When engaged in an ambitious effort, be it climbing a mountain, building a house, or writing a novel, many people have a tendency to quicken their pace once the long-sought goal finally comes into view. The same holds true for Sarbanes-Oxley Section 404 compliance projects. Many months have gone into documentation, testing, and remediation, and now the first reporting deadline lies just ahead, looming like a summit after a lengthy and difficult ascent.
But this urge to accelerate on the final approach, while understandable, should be resisted. A stumble over the last few meters can undermine all the work and effort of the miles that preceded it. You don’t want to break an ankle before you get a chance to plant the flag.
Where are the loose rocks and treacherous patches that have sent some companies sprawling? Deloitte & Touche’s field experience with over 700 Section 404 readiness projects, coupled with our analysis of over 400 corporate disclosures filed with the Securities and Exchange Commission, has identified ten hazards that you should highlight on your compliance trail map.
Shallow And Narrow Approaches
If your 404 project isn’t deep—driven from the boardroom all the way down to the loading dock—and long—built for both short-term compliance and long-term sustainability—and wide—extending to every far-flung corner of your organization—then it’s insufficient. You should infuse your good governance message throughout the culture, while remembering that it’s people who make it happen. Pay particular attention to your project’s human resource component: You should hire, develop, and effectively manage enough staff with knowledge of internal control to achieve continuous and ongoing compliance.
Risk (Assessment) Aversion
Considering risk assessment’s prominent place in the COSO internal control framework, it’s surprising how many companies give this area short-shrift. But be forewarned that your independent auditors aren’t likely to suffer a similar lapse. Establishing a formal, systematic risk identification and management program is a nonnegotiable element of Section 404 compliance. Try looking at it this way: If you haven’t undertaken a risk assessment process, then how can you design effective procedures to address those risks?
Unaccountable Accounting
Controls over routine bookkeeping and accounting chores—payroll, accounts payable, and the like—generally present fewer challenges to effective internal control. Problems can arise, however, when underqualified staff tackle unusual, highly complex transactions. Mergers and acquisitions, divestitures, plant closures, complex compensation plans, and more all require technical accounting knowledge that many organizations lack. Errors in recording such transactions can obligate you to restate your reported results, with the predictable negative repercussions.
Clashing Cultures
A merger or acquisition presents a particularly challenging environment for maintaining effective internal control. Every facet of the integration effort—employee training, system integration, data migration, process redesign, and more—carries potential internal control risks. Unfortunately, organizations whose resources are already stretched thin by the other demands of integration frequently relegate internal control to the back burner, which can result in significant control deficiencies that may not be discovered until late in the 404 compliance process.
Not Getting “IT”
Due to the ubiquity of information technology in business today, flaws in IT controls design, execution, and governance can easily sabotage reliable financial reporting. The more complex your company’s IT environment, and the less attention you have previously paid to IT controls, the more IT control gaps are likely to exist—and the more challenging they will be to fix. Add to the mix the need for specially trained individuals to maintain and upgrade IT systems and their controls, and you have a situation that demands particular attention and significant resources.
Disorderly Disclosures
The regulatory and legal changes imposed on business in the past few years have been substantial, if not unprecedented.
Among the more daunting challenges is the increased frequency and complexity of required financial disclosures, which may necessitate technical accounting skills beyond those available in-house. To pass Section 404—and 302—muster, your company needs a rigorous process for collecting and organizing the information required to prepare the disclosures, as well as qualified personnel (either in-house or outsourced) to execute the procedures.
Closing Without Closure
The financial closing process is an inherently high-risk activity. You must obtain, analyze, and consolidate information from multiple sources, carry out reconciliations, make adjustments, and perform other complicated, often highly judgmental tasks, all within a compressed timeframe. Under such circumstances, the process can easily degenerate into a fire drill in which internal control procedures become an afterthought. The solution? Create formal, well-documented procedures for executing and recording both the financial closing process and its associated control activities. And carry them out religiously.
Problematic Procedures
Most established companies have well-documented accounting policies and procedures, but far fewer consistently review and revise them. Unfortunately, while your manuals remain stagnant, the regulatory and business environment continually evolves, leaving your company with outdated or irrelevant information. Other related problems include policies and procedures that are inconsistently designed and/or applied, that fail to cover the full set of processes relevant to financial reporting, or that lack the necessary range of guidance and direction. Any of these weaknesses can be fatal to your Section 404 compliance efforts.
Out-Of-Sight Outsourcing
If your company outsources payroll, order fulfillment, or other business functions, you may have relieved yourself of the burden of performing these activities, but you haven’t relinquished the responsibility for internal control over them. As far as Section 404 is concerned, an outsourced business process is no different from one handled internally—if it impacts your financials, you are responsible for ensuring that the controls are effective. In certain favorable circumstances, you may be able to get a SAS 70 (type 2) report from your provider, which documents the design and operating effectiveness of their internal controls over financial reporting. If you are less fortunate, you may need to directly test the controls at your outside service provider yourself. It’s a tricky distinction; if you are unsure, consult your business advisor.
Boards Not On Board
Not so long ago, board and committee memberships were considered plum assignments rather than true labor. But Sarbanes-Oxley and other regulations have significantly altered that perception. Today, the requirements and qualifications have been raised. Members are expected to understand the nature of financial reporting risks and the function of internal control; they must be prepared to ask tough questions; they must attend many more meetings of longer duration. Auditors and regulators will be scrutinizing your membership because they know that weak boards are both a cause and a symptom of poor corporate governance.
While the above is by no means a comprehensive listing of the hazards you might encounter in your Section 404 project, in our experience these items are among the most common. Attention to these issues will keep you surefooted on the path to compliance.
The column solely reflects the views of its author, and should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.
What did you think of this column? If you'd like to react or respond, we urge you to write a letter to the editor.
No comments yet