all significant processes in the first quarter of th year.

2. Plan should be such that all key controls are tested by the middle of the year. This way, even the external auditors can start their work early on. The second advantage of this approach is that, in case any deficiencies turn up, same can be remediated in a timely mannner.

3. A 404 projecct plan should include fraud risk assessment, assessment of SAS 70 Type I and Type II report if applicable, ITGCs etc.

4. Plan should detail all the resources who would be involved in the project. These could be IT auditors, Tax specialists, application control specialists etc.

5. Plan should lay out how reporting would be done to the senior management on project issues and progress. Senior management is normally interested in metrics such as percentage of controls tested against total controls, failed controls which can have an impact on 404 assessment, actual costs vs estimates, progress against project schedule etc. All these metrics should form part of the project plan.

Related Posts

SOX Internal Controls Documentation
Role of Process Owners in SOX Compliance
Section 404 Best Practices
Indirect Company Level Controls