At an annual conference last week sponsored by Financial Executives International on current financial reporting issues, panelists shared tips and best practices gleaned from their first-year experience complying with Section 404 of Sarbanes-Oxley.
Hanish
“The No. 1 key to sustainability for our company is the tone at the top,” said Arnold Hanish, chief accounting officer at Eli Lilly and Co. He said Lilly has established a culture in which 404 compliance is not just a financial exercise, but an issue for the entire business to address.
David Richards, president of the Institute of Internal Auditors, agreed that tone at the top and the environment encouraging ethical behavior are among several Year Two issues that need work at many companies. He also pointed to the need for better fraud detection and deterrence, and greater direction and focus for the new responsibilities of audit committees. Richards also noted that identification and monitoring of key controls, improved analysis of results under tight reporting deadlines, and enterprise-wide training were areas that still needed attention.
Brod
Those sentiments were echoed by corporate executives, who acknowledged that the operationalization of SOX was critical to compliance. Frank Brod, vice president and controller for Dow Chemical Co., noted that Dow has already conducted training in various functional areas, including operations, to assure the entire organization understands the SOX imperatives associated with what they do.
Marsha Hunt, vice president and controller for $8.4 billion engine maker Cummins, said she’d seen firsthand the clash that can occur when, for example, operations wants to make systems improvement, but the SOX implications make it impractical or impossible. “It’s difficult to explain to the operations people why we can’t make improvements to their systems because of the way it would affect financial reporting,” she said.
Control Selectivity
FEI issued two reports at its conference last week on Section 404 issues. In the first, titled “Sarbanes-Oxley Section 404 Compliance: From Project to Sustainability,” FEI’s Committee on Corporate Reporting says companies are adopting a more risk-based, top-down approach to internal control assessments in their second year of testing and reporting.
“While the effort to comply with Section 404 has provided some valuable insights, the time redeployment of people and other costs associated with the implementation in 2004 are generally viewed by [committee] members,” the report said.
The Committee convened a special session in September to review first-year compliance and examine ways to apply Year One lessons to the Year Two compliance process, ultimately to make the compliance process more sustainable for the long-term.
Companies said that for the second round, they are establishing a hierarchy of internal controls, and are being more selective in the controls they test. For example, companies said they are identifying lower risk areas where reliance on testing of company level controls is sufficient, reducing the need to test routine transactions. During the FEI conference, Hanish said Eli Lilly has reduced by 25 to 40 percent the number of controls it regards as “key,” and it’s not finished culling the list.
Companies also are assessing the transaction-level controls to determine where some may be redundant, and therefore combined or eliminated without sacrificing control coverage, the committee report said. In addition, companies are taking some lower-risk accounts out of the scope of internal control testing, increasing reliance on automated over manual controls, and finding a balance between effective internal control and the number of key controls.
Voluntary Disclosures
Beyond key controls, companies also are looking for process improvements in risk assessment, segregation of finance-function duties, information systems, relationships with the auditor, and management testing of controls.
In a separate study titled “Management’s Reports on Internal Controls,” the Financial Executives Research Foundation reviewed nearly 200 10-K and 10-K/A filings to look for predominant practices in management’s reports on internal controls. It found every company used the same, commonly accepted framework developed by the Committee of Sponsoring Organizations of the Treadway Commission and that most audit firms, except PricewaterhouseCoopers, issued separate audit reports for financial statements and internal controls.
FERF found companies following different approaches, however, when it came to management’s reports. “While all included statements required by the SEC, many also included statements regarding limitations of internal controls, references to specific SEC statutes, descriptions of the purpose of internal controls, and definitions of material weaknesses, or other internal control assessment terms,” the report said. “Many firms added specific voluntary disclosures about internal control and ethics initiatives.”
The analysis revealed about half of the sampled issuers, 102 companies, reported no control deficiencies while 93 companies reported material weaknesses. Only three companies reported control deficiencies only.
No comments yet