Now that most accelerated filers are coming down the homestretch regarding Section 404 of the Sarbanes-Oxley Act, it’s worth looking at what companies have experienced, and how they’re building on lessons they learned from last year’s efforts. And though there’s still work to do, patterns and trends are emerging that show how companies are dealing with what continues to be viewed as an onerous, burdensome requirement.
An Evolving Mindset
Aside from the frustration and annoyance still prevalent among those involved with 404 compliance, at least four psychological shifts are observable:
- Acceptance—The first is grudging acceptance that the requirements of Section 404 are here to stay. Despite outcries of excessive and unnecessary cost, it has become clear that legislators and regulators—while willing to slightly shift effective dates—continue to believe that the benefits of internal control reporting to the investing community outweigh the costs.
- Isolation—Second is a recognition that there will be little help, at least in the near term, from the SEC or PCAOB in significantly reducing the impact of the existing rules. While hopes were high before the May 2005 issuances by those regulatory bodies, there was general disappointment in the result. Yes, emphasis on taking a top-down and risk-based approach has helped to rationalize scope decision-making, and clarity around the relationship between IT general controls and application controls has allowed more efficient controls testing; however, the rules and direction previously in place continue on.
- Comfort—While frustration persists, it also appears that a growing number of corporate officers may be realizing the benefit of 404. That’s according to one study, that showed executives were more comfortable signing the required financial statement certifications in part because they have more confidence in their company’s internal control over financial reporting.
- Benefit—With more executives realizing that 404 is not going anywhere, many are looking to see how they can use the process to work smarter, and to do so with less cost and greater benefit. I know, I know: experts have been talking about “getting ROI from 404” for the past two years. But now some companies actually are taking it seriously.
As companies have contended with the 404 compliance exercise, they have changed their tactics in significant ways.
The first regards adequate resources and effective leadership. For the most part, the mistakes of “Year One”—which had many companies late to the party—were not made this time around. That wasn’t always the case; management at some companies was so frustrated with the time and effort expended in Year One that—soon after filing their 2004 reports—they went back to their “day” jobs, and eventually found themselves behind the eight ball once again. But many companies recognized the need for timely planning and resource allocation with dedicated leadership. A significant number allowed the chief audit executive to return to his/her important responsibilities, appointing a 404 leader—sometimes called “chief internal control officer”—to manage the ongoing 404 compliance efforts, with internal audit providing a support and monitoring role.
The second major shift regards clarity around ownership; namely, who in the organization owns internal control over financial reporting, with primary responsibility for control effectiveness. It now has become more commonplace for leaders of line operations and functional units to take on this responsibility, with a chief internal control officer, corporate controller, chief audit executive and compliance officers each having important support and coordination roles. In many cases it’s now the line that is responsible for documenting and testing business process controls in their spheres of responsibility, with additional testing and monitoring performed by others.
And the third shift regards discipline, specifically as it pertains to board oversight and involvement. When it comes to SOX 404, it’s difficult to say that audit committees were more deeply involved in 2005 than in 2004, because, indeed, most were actively involved in Year One. But we have seen a more disciplined focus, with periodic check points and discussions of progress, status, and ongoing needs to get the job done effectively.
Many companies have also done a better job of tackling the minutiae of the 404 compliance process. That’s partially because chief internal control officers are viewing 404 compliance as more of a journey, instead of a one-time destination. With such an outlook, the 404 leaders anticipate gaining greater knowledge over time, resulting in more effective planning, better coordination, and making incremental improvements over the course of several years.
Among the areas of improvement thus far are:
- More Effective Project Planning—Decisions on scoping are being made earlier in the year, resource commitments have accelerated, and assignments and schedules are more fully developed and—importantly—adhered to.
- Better training— Project team members are receiving deeper education on the company’s business processes, on the design of the 404 plan, and its implementation. They’re also getting better training on the internal control framework published by the Committee of Sponsoring Organizations of the Treadway Commission. Additionally, line and functional staff personnel are being more thoroughly trained in their responsibilities, particularly on internal control concepts and methodologies for documentation and testing.
- Uniform Language—A key prerequisite to effective training—as well as an important topic to be covered in the training—is having common terminology. Companies have learned that communicating across the organization is hampered when employees have very different meanings for the same words.
- Centrally Developed Protocols—Organizations with multiple business units, especially those with foreign or widely-dispersed operations, are developing methodologies, tools, and guidance on what is expected during the 404 process, and how employees throughout the organization are expected to carry out designated responsibilities. Further, more of the scoping decisions are being made centrally.
- Common Process Documentation—Another series of decisions being made at the corporate center relates to process documentation. Some companies are looking at commonalities across business units—such as procure-to-pay or order-to-cash processes—to identify and highlight one unit with particularly good documentation. That corporate “best practice” is then provided as an effective starting point to other business units.
- Integration With Audit—The 404 leader is coordinating early with both internal and external auditors, ensuring that responsibilities and commitments are fully understood and agreed to. As a result, some of the strain in client-auditor relationships has begun to dissipate, as both have gained conceptual and practical knowledge about internal control and what needs to be done.
With a better understanding of a company’s internal control systems—combined with the guidance from the SEC and PCAOB—many companies have found they can reduce the number of controls that need to be tested. And while some continue to use the low threshold of “significant deficiencies” in determining which controls to test—on the basis that a series of significant deficiencies taken together can result in a material weakness—there’s a trend towards raising the bar to the “material weakness” level.
As noted, there has been more testing by the business process owners. While this strengthens the sense of ownership by the line managers, there is a downside: decreased auditor reliance. That’s because, as the independence of the individuals doing the testing decreases (where “decreased independence” is a shortened distance between the individuals who designed and executed the controls and those who tested them) so too does the auditor’s ability to rely on that work.
Another key change this year was companies’ ability to get to the remediation process earlier. Lessons learned in Year One, during which remediation sometimes wasn’t done in time for retesting by management or the auditor, are paying dividends in 2005.
A quick word on smaller public companies. With the recent deferral until the 2007 timeframe, executives of non-accelerated files are breathing a collective sigh of relief; they’ve gotten a reprieve, and many suspect they can focus on the core business throughout 2006 and worry about 404 the following year.
But the more knowledgeable of these executives knows two things. First, they will need a significant amount of time to understand the rules, digest the lessons of accelerated filers, and outline their own compliance plans. And, second, they recognize that despite efforts initiated by the SEC, there’s likely little real help on the way. The forthcoming guidance from COSO for small businesses is not going to be a “COSO lite”; rather, it will simply be guidance on how the COSO internal control framework may be applied in a small business environment. The standard for internal control effectiveness is not going to change, even if guidance on its application may be forthcoming.
Though we’ve just looked at some of the emerging thinking and changes in direction that companies are taking in connection with 404 compliance, we’ve yet to address some of the most critical matters. In Compliance Week’s December edition, we’ll take a look at what companies are doing to shift SOX 404 from a yearly project to an ongoing, readily sustainable process. We’ll also review the search for a “technology solution,” and will look at how companies are—for better or worse—shifting their focus to Section 302 of SOX. And, finally, we’ll look at what’s happening with the cost of 404 compliance, and will see what some companies are doing to leverage their investment in 404 to gain business benefit. Impossible you say? Perhaps, but some believe they’re doing exactly that …
The column solely reflects the views of its author, and should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.
What did you think of this column? If you'd like to react or respond, we urge you to write a letter to the editor.