Large companies have had five years of hard-earned experience complying with Sarbanes-Oxley and its dreaded Section 404 provisions about internal controls over financial reporting. Now compliance looms for non-accelerated filers, and I’d suggest leaning on that experience as much as you can.

Based on my observations and experience (as the leader of SOX compliance for Viacom), despite the sophistication of many large filers, a lack of clarity initially surrounded Section 404 implementation. As a result, companies used external advisers extensively in the first few years to help them develop program management capabilities and implementation strategy and assist with documentation and testing. Consultants also assisted in negotiating with external auditors, since we had scant guidance about how to apply the rules and most companies had limited internal expertise in this area. Many companies struggled to achieve compliance during their initial compliance periods, often barely making it over the finish line.

Over the past few years, the Securities and Exchange Commission and the Public Company Accounting Oversight Board have recognized these struggles and have worked hard to clarify the requirements of Section 404 and issue new guidance. Now non-accelerated filers are required to comply with Section 404 effective for fiscal years ending on or after Dec. 15, 2007 (with the external auditor’s attestation starting one fiscal year later). So let’s start sharing some of that hard-earned experience.

The Point Person

Planning is the most important phase in any implementation as significant as Section 404, since efficiencies are best realized when they are anticipated in advance. Many companies have found that one of the key elements of SOX compliance planning includes creating a dedicated program management office (PMO) to guide and administer the compliance function. Numerous SOX compliance activities can benefit from a single authority that sets policies and monitors results. While non-accelerated filers may find it difficult to justify resources specifically allocated to program management, the savings in cost, time and effort will typically outweigh what you spend to maintain a PMO.

Companies can devise many ways to achieve their SOX compliance goals, so the PMO (whether in the form of a single person, or a small staff) should set standards and issue instructions (and other relevant guidance) to avoid confusion and promote consistency.

The PMO will interface with the auditors regarding policies and interpretations of guidance and standards, as well as any external consultants hired to assist with compliance. The PMO can also monitor documentation and testing to ensure that those activities are on track and keep senior management apprised of progress. Finally, the PMO can play a significant role evaluating issues and discrepancies to create a consistent interpretation and ensure that properly qualified individuals participate, since evaluating control deficiencies is often highly subjective.

The Rest of the Team

In addition to having a point person oversee SOX compliance, remember that a key principle of the COSO framework that underlies internal controls is setting the proper tone at the top of the organization. Since senior management may be unfamiliar with Section 404, executives should be educated about the requirements, the compliance effort across the organization, and the implications of failing to maintain effective internal controls over financial reporting; only then will they truly understand the importance of compliance. Once this objective has been achieved, it may be helpful to draft communication from senior management to the people who will be involved with Section 404 implementation, to make clear that this is not merely a finance-driven exercise and to demonstrate senior management’s commitment to achieving compliance.

Along similar lines, the executives and managers who oversee various business processes must be accountable for maintaining current and accurate documentation, ensuring that key controls are operating effectively, and taking appropriate steps to remediate identified control deficiencies. You can reinforce this accountability with a periodic sign-off process such as representation letters or other certifications. Tying them into bonus programs will give compliance efforts even more weight.

Since the SOX process may still be new to some people, and others will not know the COSO internal controls framework, some organizations may find it helpful to provide relevant training and educational materials to anyone involved with SOX compliance. A program that monitors completion of training may even be a useful company-level control that can be tested and relied upon as part of the overall internal control environment. Training and educational materials may encompass general internal controls training as well as specific training on the company’s prescribed methodologies. You can use online training or instructor-led training, as well as dissemination of reference guides and other training materials. Be warned: instructions and other guidance should be comprehensive but may be time-consuming to use on a regular basis. Supplemental “one-sheets” can provide targeted reference materials for process-owners, test performers, and reviewers that can easily help them perform their roles effectively.

Working With Guidance

Some good news resulted from the recent SEC approval of Auditing Standard No. 5, which auditors will use to guide them as they evaluate the effectiveness of your internal controls. AS5 supersedes Auditing Standard No. 2, which required much more pervasive testing. It also is more practical to apply than AS2 because it explicitly advocates taking a top-down, risk-based approach to determining which controls need to be evaluated.

The common interpretation of AS2 was that it required documenting and testing controls relating to every material account and process, irrespective of whether those controls posed a significant risk of misstatement. AS5's risk-based approach gives companies the ability to assess size and complexity as part of the evaluation process, and to exclude from scope controls that do not present a reasonable possibility of material misstatement to the financial statements. Emphasis on company-level controls and controls that are designed to prevent or detect fraud may help to reduce the testing of some process-level controls.

Intuitively, controls that relate to significant judgments or estimates or that address the risk of management override of other controls are critical and should be incorporated into management’s evaluation. Additionally, controls designed to monitor the effectiveness of other controls may also help to limit process-level testing if they are considered to be effective, since they are in essence higher-level controls. Some examples to consider include group-level or corporate reviews of business unit activities, closing checklists, account reconciliations, or specific account analyses for subjective areas like sales returns reserves or inventory obsolescence reserves. Monitoring and other company-level controls should be tested as early in the process as possible to avoid the need to perform additional process-level testing.

I know firsthand how daunting the SOX compliance process can be, especially the first time through. You can anticipate an approach that will evolve over time due to changing guidance, the complexity of the initiative and the formidable effort required across the organization. While there are many other ways to create an efficient and effective SOX compliance process, start off with a strong foundation in the planning process and build from there—and then the effort required won’t seem quite as insurmountable.