Earlier this month, the SEC extended the compliance date for the internal control provisions of Sarbanes-Oxley. Accelerated filers will now need to comply for their first fiscal year ending on or after Nov. 15, 2004. The original compliance date was June 15.

This week, we talk to Jefferson Wells CEO Owen Sullivan — whose firm provides internal auditing and compliance services for hundreds of companies — about the implications of the delay, and the status of most companies' compliance efforts.

Rumors of a Section 404 delay recently became fact. How do you think it will impact company processes?

This delay affects only those companies with June through October year-ends. These companies should use the additional time to effectively address remediation and ensure that everyone in the organization is adequately educated on which processes have been documented, the status of testing and the types of remediation that are surfacing.

Companies with November and December year-ends should not have to do anything differently provided they already have good game plans in place.

Where are most (June 30) companies when it comes to the SOX 404 process? Are companies generally behind schedule?

The February 2004 survey we conducted with the Institute of Internal Auditors found that most of the 200 respondents were deep into the documentation process and a significant portion were already well into testing and remediation.

Our experience with companies that were granted an extension by the SEC last year is that they often stopped or reduced their readiness efforts to a greater extent than was appropriate. Many of these companies are now finding themselves somewhat behind schedule as a result of slowing down their activities.

The skills and resources needed to identify and evaluate controls are in great demand and simply not available in most companies; many need to rely on external resources to get the job done. Based upon lessons learned, it would be in a company's best interest to remain focused and diligent in proceeding with their Sarbanes compliance.

Do you think a delay will make any difference in the quality of company controls, or the systems they utilize to monitor them?

The delay will provide some companies the opportunity to address the quality of their project — but not all will take advantage of the additional time.

Those who do should use it to work closely with outside auditors in identifying areas that require remediation and to focus on process improvement opportunities that have been identified through their documentation and testing.

In our February survey, more than 50 percent of respondents noted they are using some sort of software tool to support Section 404 compliance. While software tools can be valuable, they require time for configuring, testing and training.

Everyone is saying that the SOX 404 test is likely going to be a hard test to pass. What are your thoughts? Are there any areas that Jefferson Wells has consistently identified as trouble spots among clients?

The Public Company Accounting Oversight Board has just issued additional guidance to external auditors that should help to clarify exactly what is expected.

Ultimately, however, the test is a pass or fail proposition.

Companies that narrowly pass the test should question whether they have caught everything. In addition, a laundry list of remediation items raises a red flag.

The main trouble spots our experts are addressing right now include technology-control weaknesses and gaps in documentation.

According to CW research, recent disclosures of "material weaknesses" and "significant deficiencies" in public filings generally refer to four issues: revenue recognition, misapplication of GAAP, finance department understaffing and insufficient inventory/operational controls. Have you seen similar types of issues?

We have seen issues with finance department understaffing and, to a slightly lesser extent, revenue recognition concerns. We have not seen as much evidence of misapplication of GAAP.

Our survey respondents identified three areas as the largest challenges confronting their compliance efforts:

Lack of process control-related documentation;

Inadequate formal reviews and approvals; and

Segregation of duties.

Companies have undergone significant staff reductions in the past several years. Understaffed finance departments limit the ability to effectively segregate duties throughout the organization. These constraints make it challenging to establish sufficient checks and balances and often result in an inadequate amount of documentation on the duties and internal controls attached to specific positions.

What types of controls generally need to be scrubbed, revised or redesigned?

Links between business-unit controls and IT-related controls need improvement. The delay gives some companies time to strengthen those links and to develop strong controls around specific weak points in IT, such as systems accessibility.

We see recurring problems with accessibility controls around IT applications that are in development. Those applications often "go live" while too many individuals still have the access and the ability to make changes to the software.

We are also seeing that controls within the tax area, a complex piece of Section 404 compliance, tend to receive short shrift. Federal taxes, state sales taxes and state property taxes, for example, usually originate from a diverse range of feeder systems. Each of these information sources, as well as the subjective judgments used to determine tax exposure, requires effective controls and processes.

Can you give us some examples of typical "worst practices" Jefferson Wells has seen, with insights on how Jefferson Wells recommended fixing them?

Beware when business process owners say, "Internal audit will take care of it."

Internal audit can, for example, document how a sales force treats commissions. But documentation, testing and any subsequent remediation require collaboration if they are going to ultimately pass muster. The business process owners must be engaged.

Although everyone speaks about the importance of "tone at the top" these days, we still see instances where senior-level management isn't really on board with compliance. They may be too focused on other projects. Companies that fail to incorporate compliance considerations into operations (such as M&A due diligence) may encounter significant problems in the future.

Any other tips or recommendations as companies take a deep breath (whew!) and relax over the extension?

Don't relax! Slowing down the process suggests that this is only about compliance at one point in time. In the true spirit of solid corporate governance, initial compliance is just the beginning. Companies will face additional compliance issues that arise long after the initial Section 404 deadlines have passed. Future mergers and acquisitions, larger outsourcing deals and major technology implementations will have compliance implications.

Companies that are interested in high standards of corporate governance should keep their Sarbanes-Oxley project management structure firmly in place and maintain their compliance stamina over the long term.

Thank you, Owen.

This column should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.