How to Comply with Sarbanes-Oxley Section 404: Assessing the Effectiveness of Internal Control

I have not finished reading this but I like it so far. It is very technical and seems to be very accurate. It could be slightly dated with the new SEC guidance and AS-5, but from what I see so far, the author's approach was a little ahead of his time as he seems to propose methodology similar to the new guidance. Novices and seasoned pros should also read Sarbanes-Oxley For Dummies (For Dummies (Business & Personal Finance))

Sarbanes-Oxley is now a couple of years old. In that time companies have struggled to understand not only the letter of the law, but what it really means in terms of what the Government and the courts really want. This book is not a primer on Sarbanes-Oxley, in fact it presumes that you have some understanding of what that's all about. Only the first three chapters have an overview of what is required with particular attention to the internal control aspect. It is at the same time it is a summary of the internal control requirements, a guidebook to their implementation, and a reference based on practical experience. While you could probably get all of the information contained in this book from a seminar or two, spending a bit of time on the web, and talking to associates, in this book everything is collected together in a single, quite readable volume that presents a well thought out coherent review of what Section 404 is all about.

Author Michael Ramos provides comprehensive, meticulously detailed information. He offers a detailed guide to evaluating your company's internal controls. He addresses Sarbanes-Oxley Section 404 legislation, as well as associated Security and Exchange Commission (SEC) and Public Company Accounting Oversight Board (PCAOB) regulatory requirements, even covering the COSO and COBIT reporting frameworks. While expert and exhaustive, the book suffers from a dense, academic writing style. We suggest it to those who seek a very detailed compliance overview and who already have experience with understanding auditing standards and related governmental regulations.

Let's face it. Most people think that auditors are lifeless, unemotional drones who move with a single minded efficiency in reviewing financial records, controls and other sundry items to ensure that the financial statements of a company are free of material misstatements and that they are accurate. In fact, Andersen auditors were often referred to as "Andersen Androids". But for most people in a corporation, that was fine because they had no real need to worry about or understand accounting and business control concepts. Put an auditing textbook in front of them and you could watch their eyes glaze over. Section 404 of the Sarbanes-Oxley (SOX) Act changes all of that, especially for line of business managers and information technology professionals. Every day I talk to people who are faced with trying to understand SOX and implementing systems to support SOX requirements. There is often frustration in their voices or emails as they lack an effective roadmap. In How to Comply with Sarbanes-Oxley Section 404: Assessing the Effectiveness of Internal Controls (290 pages, John Wiley and Sons, Inc, 2004. 290 Pages), Michael Ramos sets out to provide an understanding of how Section 404 of SOX came to be, what it requires, what is not required, and a roadmap for assuring compliance. It is not an easy task to present a comprehensive guide to aid with Section 404 compliance, but Ramos delivers in this book in ways that many others have tried and failed. Ramos is a CPA and an auditor by training and background. He starts from the explaining the responsibilities of an information systems auditor and very basic concepts of business controls, which allows every reader of the book to start with a common framework. His writing leads a reader to integrate, weave and understand what controls are and how they fit into the compliance process. He writes it in a way that does not talk down to the reader, but engages them in a thoughtful conversation as a good teacher would in a classroom. The book is intended to be a guidebook and a reference and its utility for this purpose will not disappoint. After laying the groundwork, Ramos leads the reader through every step of the audit processes associated with Section 404 compliance. He helps the reader understand what the auditor will be looking for and reviewing. He examines the role of automated compliance tools, including the pros and cons of their use. He helps the reader to understand the different types of controls, the different kinds of risk and what "materiality"means when reporting deficiencies. In fact, if there is one lesson to take from this book for non-auditors, materiality is not based on what YOU think is a deficiency that will impact your view and acceptability of a system, but the view of the users of a system and/or any information generated by the system. Who should read this book? It should be read by ALL C-level officers of an organization so they understand the concepts and the processes. I

This book does not much dwell on the details of Sarbanes-Oxley - the reader is assumed to have an understanding of the salient details - but, instead lays out a comprehensive action plan for complying with Section 404.The author begins with three chapters covering the overall goals and objectives, roles and responsibilities, assessment issues, and an excellent chapter about internal control criteria. Each of these chapters ends in appendices that support the compliance initiative. Milestones, covered in Chapters 3 through 7, are clearly defined with respect to what it will take, key issues, and appendices that provide examples, guidelines, checklists and other material that support compliance. I was impressed by the straightforward approach, the complete and clear identification of all issues - and especially so regarding IT, developing documentation, and testing the controls - and the fact that the control objectives were carefully mapped to the COSO Framework.If you want a realistic view of the scope and complexity of Section 404 compliance this book will provide it. If you are an IT professional I strongly recommend visiting Information Systems Audit and Control Association (ASIN B00006BW74), which makes available a free 84-page document titled "IT Control Objectives for Sarbanes-Oxley". For more general information, there is a commercial site that provides news and updates on Sarbanes-Oxley issues (ASIN B0000AM23N), as well as the Public Company Accounting Oversight Board (ASIN B00013Y80Y), which provides rule making information and a means to comment on proposed rules. You can reach these sites by pasting the ASIN numbers in the search box at the top of this page, selecting all products and clicking GO.