In the Sarbanes-Oxley business forums, some resources were shared that can help companies meet these regulatory requirements in an effective manner. These links are "must reads" for anyone having to support SOX 404 requirements.
Sarbanes-Oxley compliance - PCAOB Audit Standard 5 resources
http://www.pcaob.org/Rules/Docket_021/2007-05-24_Release_No_2007-005.pdf
http://www.sec.gov/rules/interp/2007/33-8810.pdf
http://en.wikipedia.org/wiki/SOX_404_top-down_risk_assessment
http://en.wikipedia.org/wiki/Auditing_Standards_Board
http://www.itcinstitute.com/display.aspx?ID=3600
http://www.google.com/search?hl=en&q=pcaob+as5
QUOTE: In financial auditing of public companies in the United States, SOX 404 top-down risk assessment (TDRA) is a financial risk assessment performed to comply with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX 404). The term is used by the U.S. Public Company Accounting Oversight Board (PCAOB) and the Securities and Exchange Commission (SEC). The TDRA is used to determine the scope and required evidence to support management's testing of its internal controls under SOX 404. It is also used by the external auditor to issue a formal opinion on the company's internal controls. However, as a result of the passage of Auditing Standard No. 5, which the SEC has since approved, external auditors are no longer required to provide an opinion on management's assessment of its own internal controls.