SOX Section 404 — Internal Control over Financial Reporting Narrative

    Overview

    Draft and validate management’s assessment of Internal Control over Financial Reporting (ICFR) per SOX §404, aligned to the COSO 2013 framework and PCAOB AS 2201. Produces process narratives, risk-control matrices (RCMs), and control descriptions for each significant account and business process.

    Example Conversation

    You: We need to draft the SOX 404 process narratives and RCM for our revenue/order-to-cash cycle. We want COSO principle mappings and ITGC coverage. Can you draft and validate?

    Agent: I’ll draft the process narrative for the order-to-cash cycle (order entry, credit, shipping, invoicing, cash receipts, close), identify key risks and controls (preventive and detective), build the RCM with assertion linkage, frequency, type, and COSO principle mappings, and include ITGC controls for change management, access, operations, and SDLC. Then I’ll run rcm_coso_coverage_check.

    Agent: Created revenue-rcm-draft.md. Running rcm_coso_coverage_check.

    Agent: Check FAIL — COSO Principles 8 (fraud risk) and 15 (external communication) have zero mapped controls. I’ll add a fraud risk control (REV-010, detective, quarterly management review of credit memo patterns) mapped to Principle 8, and an external communication control (REV-011, quarterly investor/auditor communication) mapped to Principle 15.

    Agent: Re-ran rcm_coso_coverage_check: PASS — all 17 COSO principles covered, all controls have assertion linkage, frequency, and type, and all four ITGC domains are referenced.

    What the Tools Validate

    The skill includes one extension tool:

    rcm_coso_coverage_check validates the RCM and process narratives across four dimensions:

    • COSO principle coverage (1–17) — Every COSO 2013 principle must be referenced by at least one mapped control. Reports which principles have zero controls.
    • Assertion linkage — Each control ID (e.g. REV-001) must include a financial statement assertion keyword (existence, completeness, valuation, rights, accuracy, cutoff, etc.).
    • Frequency and type — Each control must specify an operating frequency (daily, monthly, quarterly, etc.) and a type (preventive or detective).
    • ITGC domain coverage — All four ITGC domains must be addressed: change management, access, operations, and SDLC.

    Output: Per-check PASS/FAIL with an overall result. For each failing check, the report lists specific control IDs or principles that need attention. Run on the RCM draft; fix gaps and re-run until the overall check passes.
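    The four checks above, implemented as a small validator over an RCM in the markdown table layout shown on this page. This is an added example written for this page, not the skill's own rcm_coso_coverage_check; the sample RCM text, the assertion/frequency keyword lists and the exemption of ITGC rows from direct assertion linkage are assumptions.

```python
import re

ASSERTIONS = ("existence", "completeness", "valuation", "rights", "accuracy", "cutoff", "occurrence")
FREQUENCIES = ("per transaction", "per change", "daily", "weekly", "monthly", "quarterly", "annually")
ITGC_DOMAINS = ("change management", "access", "operations", "sdlc")
CONTROL_ID = re.compile(r"^[A-Z]+(?:-[A-Z]+)*-\d+$")  # e.g. REV-001, ITGC-CM-01
COLUMNS = ("id", "description", "assertion", "risk", "frequency", "type", "coso")

SAMPLE_RCM = """\
## Revenue / Order-to-Cash - Risk-Control Matrix (constructed sample, not a real RCM)
| Control ID | Description | Assertion | Risk | Frequency | Type | COSO Principle | Owner |
|---|---|---|---|---|---|---|---|
| REV-001 | Credit limit check before order processing | Existence, Accuracy | Unauthorized shipment | Per transaction | Preventive | P10 | Order Mgmt |
| REV-003 | Monthly reconciliation of AR sub-ledger to GL | Completeness, Existence | Misstatement | Monthly | Detective | P16 | Controller |
| REV-004 | Review of period-end shipments | Cutoff | Early recognition | Monthly | | P10 | Controller |
## ITGC - Change Management
| ITGC-CM-01 | CAB approval for production changes | - | Unauthorized change | Per change | Preventive | P11 | IT Director |
"""

def parse_controls(markdown):
    """Collect every table row whose first cell is a control ID; headers and separators are skipped."""
    rows = []
    for line in markdown.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= len(COLUMNS) and CONTROL_ID.match(cells[0]):
            rows.append(dict(zip(COLUMNS, cells)))
    return rows

def check_rcm(markdown):
    """Run the four coverage checks; returns per-check findings (empty list = PASS) and an overall flag."""
    controls = parse_controls(markdown)
    mapped = {int(n) for c in controls for n in re.findall(r"P(\d+)", c["coso"])}
    # Assumption: ITGCs support application controls indirectly and are not held to direct assertion linkage.
    app_controls = [c for c in controls if not c["id"].startswith("ITGC-")]
    report = {
        "missing_principles": sorted(set(range(1, 18)) - mapped),
        "no_assertion": [c["id"] for c in app_controls
                         if not any(a in c["assertion"].lower() for a in ASSERTIONS)],
        "no_frequency": [c["id"] for c in controls
                         if not any(f in c["frequency"].lower() for f in FREQUENCIES)],
        "no_type": [c["id"] for c in controls if c["type"].lower() not in ("preventive", "detective")],
        "missing_itgc": [d for d in ITGC_DOMAINS if d not in markdown.lower()],
    }
    report["overall"] = "PASS" if not any(report.values()) else "FAIL"
    return report

if __name__ == "__main__":
    for check, finding in check_rcm(SAMPLE_RCM).items():
        print(f"{check}: {finding}")
```

    On the constructed sample the result is FAIL: thirteen principles have no mapped control, REV-004 lacks a type, and only the change management ITGC domain is referenced.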

    Output Excerpt

    Excerpt from a generated RCM and sample validator report.

    Risk-control matrix (excerpt):

    ## Revenue / Order-to-Cash — Risk-Control Matrix
    
    | Control ID | Description | Assertion | Risk | Frequency | Type | COSO Principle | Owner |
    |-----------|-------------|-----------|------|-----------|------|----------------|-------|
    | REV-001 | System validates order against credit limit before processing | Existence, Accuracy | Unauthorized shipment | Per transaction | Preventive | P10 | Order Mgmt |
    | REV-002 | Three-way match (PO, receipt, invoice) before payment release | Completeness, Valuation | Duplicate/erroneous payment | Per transaction | Preventive | P10, P12 | AP Manager |
    | REV-003 | Monthly reconciliation of AR sub-ledger to GL | Completeness, Existence | Misstatement of receivables | Monthly | Detective | P16 | Controller |
    
    ## ITGC — Change Management
    
    | Control ID | Description | Assertion | Risk | Frequency | Type | COSO Principle | Owner |
    |-----------|-------------|-----------|------|-----------|------|----------------|-------|
    | ITGC-CM-01 | Change advisory board approval for production changes | — | Unauthorized change | Per change | Preventive | P11 | IT Director |
    

    rcm_coso_coverage_check report (excerpt):

    === COSO Principle Coverage (1–17) ===
    Result: PASS
    All 17 COSO 2013 principles are referenced.
    Covered (17/17): 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17
    
    === Assertion Linkage ===
    Result: PASS
    All detected controls have assertion linkage.
    Controls with assertions: 12
    Controls without assertions: 0
    
    === Frequency & Type ===
    Result: PASS
    All detected controls have frequency and type specified.
    
    === ITGC Domain Coverage ===
    Result: PASS
    All four ITGC domains are referenced.
    Covered: change management, access, operations, sdlc
    
    OVERALL: PASS — All coverage checks passed.
    

    Getting Started

    Add your source materials to the project workspace (prior-year RCMs, process documentation, audit findings), then activate the SOX Section 404 — Internal Control over Financial Reporting Narrative skill. The agent will guide you through scoping, narrative drafting, RCM population, COSO mapping, and running rcm_coso_coverage_check to validate completeness.
