It’s been said before, but it bears repeating: Companies preparing to comply for the first time with the internal controls reporting provisions of Section 404 need to get moving now.
That was the advice to non-accelerated filers from a panel of experts at Compliance Week’s annual conference.
Brounstein
“Get started,” said Rick Brounstein, executive vice president of non-accelerated filer Calypte and a member of the Securities and Exchange Commission’s Advisory Committee on Smaller Public Companies. “Do your risk assessment and get going.”
Brounstein warned that the flood of non-accelerated filers complying with the management requirements of 404 for their fiscal years ending on or after Dec. 15, 2007, means that consultants to help those companies will be in demand. Wait too long, he said, and you not only risk running out of time to remediate, but “It may cost you double or triple and you may not find people to help you.”
Former Tenet Corp. chief executive Janet Dolan, who headed the SEC Advisory Committee’s Section 404 subcommittee, advised that, “Unless people are very thoughtful in the way they go about it and do everything they can to plan upfront to minimize wasted effort, it’s going to be a dramatic burden on them.”
Dolan
Dolan, who led Tenet through its first year of 404 compliance and who now serves on two audit committees, recommended companies “get a very competent audit chair who is very proactive—not someone who questions everything, but who knows how to bring the external auditor and the internal team together with the committee and get a good work plan to start with.”
Sharon Thomas Parrott, chief compliance officer at DeVry, which is entering its third year of Section 404 compliance, warned smaller companies to infuse compliance into all the business operations.
“Don't hire someone from outside who doesn’t understand what you do and how you work and the company culture to tell you what your compliance program should be,” she said. “Have someone who knows your business and understands the control environment.”
Parrott admitted that at DeVry, “We weren’t ready—not because we didn’t do things financially—but because we didn’t think of it initially as an enterprise-wide activity.” The first year of compliance was “overwhelming” to the part of the organization that didn’t deal with the regulatory environment “on a day-to-day basis,” she said.
“Budgets just got blown away. If we thought it would cost X amount, it was going to triple that,” she said. DeVry, which operates in the highly regulated education industry, was extremely risk-adverse in its first year. The company developed an internal audit department, augmented by consultants, and created the compliance officer position. In addition, it already had a separate group related to its compliance as an education company.
Parrott said the firm “went overboard” documenting its controls the first year. “We were documenting every step of every process we ever might do to the point our external auditors said, `Out of the 17 things you documented, we think two are key controls.'”
“Do your risk assessment, determine your key controls and make sure that’s what you document,” she said.
In addition, Parrott urged smaller companies to automate, centralize, and standardize as much as possible to mitigate segregation-of-duties issues—something DeVry struggled with at its smaller locations in the first year.
“The first year, everybody did everything,” she said. The following year, the company reduced its number of key controls. “We standardized and centralized things and then as much as we could, we automated.”
Brounstein urged companies to leverage their monitoring activities. “Companies do a lot of monitoring today naturally in their operations,” he said. “Take advantage of it.”
In addition, he advised companies to take advantage of the one-year grace period before external auditors must make attestations on internal controls, which will begin with fiscal years ending after Dec. 15, 2008. Use that time to work with their auditors on their 404 approach, Brounstein said.
“Involve your auditors,” he said. “I think you’ll find them more willing and able to talk to you now than they were in the early stages.”
Dolan urged companies to form partnerships with companies that have already been through Section 404, if possible. “You have limited resources,” she said. “Steal with impunity. Learn as much as you can from every one else. Plan, plan, plan. Then, just like you’re packing for a trip, go through and take out the stuff that’s absolutely not necessary.”
No comments yet