The Sarbanes-Oxley Act of 2002 (SOX) was enacted in the wake of many egregious corporate scandals involving fraud, greed, and breakdowns in internal controls. This landmark legislation has helped the United States do what no other country in the world has yet attempted to do: improve the standards for corporate accountability from the very top (the board of directors and senior management) to the lowest levels of the company, where business transactions and related activities are performed. The law has its biggest impact on publicly traded corporations through the new internal control requirements of Section 404 of the Act. Specifically, Section 404 requires management to take ownership of internal controls over financial reporting (ICFR) by assessing and publicly reporting on their effectiveness. To add more teeth to these requirements, this Section also requires external auditors to attest to management's assessment by independently opining on the effectiveness of a company's ICFR.
Large accelerated filers are in their third year of Section 404 compliance. In spite of this, controllers, their staffs, and many SOX compliance specialists admit that it is still very easy to get lost in the maze of identifying, testing, and continuously monitoring key controls, maintaining relevant documentation, and rolling up the individual process-level assessments being conducted throughout the company to form an overall opinion on the effectiveness of a company's ICFR.
Regardless of a company's size, there is no doubt that planning, executing, and sustaining an internal control assessment under Section 404 is a challenging and costly project. Initiating and sustaining this project requires massive coordination among a large number of employees throughout the organization as well as ensuring that appropriate documentation is maintained to support management's conclusions. Given the experiences of large accelerated filers, smaller public companies and other temporarily exempted entities (foreign as well as domestic) are legitimately anxious because they will soon be required to comply with the internal control certification and assessment requirements under Section 404.
Much has been written about the cost and difficulty of complying with the new internal control certification requirements under Section 404, but very few articles have focused on providing guidance on how to sustain compliance with Section 404 requirements in a cost-effective manner. Although a majority of companies have followed the Public Company Accounting Oversight Board's (PCAOB) "infamous" Auditing Standard No. 2 (AS2) to design and execute their internal control assessments, there is no single, cookie-cutter approach or methodology that a company can take to "walk through" this maze in real life. The previous two years of experience suggest that there are some "better practices" that a company can employ to organize, document, and track the SOX 404 compliance project in a cost-effective manner. Our experiences from working with many companies suggest that a number of issuers are implementing processes and putting appropriate structures in place that are proving to be quite adept at handling the challenges of Section 404 compliance. The purpose of this article is to share some of these better practices to help other companies manage this project cost effectively.
GETTING STARTED
While the biggest challenge for accelerated filers is to sustain this huge effort in a cost-effective manner, the biggest compliance challenge for smaller public companies is deciding where to begin. We recommend that all companies focus on the following three aspects as they work to initiate and sustain compliance with Section 404: tone at the top, scoping decisions, and establishing a SOX steering committee.
TONE AT THE TOP
Regardless of a company's size, the most important step to starting and sustaining a SOX 404 compliance project is setting the right "tone at the top." A company's board of directors, CEO, and CFO are the most influential people in that company, and their buy-in and continued commitment to this endeavor are absolutely essential for its success. Without their explicit support, employees throughout the organization will continuously challenge the value and relevance of this work and give it less attention and due care than it requires. With the full support of the highest levels of management, SOX compliance teams can be formed across the organization, and specific tasks can be delegated throughout the company with a clear understanding that company management truly believes in producing reliable financial reporting and disclosure for its stakeholders. Starting with the right tone at the top also sends the message that senior leaders are committed to control excellence by managing risks in a cost-effective manner and that good internal controls are everyone's business. It fosters a positive attitude that motivates employees to extract value out of this compliance activity by either reengineering the underlying business processes or identifying and eliminating non-value-added controls.
SCOPING DECISIONS
Determining the scope of the SOX compliance project year after year is one of the most important decisions that a company makes, because the scoping is what drives the direction of the entire effort. Based on the feedback received through two roundtable meetings and hundreds of comment letters, both the Securities & Exchange Commission (SEC) and the PCAOB made it very clear that companies--as well as their external auditors--should take a top-down, risk-based approach to assessing and certifying internal controls. During the first two years of Section 404 compliance, few companies or external auditors followed this approach. Instead, the external auditors drove the process, and the majority of internal control assessments were conducted in a nonintegrated, checklist manner. Excessive focus was placed on documenting and testing as many controls as possible. It is this approach that led many critics of Section 404 implementation to conclude that internal control assessments under Section 404 will not stop future Enrons and WorldComs from occurring. In light of the May 2006 guidance issued by the SEC and PCAOB, it is critical that a company's senior leadership insist on a top-down, risk-based assessment approach. This is the only way that a company can sustain Section 404 compliance in the future while remaining cost effective.
A top-down approach to designing a Section 404 compliance program (and designing the actual internal control structure) forces senior management to start with the entity-level controls that set the organization's tone at the top. When designed robustly and implemented...