Last week, the SEC extended the compliance date for the internal control provisions of Sarbanes-Oxley. Accelerated filers will now need to comply for their first fiscal year ending on or after Nov. 15, 2004. The original compliance date was June 15. This week, we talked with Lynn Edelson, the Global Leader for the Systems and Process Assurance practice at PricewaterhouseCoopers, about the implications of the delay, and the status of most companies' compliance efforts.

Last week, rumors of a Section 404 delay became fact. How do you think it will impact company processes?

I would not think this delay will impact company processes in a significant way.

During the past few months, most organizations have realized that the amount of work required is substantially more than originally anticipated. There is still relatively little time for accelerated filers — and prudent organizations will continue to move forward.

Of course, those companies that had June 30 year ends can now breathe a little easier as they are:

Not first out of the block; and

Will have some time to digest the final rules before their first assertion.

Are companies generally behind schedule?

It is difficult to say whether companies are generally behind schedule.

Two companies could be in exactly the same place in their project plan. As design evaluation and/or testing of operating effectiveness occurs, one company could find significant deficiencies which could potentially put them behind in their schedule.

Companies should be factoring in remediation time to be on the safe side.

Do you think a delay will make any difference in the quality of company controls, or the systems they utilize to monitor them?

Companies that were filing first (June - Oct year ends) may have some time to optimize their control structure.

We, like others, see that technology has a role in making compliance processes more efficient. Our survey in January 2004 of Sarbanes-Oxley 404 project leaders attending a conference in New Jersey indicated that nearly 90 percent of the companies had acquired or were planning to acquire new technology for compliance with Sarbanes-Oxley.

Further, more than 45 percent of executives responding viewed technology as an essential facilitator of compliance with Sarbanes-Oxley.

Where are most (June 30) companies when it comes to the SOX 404 process?

This process is definitely iterative in nature.

Most companies that I personally have dealt with are significantly complete with their documentation. But, as design evaluation or testing identifies gaps or exceptions, more documentation is needed.

The important point is that companies need to be conscious of remediation time — and the need to have a stable system of internal controls that they can assert to and their external auditors can attest to.

About two or three months before year end, we expect companies to have finished their testing and be ready for their management's assertion.

Not all companies are on track with this time line.

Ones that are behind will likely have to apply more effort to complete on time. Again, in that January survey, 95 percent of the executives responding expected their companies to meet the deadline for Section 404 compliance, but more than half of those expected it would be difficult to do so.

From the looks of PwC's November white paper titled, "Key Elements of Antifraud Programs and Controls," the SOX 404 test is likely going to be a hard test to pass. Is that true?

The views expressed in the white paper are based on our reading of SAS 99, the [SOX] Act, the Proposed [Internal Control] Standard, and the SEC final rules.

The proposed standard includes the word "fraud" and refers to anti-fraud programs numerous times. Our firm takes the subject of fraud very seriously. We believe the drafters of the rules referred to above do as well.

As to companies having a hard time in "passing," it will entirely depend on how significant the threat of fraud is within the enterprise and how active the company's management and the audit committee are in assessing and addressing the risk of fraud that could lead to a material misstatement in the financial statements.

According to CW research, recent disclosures of "material weaknesses" and "significant deficiencies" in public filings generally refer to four issues: revenue recognition, misapplication of GAAP, finance department understaffing and insufficient inventory/operational controls. Have you seen similar types of issues?

We see all of those issues but do not track the incidence of them across our client base in a way that would be meaningful to your readers.

One point of interest from the January survey, however, is the executives' responses about the kind of remediation they are doing or will have to do to comply with Sarbanes-Oxley Section 404:

Manual controls over significant transactions (72 percent)

Computer controls, not including security (65 percent)

Security controls (54 percent)

Fraud programs (44 percent)

Financial reporting process (35 percent)

Audit committee oversight (13 percent)

What types of controls generally need to be scrubbed, revised or redesigned?

Security controls — and the refinement of those — continue to be a large task for many organizations.

Ensuring that only authorized people have been granted access to systems and data — and the protocol to ensure those rights remain appropriate — is one area. A second deals with end-user computing systems. (I am referring to those systems that were developed outside the normal development process by IT, like actuarial reserve systems in an insurance company.)

Organizations are identifying where those types of systems or reports exist in their organization within a significant financial process, and are determining how to ensure that they are as controlled as a system developed in a normal system-development life cycle.

What are some typical "worst practices" and solutions?

Don't know if I have worst practices, but the end-user scenario is particularly problematic. These systems are usually developed by an expert in an area — like an actuary — and there is no one else in the organization that could review the work, calculations, etc.

The simplest recommendation is to move the system into a controlled production environment. But, before that happens, suggest that someone in the organization needs to ensure that the calculations are being performed properly — and thus is controlled.

Any other tips or recommendations as companies take a deep breath (whew!) and relax over the extension?

Make it a very quick breath.

Again, most organizations are realizing that there is significantly more work to be done than anticipated. I would recommend that they take the time to clean up and refine areas that may have been rushed to completion.

If they haven't done so already, sit down with their external auditors, review their documentation, make sure it is sufficient for the external auditor to understand the process.

Review their test plan with their auditors and make sure there is alignment.

The point is to use the time to keep moving with the project — not to stop.

Thank you, Lynn.

This column should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.