HR Also Impacted by Sarbanes-Oxley Section 404


September 2004 (Financial Executive) - In June of 2003, the SEC published its final rule to implement Section 404 of the Sarbanes-Oxley Act of 2002, which requires management of a public company to report annually on the effectiveness of the company's internal controls over financial reporting.



The rule also requires the company's registered public accounting firm to attest to, and report on, management's assessment. Management's internal control report and the independent auditor's related attestation report are required to be included in the company's annual report filed with the SEC. For most public companies, certain human resource accounts are significant, requiring management to document and assess the related processes and controls impacting those accounts.

Finance departments should be working in conjunction with HR departments to coordinate a company-wide Section 404 effort to determine whether HR accounts should be considered significant accounts and to gain an understanding of the level and form of required documentation. To comply with Section 404, HR departments will need to gain a full and comprehensive understanding of these new reporting requirements, and Finance departments will need to fully understand the impact of HR programs.

Evaluation of internal controls related to HR accounts should be consistent with the methodology used throughout the entire organization. The following sample methodology describes the steps for evaluating HR as part of the enterprise-wide compliance initiative:

1. Understand the Definition of Internal Control

The most widely accepted definition of internal control, promulgated by the Treadway Commission of Sponsoring Organizations (known as "COSO"), is: "a process - effected by an entity's board of directors, management and other personnel - designed to provide reasonable assurance regarding the achievement of objectives in three categories: 1) effectiveness and efficiency of operations, 2) reliability of financial reporting and 3) compliance with laws and regulations." Section 404 requirements focus on controls that address financial reporting objectives.

2. Organize a Project Team to Conduct the Evaluation

Companies should form cross-functional project teams to plan and conduct the internal control evaluation. The HR function should be appropriately represented on this team, particularly if HR accounts are expected to be significant.

3. Evaluate Internal Controls at the Entity Level

The project team should review the five components of internal controls that have a pervasive effect at the top level of the organization. These include:

  • Control environment
  • Risk assessment
  • Information and communication
  • Control activities
  • Monitoring

4. Understand and Evaluate the Internal Control at the Process, Transaction and Application Level

Major transactions and processes related to significant accounts, including HR accounts, should become the primary focus for the evaluation of internal controls over financial reporting. While certain HR accounts have a direct correlation to the financial statements - such as pension and other post-employment benefits (OPEB) liabilities - it is important that all HR accounts are reviewed to determine their significance. The project team should determine the financial statement assertions that are relevant to each of the significant HR accounts or groups of accounts and identify the major classes of transactions and related processes and accounting activities that influence these significant accounts. The following factors should be considered:

  • The likelihood of errors
  • Size and composition of HR accounts
  • Susceptibility to loss or fraud
  • High transaction volume
  • Complexity of transactions
  • Subjectivity


5. Document Significant Transactions and Processes


The objective of this step is to document how major classes of transactions are initiated, recorded, processed and reported for those HR accounts deemed significant. In certain companies, one or more of the following functional processes overseen by the HR department may be deemed significant. These include:

  • Defined Benefit Pension Plans
  • Defined Contribution Plans (401(k), etc.)
  • Health and Welfare Plans (medical, dental, vision, disability, etc.)
  • OPEBs (retiree medical programs, supplemental executive retirement plans, etc.)
  • Stock Compensation Programs (stock options, restricted stock, stock appreciation rights, phantom shares, etc.)
  • Workers Compensation

Each of these functional processes can have a significant impact on a company's cash flow, tax liability and P&L. For example, the funding status of a pension plan can have a dramatic impact on a company's earnings. A 2002 Milliman survey of 100 large companies demonstrated that the pension assumptions and accounting methods resulted in a collective income increase of $3.3 billion. However, only a slight modification could have resulted in a reduction in the collective pre-tax earnings by $5.7 billion.

For each significant process, the project team should identify the points where data is initiated, transferred or otherwise changed and where there can be a failure to achieve financial statement assertions. That is accomplished by asking, "What can go wrong?" in the processing stream. This will help identify where controls may be needed to reduce risks of material error.

It is important to remember that each enterprise's HR department is different, with different responsibilities. Some departments are centralized, while others are decentralized in both geography and responsibilities. Moreover, there are potential global implications based on the HR department structure. Therefore, it is crucial to analyze each functional process and document the determination of its significance.

Appropriate documentation may include input sources, data files, processing procedures, key output files and reports, process models, flow charts, narratives, procedure manuals, job descriptions, key assumptions and check lists.

The objective is to identify the controls that provide reasonable assurance that errors are prevented or detected and corrected. The project team's documentation of controls should provide a description of each control; how the control is performed; who performs the control; what data reports, files or other materials are used in performing the control; and what physical evidence, if any, is produced as a result of performing the control.

Project teams should also walk through each process and the related controls from the point at which the major classes of transactions are initiated to the end of the recording process, to confirm their understanding and the accuracy of the documentation obtained.

6. Evaluate the Overall Effectiveness of the Internal Control, Identify Matters for Improvement and Establish an Effective Monitoring System

The final phase is an overall assessment of the effectiveness of controls based on the results of the detailed evaluation performed at the process level. The controls selected for testing will be those that provide reasonable assurance that financial statement errors are prevented or detected. The team should identify any needed enhancements and agree upon a plan of action for addressing any control deficiencies.

Finally, the company should put mechanisms in place to continually monitor and maintain the system of internal controls on an ongoing basis, with the full cooperation and participation of the HR department.

2004 Financial Executive. via ProQuest Information and Learning Company; All Rights Reserved
