Ten Steps for Making SOX 404 Compliance Easier
Time may not be on your side. After a number of delays over the past three years, non-accelerated filers are now facing the prospect of having to fully comply with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX) that will now require that external auditors review management’s assessment of their internal controls, complete their own assessment and report on the results.
Here’s the bad news: at the time I’ve recorded this podcast, at the beginning of April 2010, companies that file on a calendar-year basis and will be relying on key quality controls have less than 90 days to begin testing, and to make matters worse, it can be a complex, time-consuming, and costly chore. But today, I’m here to help. I’ve outlined ten steps, based upon the experience of accelerated filers, that can help you achieve compliance quickly, cost-effectively and in line with the intent, spirit, and requirements of the legislation.
Since December 15, 2007, non-accelerated filers have been required to assess the effectiveness of their internal controls, and the CEO and CFO have been required to certify those results and include them in the company’s annual report. Many companies believed that compliance with Section 404 was only a distant possibility and may not have critically reviewed and documented their assessment of internal controls to the extent necessary to meet the standards of their external auditor. The Securities and Exchange Commission’s recent announcement of the final extension of SOX 404(b) for non-accelerated filers has moved the deadline six months, effectively ending the uncertainty regarding the timing of the compliance effort.
As SEC Chairwoman Mary L. Schapiro recently emphasized, “it is important for all public companies to act with deliberate speed to move toward full Section 404 compliance.”
It’s likely that you, as well as other non-accelerated filers, will be resource-constrained to meet your Section 404 compliance obligations, but we can look to the experience of accelerated filers as they navigated the uncharted waters of SOX compliance.
What did the accelerated filers learn? First, what went right?
The most successful companies utilized a top-down approach and developed a risk-driven scope. They started early and honestly evaluated their own environment. Finally, they held individuals accountable for the implementation.
So what went wrong? No surprises here: they started late. Management significantly underestimated the amount of work required and the amount of time it would take. They had limited collaboration with their external auditors. Companies attempted to self-test using internal resources and did not effectively involve the business process owners. And the big one: they did not take into account the impact of Information Technology.
So now you’re facing the deadline; what should you do? Here is a step-by-step approach that will help you achieve a successful implementation.
1. Don’t Delay
No explanation needed on that one.
2. Implement a top-down, risk-based approach
Don’t document all of your controls. That is a “bottom-up” approach, and it results in unnecessary documentation, excessive cost and a lack of focus on your key risks. Make the most of monitoring to reduce direct testing of controls. Familiarize yourself with COSO’s Guidance on Monitoring Internal Control Systems. By using the right balance of information and monitoring, a company can watch a process or specific risk more effectively and reduce the need for add-on testing.
3. Get the most out of your controls
Identify the most effective and efficient controls to address risk. Automated controls are often more effective, since they are not prone to human error, and more efficient, since they result in smaller samples to be tested. Focus on direct and precise entity-level controls that can directly prevent or detect misstatements.
4. Focus on financial reporting risk
Focus solely on the primary task of SOX, which is reducing the risk of a material misstatement in the financial statements and disclosures. You can consider operations and other areas in future years.
5. Get your Audit Committee involved
The Audit Committee has oversight responsibility for your internal control assessment, so inform them early and often as to your plan and progress.
6. Communicate frequently with your external auditor
While they cannot advise you regarding your internal controls, your external auditor can provide some counsel on how to design your evaluations of your controls so that they can maximize reliance on your work and reduce overall costs. Keep them informed of your progress.
7. Integrate fraud considerations into your assessment of internal controls
This is a requirement of SOX that is often overlooked.
8. Get buy-in from the top
You must have the commitment and support of the CEO, CFO, and Audit Committee. Without this support, compliance with SOX will be more difficult and more costly.
9. Plan to address deficiencies
If you are like most companies, it is likely that you will identify significant deficiencies, and possibly even a material weakness, on the first pass through. It will be critical that you have a plan to prioritize and remediate deficiencies quickly.
10. Plan and allocate resources realistically
If you underestimate the amount of work required, the number of people required, and the impact on your ongoing business, you may not complete your assessment on time. Consider the impact of deficiencies and the time and cost of remediation.
Now is the time to begin planning for SOX compliance. By getting started now, most companies can save time and money while realizing more reliable results. The process won’t be painless, but by putting to good use the experiences of the accelerated filers and the steps I have outlined, the process can be managed.