404 documentation 744

  • I was wondering if somebody could help me figure out what documentation is needed to be compliant with section 404. I’m an intern at an insurance company, and my job is to basically revise the documents they’ve come up with if necessary, and suggest improvements in order to optimize them if possible. Basically, what they have so far is a risk assessment document that includes a long list of risks, the internal controls used to address those risks, and a number of other details about the impact and likelihood of the risks. They also have a pretty general description of different business processes in their respective departments, but the descriptions do not provide any real information about the flow of information or description of IT repsonsibilities.
    I understand that documentation is supposed to address the control environment, risk assessment, control activities, information and communication, and monitoring, but I’m pretty confused as to how I go about doing that. Are company level assessment questionaires a good idea? I’m trying to find something worth documenting, and I’d really appreciate any input that somebody might have. Thanks.

    • Chris

  • Hi CD,
    From my experience and based on what you said, I believe that you almost in a acceptable shape. Let s
    1 analysis of the risks inherent, likelihood of occurence and the internal controls addressing such risk - done
    2 - documentation on the flow of information - a split by processes/transactions that impact your financial statements. Not all the controls need to be hightlighted and tested but only the ones that are critical and material to the production of the FS and Disclosures. KEEP REASONABLENESS IN MIND.
    3 -Testing to be performend by management (process owners or internal auditors) on the efficiency of the control design and operativeness. whether the critical control identified is appropriate to mitigate the risk and works properly. Evidences of this testing to be documented and kept for review by the external auditors…
    While documenting the processes, do not hesitate to refer to the environement controls (training, ethics, written policies and procedures …)that you might have in place that impacts that process and pervasive controls (segregation of duties, assigned responsibilities, passwords, safeguard of assets…).
    I believe that is it - at least what we have done so far - result clean certifications by the end of 2004.

Log in to reply