Reproduction permitted for personal use only. For reprints and reprint permission, contact reprints@wistechnology.com.

Observations from the Sarbanes-Oxley trenches

A lot has transpired since I last wrote about the “Technology Implications of Sarbanes-Oxley” earlier this year. With Section 404 effective dates right around the corner, the emotions of CEOs, CFOs, audit committee members and external auditors are in high gear as many of them are closing in on their first round of reporting.

Wide speculation is that many companies’ material weaknesses will be tied to IT deficiencies. IT has traditionally been viewed as overhead burden by organizations. Now IT is rightfully being recognized as a key foundation of an effective internal control system and therefore very relevant to the ultimate success of the Section 404 initiative.

(Not) ready to report?


Virtually everyone from the board room, executive management and audit firms is apprehensive, perhaps even paranoid, about those two little paragraphs of Section 404 of the Sarbanes-Oxley Act of 2002, or SOX, titled “Management Assessment of Internal Controls.” Section 404 requires public companies to report annually on the effectiveness of their internal controls over financial reporting. It also requires their independent auditor to attest to management’s conclusions, as well as render a separate opinion on the effectiveness of management’s controls.

Both of these new audit opinions must be performed in accordance with auditing standards set by the Public Company Accounting Oversight Board. Here lies the big fear, as the board is a non-profit organization newly created by SOX and is under the wings of the SEC. PCAOB’s new standards have no track record behind them since the first Section 404 audit has yet to be concluded or tested, so companies and auditors alike have no luxury of precedent.

A common cry among companies is “we wish we had more time.” The reality is the SOX-404 process must be treated like a “project,” thus requiring executive sponsorship, diligent planning, adequate resource commitment, and the expertise to execute the project plan. A misstep anywhere can doom the project.

The SEC has twice postponed 404 effective dates. It is unlikely that the current timeframe, requiring large companies to comply for their fiscal year ending on or after November 15, 2004, will change. But companies have underestimated their requirements, causing them to now scramble for resources. Financial Executives International conducted two surveys this year showing “year-one” compliance costs for Section 404 increased from almost $2 million in January to over $3 million in July per company.

Corporate America is waking up to the reality that it may not be ready. Companies may have to report an internal control material weakness in their annual report to the SEC and shareholders. This could trigger a stock valuation decline, public relations challenges, increased SEC scrutiny or lawsuits. Some Big-4 audit firms are predicting as many as 20 to 25 percent of companies may have qualified or disclaimed opinions for their first-year 404 audit reports.

The importance of IT


Perhaps the biggest 404 concerns involve general IT controls such as data backup, recovery procedures, access security, and change management to protect the integrity of the business record as it rolls up into the financial statements. The SOX 404 attestation process requires confidence in the IT systems that house, move, and transform data.

This creates challenges since now more than ever the accounting side of the house must closely work with the IT shop on the intricacies of internal control documentation, risk assessment, testing and remediation. A common tool for addressing both IT controls and non-IT controls, while also facilitating a continuous monitoring environment for periodic management certifications (Sections 302 and 906) and current reports (Section 409), is emerging as a best practice.

Many companies have not adequately documented their IT controls prior to SOX. The PCAOB has made it clear that inadequate documentation in itself is likely to lead to a material weakness, or, even worse, a scope limitation, thus preventing the auditor from issuing a clean opinion.

Now is crunch time


The verdict is still out on the ultimate success of SOX in repairing the battered image of corporate America. However, many CEOs, CFOs and directors are now voicing their favor as they realize benefits including improved efficiencies, better risk mitigation, sounder IT controls, timelier reporting and stronger governance environments. In addition, other parts of the world are now considering SOX-like requirements for their own countries as they realize the crisis that hit us a few years ago is truly a global issue.

With a good head start on many of these countries, perhaps some of this current pain will pay long-term dividends in terms of competitive positioning. However, for now we are in the midst of 404 crunch time. Stay tuned as we will start seeing 404 management and audit reports in early 2005.

-----
Ronald Kral is the Founding Partner of Candela Solutions, a public accounting firm working with boards and management teams to help them reach their objectives through governance, internal auditing, technology, strategic planning, and change management. Ronald can be reached at rkral@candelasolutions.com or 608-204-0122, ext. 23.

Comments

Tom Pappas, Northwoods responded 5 years ago: #1

Thanks Ron,
We at Northwoods have been contacted by numerous businesses curious about the relationship between 404 and their internal IT control processes. We are excited about the prospects of delivering secure, audit trailed functionality to those entities.

John Logan responded 5 years ago: #2

As I read Mr. Kral’s commentary, I was struck that many might question the Big4 prediction that 20%-25% of corporations will have either qualified or disclaimed opinions. However, Obian research supports this projection. In a recent survey, Obian learned that IT executives are still largely unaware of the full scope of their corporate governance responsibilities as mandated by Sarbanes-Oxley.

In September, Obian interviewed 286 senior IT executives – 37% CIOs and 63% their direct reports – to learn how they had aligned their assessment processes with their external auditor’s planned tests and the status of their organization’s IT controls assessment effort. The surprising and unexpected result of this survey was that 93% of these senior IT executives were not aware of their actual responsibilities to meet the corporate governance requirements imposed on them by Sarbanes-Oxley.

This finding flies in the face of most surveys that state that the majority of IT executives are at least somewhat confident their organizations will meet the deadlines for Sarbanes-Oxley. Because Obian’s survey was conducted as a series of interviews, we were able to probe further and find the cause of the discrepancy.

The majority of senior IT executives believed that by having assisted the corporation’s Finance department in evaluating financial reporting controls related to enterprise-wide applications, they would pass the external auditor’s tests for IT controls. The auditors at the Big 4 public accounting firms would strongly disagree. The Big4 tests for IT controls effectiveness will also include general IT controls as well as IT management controls for setting the appropriate tone at the top. As Mr. Kral so insightfully points out, to be compliant with Sarbanes-Oxley IT must document, test, assess, and, where necessary, remediate general IT controls to the standards required by the corporation’s external auditor.
