Lessons Learned from Section 404 of the Sarbanes-Oxley Act
A Conversation with Compliance Officers

By Shih-Jen Kathy Ho and Alfonso R. Oddo

E-mail Story Print Story

This article examines compliance with SOX section 404 from management’s perspective. The authors interviewed compliance officers from two U.S. Fortune 500 companies, referred to as LMN and UVX for the sake of confidentiality. The authors are very grateful to the compliance officers who participated in this study. These individuals were the managers of the SOX compliance project at their respective companies and have been involved in compliance since 2002. Each presented his or her company’s experience in implementing SOX section 404, at a summer conference in 2005. Two separate follow-up interviews were conducted, in December 2005 and in January 2006. The interviewing style incorporated a hybrid of the focused interview, using specific questions, and the in-depth interview, permitting the
interviewee to direct the interview. The interviewees were asked to describe the project, the implementation steps, facilitating factors, major challenges, key benefits, training provided, unresolved issues, and their experiences of implementation. Most important, as early adopters, the
interviewees were asked to share the lessons they learned.

Compliance Cost and Resources

LMN: The company has roughly 50,000 employees globally, with annual sales of $14 billion. In terms of SOX compliance, approximately 50 people globally were involved in the project. Outside consultants were also engaged from two other Big Four accounting firms in addition to LMN’s external auditor. The total compliance cost in 2004 was $18.1 million, of which $7.1 million was paid to the external auditor for its work related to SOX. LMN had a loss in 2004.

UVX: UVX has annual sales of $25 billion. The company spent well over $20 million in the implementation phase of SOX and, like most companies, its audit fees went up during that time period as well. UVX also hired consultants, independent contractors, and some smaller regional accounting firms to work directly on areas needing cleanup. Additional Big Four accounting firms were used as consultants in specific areas to assist with the initial review period. These consultants were engaged for about one year, after which the work was integrated into staff responsibilities, with some minimal hiring, mostly at the clerical level.

Implementation

The implementation of the compliance project was very similar for the two companies interviewed. Both used the Committee of Sponsoring Organizations (COSO) model in looking at risk and internal control, and began with an interpretation phase of figuring out what the law meant. (See David R. Campbell, Mary Campbell, and Gary W. Adams, “Adding Significant Value with Internal Controls,” The CPA Journal, June 2006.) Part of the problem at this step was that the law itself was not quite established. About midway through 2004, the companies began to really understand what compliance meant.

Step 1: Plan and scope the evaluation. Make initial scope of business cycles, functions, and legal entities.

Management’s assessment is based on the effectiveness of internal controls taken as a whole, not on the individual components of controls or individual controls. This holistic approach assumes that some individual controls are more significant to the overall operating effectiveness than others. (See Michael J. Ramos, How to Comply with Sarbanes-Oxley Section 404; Assessing the Effectiveness of Internal Control, second edition, Wiley, 2006.) The objective of this phase is to answer the following questions: What are the significant areas of risk? What are the significant business processes? Which portion of the global operations is in scope?

LMN: This took place in the later part of 2003. LMN did a fairly formalized risk-assessment process. It had a two-day brainstorming session with the external auditors, looking at the overall business operation, financial statement exposure, and past problems, and identifying “control weakness” and “control breakdown opportunities.” The company identified 11 key business processes.

UVX: A SOX core team was established. Its responsibility was to come up with the process design, which then would be implemented across the company. The team, a group of about a half-dozen people, was an interesting mix of corporate accounting and internal audit. One member had training in education as his key functional capability, and database management experience. UVX had a “black belt” assigned to use the Six Sigma methodology as much as possible. [According to the American Society for Quality website (www.asq.org), a certified Six Sigma black belt is a professional who can explain Six Sigma philosophies and principles and who demonstrates team leadership and understands team dynamics.] As a result of this phase, the company identified 10 processes and 73 subprocesses.

Step 2: Document the controls. Document significant controls and identify links to financial statements.

UVX: To document these controls, UVX did the following:

• Identified significant financial statement accounts;
• Identified key business processes and subprocesses that impact those accounts;
• Identified control objectives, risks, and controls for each subprocess; and
• Created an internal control catalog for financial reporting.

The control catalog is a streamlined version of controls that should be in place and operating effectively throughout the company. The control catalog is different from the old internal control documentations. In the past, different auditors could have different interpretations, because much of the audit was based on interview and discussion. That is no longer the case because a clearly defined roadmap exists around all of the controls, and very specific documentation supports it. No guesswork is involved. Many other important controls were not included because they have considerably less potential to impact the company’s financial information.

LMN: The company developed an inventory of expected key internal control activities for 11 different business cycles and corporate functions, ensuring adequate coverage of financial statement accounts and financial assertion categories. It documented and validated the design and operational effectiveness of controls for more than 55 global locations. The documentation consisted of process narrative, framework, and flowcharts for these controls. At the completion of this step, more than 9,700 key controls had been documented and reviewed. More than 350 key spreadsheet applications were reviewed to document and validate key internal controls.

Step 3: Evaluate effectiveness. Evaluate the controls through verification and testing, and document the results.

LMN: The company adopted the testing methodologies used by its external auditor to ensure the consistency of the approach and the ability for partial reliance on management testing. Testing ranged from performing “inquiry and observation” and walkthrough reviews to full-sample detailed transactional testing. On a cumulative basis, more than 18,000 individual tests were performed by LMN personnel for the initial compliance period in 2004. Testing included visits to major third-party service provider locations to validate control structure for key control-point interfaces.

UVX: Observation and examination of controls, performance of controls over time, and the documentation of controls are all important. Documentation must exist to support the control owner’s certification that the control activity has been executed and is readily available for audit review. The documentation should contain the following:

• Identification of the control owner and job title
• Description of the specific control activity performed
• Specific evidence/documentation that supports that the control was performed, including reference to the specific documents evaluated and their time periods
• Frequency that the control is executed (e.g., annually, semiannually, quarterly, monthly, weekly, daily)
• Actions taken as a result of the control execution

Step 4: Identify and correct deficiencies. Communicate findings and correct deficiencies.

UVX: For controls evaluated as not effective, the control owner must provide details of a remediation plan to fix the control weakness. Remediation plans are tracked to ensure that corrective action is taken and that controls are operating effectively. Concurrently, appropriate corporate and business management jointly evaluate all controls rated as ineffective, to ensure that proper prioritization and attention are given to the remediation task.

LMN: Testing results were comparable to peer companies; that is, initial control deficiencies approximated 12% to 15% of the total controls’ inventory. Retesting was performed to validate remediation for initial control deficiencies noted. Control deficiencies included items as simple as a missing date on an approval report; an issue requiring reporting to the audit committee of the board of directors as “significant deficiencies”; and a control weakness requiring external disclosure as a “material weakness.” In its report on internal controls over financial reporting as of December 31, 2004, LMN reported two instances of material weaknesses: one about accounting for income taxes, the other involving accounting for pension and other postretirement benefit plans. These material weaknesses were corrected by September 30, 2005.

Step 5: Management’s report on internal controls. Prepare management’s written assertion of effectiveness.

UVX: Senior management uses the results of the management evaluation and subsequent remediation efforts to prepare a written report on the effectiveness of the controls.

Step 6: Prepare audit of internal controls by independent auditor.

UVX: The external auditors perform their audit and issue two opinions: one on management’s assessment process, and the other on whether the company maintained, in all material respects, effective internal controls over financial reporting.

Lessons Learned

What is necessary for the project’s success?

UVX: Like anything in a corporation, top leadership must drive the project for it to be successful. UVX has 65,000 employees, and to make this kind of legislation felt and embraced throughout the organization, top leadership must say, “You will concentrate on this,” and that happened at UVX. The CEO and CFO were very specific in that employees had to implement the project, and as a result the project was successful.

LMN: There are two major issues. First, the company must set strict requirements in terms of completion dates. Employees had to perform their work and complete it on time. The report needs to be done on the same day the company issues the 10-K, no exceptions or extensions. Second, the company must follow the documentation guidelines and testing guidelines established. If we do not follow those guidelines, the external auditors won’t give us the approval, and we fail automatically because we cannot make our own assessment, either.

What are the major challenges of the compliance project?

LMN: The biggest challenge was how to control project costs. If the company is having a bad year, it can cut back on some other budget areas, but not the compliance work. And there are no low-cost alternatives to do this, so this is really a challenge and impedes the process. Another challenge was how to take the level of documentation and testing to a higher level; then it became, What processes can be implemented to get it done, and how can the compliance process be simplified? Other challenges included keeping people’s interest in the project. Employees understand that it’s important, it’s a regulation. But getting an operational manager’s interest when the manager is concerned with meeting sales targets is difficult. To keep this on the radar screen is the real challenge. Another challenge is getting the internal audit and finance staff to stay focused and excited about the project.

UVX: A significant challenge was that resources—everyone working together to be successful and recognizing that it is important to the company, like continuing the SAP journey and doing implementations or driving key corporate programs—had to take a backseat to the implementation project. There were some inefficiencies in the compliance project, especially in the early stages, and the company had to work cooperatively to move the project to a more efficient stage.

What are the key benefits of the compliance project?

UVX: The benefits include better discipline in the company’s financial processes; improved documentation around all of its key controls; a more thorough understanding of controls and risks; and a very clear demonstration of control activities through to financial exposure, which provides the company with a more direct understanding of how a control impacts the financial risk of the company.

LMN: One benefit is more enhanced documentation of business processes and business controls. Also, the company has a better understanding, a more-detailed linkage of how its business operations relate to its financial statements and financial reporting. The compliance project also pointed out some opportunities for operational efficiencies. The concepts of enterprise risk management, governance structure, and organizational design follow from SOX implementation. Like many corporations, LMN didn’t have a formalized ERM process, but the SOX project helped develop the ERM process.

What kind of training does your company provide for the compliance project?

UVX: The company did a series of training on SOX 404, ensuring that employees understand the requirements and how it impacts their work. UVX has internal control coordinators whose job is to work with every control owner in the platform and ensure they understand their responsibilities. If a new person comes in and another person leaves, companies need to ensure a smooth transition. Control owners also go out and train staff onsite about the audit process so they understand what the new audit process will look like, and what their audit responsibilities are. The company also has a great deal of online training. Control owners have an online SOX course to help them understand what is required.

LMN: Perhaps the biggest challenge was to educate the entire corporation about the basic nature of the new compliance project, and what the specific requirements were. The company experienced some resistance from business managers who questioned whether this was their responsibility. The company established a formalized educational program to clarify expectations, roles, and responsibilities. A big challenge was getting nonfinancial people to understand the control activity. LMN found that employees could describe their business process, but they didn’t understand it in the context of the controls.

Does your company have any training in ethics?

UVX: The company has a large compliance structure that includes both ethics and compliance—not just compliance with laws, but making the right choices about areas of responsibility. Compliance officers in each of the company’s platforms ensure that ethics programs are in place. An annual business ethics survey is required of all employees to attest to their responsibilities and disclose areas where there might be conflicts. The company has an online training course, with 16 modules on everything from the Foreign Corrupt Practices Act to safety, health, and environmental issues. The company’s risk-assessment process includes a formalized process to understand exposures and mitigating controls. The company also has an annual ethics day where the top 250 leaders across the company come together with the CEO and outside speakers to work on cases, talk with outside experts, and reflect on the ethical and core values of the company.

LMN: Top management support and buy-in are important for internal controls to be effective. In addition, the organization’s ethical and business practices are also very important. The company has something called “six values” that run its business, such as ethical behavior and ways of doing business. A business-conduct policy is reinforced through corporate accountability and reputation training. All employees have to take a refresher course once a year, and a case study addresses some potential wrongdoings and problems.

How do you manage the size of key control activities?

LMN: One real challenge was to identify key controls. This was a new experience for both the company and the external auditors, and we spent a lot of time debating among ourselves. When we started on this journey we went too far and too deep. All of us had too many controls; we didn’t concentrate on key financial statement accounts; we looked at some operational issues we really didn’t need to; and as a result we did a lot more work than necessary. As the law evolved, the PCAOB got involved and made it clear that the focus of the compliance project is the controls over financial reporting and not the operational controls. We are now looking at a 50% decrease in the number of control activities that we’re documenting and testing. That was one key lesson.

UVX: A lot of the reduction of key control activities is done through standardization of internal controls, and simplification and automation. UVX reduced key control activity by one-third from 2004 to 2005 and had a target of another 20% reduction in 2006. Much of that happened through centralizing and efficiency in using a database or technology tools. For example, the SAP process has been greatly simplified. One person can flag exceptions and notify those people where the exceptions exist rather than having 40 people do that, so now that control owner is one person instead of 40 people.

Can you talk more about the information system that has grown out of the compliance project?

UVX: The company uses a tool called VIRSA, which is manufactured by SAP. UVX also developed internally a documentation database so its auditors can get documentation online for any of the activities in the platform. It allows them to do much of their work centrally and then go out to the sites only for sample testing and validation. The company’s control database allows it to do validation testing on all of the reports that need to be run in SAP, to verify that key controls are operating effectively.

LMN: The company has a system that links into its human resources (HR) hierarchy and its information technology (IT) systems, and forces documentation updates, summarizes reports, and prepares reports for management. LMN also created a formal SOX website on its intranet, so anyone with questions about Sarbanes-Oxley can get answers quickly. Its employees do not need to be SOX experts, but they should be familiar with its requirements and how SOX applies to their jobs.

What are the most important lessons you have learned so far?

LMN: Extensive time is required in implementing the process, and the remediation process has to happen much sooner and with much more effort. Companies must continually keep their employees aware of this. After initial implementation, employees may not think it’s important anymore, so they need to be reminded that the process is ongoing.

UVX: Discipline is required in meeting the financial requirements, and evidence must support it. Companies must have discipline and must go through all the documentation because it places requirements on the organization, and meeting those requirements creates the institutional discipline around what’s needed and required under SOX.

Are there any unresolved issues in your compliance project?

LMN: SOX needs to address the broader issue of management governance and controls, the higher-level issues.

UVX: More research is needed. The implementation project provides a disciplined approach to looking at internal controls and audits, but it will not guarantee the prevention of fraud.

What are some opportunities for improvement?

LMN: Year one was a learning opportunity for all parties involved in terms of expectations, approach, and results. In the future, more focus should be on a risk-based approach versus simply “executing the audit program.” Implementation of COSO II and its risk-based approach will help. In addition, SOX section 302, about the disclosure control procedure, is just as important but is more or less being overlooked.

What are your SOX section 404 “leading” practices?

UVX: Senior leadership was actively engaged through a SOX steering committee. Routine meetings were scheduled among finance, IT, business unit, and operations personnel. There was a clear agreement about corporate and operations responsibilities. The design, the control catalog, the evaluation process and definition, and the documentation template are the responsibilities of the corporate unit. On the other hand, the actual evaluation, documentation, and remediation are the responsibilities of the operations section. The company integrated internal and external audit plans in 2005. There were improvements in the audit process, with more reliance on testing and joint audits. UVX also created numerous networks for communication, which include a global SOX coordinators’ network, regularly scheduled internal audit and external auditor meetings, a controllers’ network, a remediation network, and a SOX 404 website for education and training. The controllers are responsible for the initial deficiency analysis and the initial likelihood/magnitude rating, but the final classification is senior financial leadership’s responsibility.

LMN: Separate from the internal control group, we created a dedicated global internal controls organization charged with the coordination of ongoing SOX compliance by 1,100 global business process control owners. To eliminate internal controls conflict, we had one full-time individual spend a year analyzing the “internal controls conflict matrix” and reviewing them conflict by conflict (e.g., an IT control fix or a manual control fix). In the context of governance and setting policy relative to SOX compliance, we also have a SOX steering committee that consists of the corporate controller, the corporate legal secretary, the chief information officer (CIO), the director of internal audit, and the external auditors.

What do you think might happen to SOX in five years?

LMN: SOX will be less administratively complex. It will be simplified and focus more on corporate governance and enterprise risk management instead of some of the lower-level requirements we see today. And there will be some convergence with requirements internationally.

UVX: SOX is already becoming the way we do our work; the framework is there, and the discipline is in place. Improvements will be made, but in general it’s become a standard, and so it will be less of an event and more of an underpinning.

What advice would you give smaller businesses or not-for-profit organizations that plan to review their internal control processes?

LMN: A formal governance structure is needed to implement the process. The structure may include a steering committee that has overall management oversight and management support. The steering committee should consist of people from different areas, such as the CFO, IT, and operations management. A long-term plan to sustain the effort is also needed.

UVX: Companies that are starting fresh can learn from those that have gone before them, and a host of readily available processes are out there that one could adapt. A not-for-profit or a company entering the public finance arena should use these models as a framework to implement the requirements of SOX using their basic internal controls already in place. SOX can help reinforce a company’s existing fundamental controls. Internal controls must be embedded in the fabric of an organization.

Major Challenges, Key Benefits

The authors learned a number of lessons from these interviews with SOX compliance officers. First, leadership is the most important ingredient for a successful SOX compliance project. Top management must drive the program, and this will encourage ownership of the project by people throughout the organization. Establishment of and adherence to documentation and testing guidelines are also necessary.

The biggest challenge is how to control the cost and cost-effectiveness of the project. Inefficiencies in the compliance project, especially in the early stages when people are learning the rules and regulations, must be overcome to improve cost-effectiveness. Other challenges include how to take documentation and testing to a higher level, how to simplify compliance, how to maintain people’s interest in the project, and how to motivate and recruit new talent to implement the project.

The benefits of a SOX compliance project include better discipline in the company’s financial processes, improved documentation of key controls, and a more thorough understanding of controls and risks. Implementing the compliance project provides a more detailed understanding of the linkage between business operations and financial reporting. It also strengthens entity-wide governance, and uncovers more opportunities for operational efficiency though a standardized business process and internal controls.

Managing the compliance project requirements was one of the biggest difficulties faced by the interviewees. This encompassed designing, staffing, supporting, and implementing all the aspects of the project. Internal control documentation under SOX is much more specific than it was in the past. There is no guesswork involved, and it should make the audit process much easier. Both of the companies discussed above established a formalized education program to clarify expectations, roles, and responsibilities. A big challenge was getting nonfinancial people to understand their process in the context of the controls. In addition, the companies examined here have offered employees training in ethical behavior and ways of doing business.

Many control activities were reduced through the standardization of internal controls, as well as simplification and automation. For internal controls to be effective, top management support and buy-in, and the organization’s ethical and business practices, are all important. Both companies have information systems in place to support documentation updates and report preparation. In the future, the authors believe that a greater focus should be placed on a risk-based approach. In this respect, the implementation of COSO II will help, as it provides a disciplined approach to looking at internal controls and audits.

Looking five years into the future, the interviewees expect SOX to be simplified and to be focused more on governance and enterprise risk management. Improvements will be made, but in general, SOX will become less of a disruptive event and more of a standard.

©2009 The New York State Society of CPAs. Legal Notices