Learned from Section 404 of the Sarbanes-Oxley Act
A Conversation with Compliance Officers
By Shih-Jen Kathy Ho and Alfonso R. Oddo
JUNE 2007 - Corporate
accounting scandals in the past decade, such as Enron and WorldCom,
led the U.S. Congress to pass the landmark legislation the Public
Company Accounting Reform and Investor Protection Act of 2002, commonly
known as the Sarbanes-Oxley Act (SOX). To make management accountable
for accurate financial statements, section 404 of SOX requires an
annual evaluation and report by management on the effectiveness
of internal controls and procedures for financial reporting, as
well as a report by the independent auditor attesting to management’s
must include a statement in its annual internal control report that
it is management’s responsibility for establishing and maintaining
adequate internal controls and procedures for financial reporting.
Both the public company and individual managers may be subject to
significant criminal and civil penalties for noncompliance with
SOX. The effective date for accelerated filers was November 15,
2004, and for nonaccelerated filers the date has been extended to
July 15, 2007.
article examines compliance with SOX section 404 from management’s
perspective. The authors interviewed compliance officers from
two U.S. Fortune 500 companies, referred to as LMN and UVX for
the sake of confidentiality. The authors are very grateful to
the compliance officers who participated in this study. These
individuals were the managers of the SOX compliance project at
their respective companies and have been involved in compliance
since 2002. Each presented his or her company’s experience
in implementing SOX section 404, at a summer conference in 2005.
Two separate follow-up interviews were conducted, in December
2005 and in January 2006. The interviewing style incorporated
a hybrid of the focused interview, using specific questions, and
the in-depth interview, permitting the
interviewee to direct the interview. The
interviewees were asked to describe the project, the implementation
steps, facilitating factors, major challenges, key benefits, training
provided, unresolved issues, and their experiences of implementation.
Most important, as early adopters, the
interviewees were asked to share the lessons they learned.
Cost and Resources
The company has roughly 50,000 employees globally, with annual
sales of $14 billion. In terms of SOX compliance, approximately
50 people globally were involved in the project. Outside consultants
were also engaged from two other Big Four accounting firms in
addition to LMN’s external auditor. The total compliance
cost in 2004 was $18.1 million, of which $7.1 million was paid
to the external auditor for its work related to SOX. LMN had a
loss in 2004.
UVX has annual sales of $25 billion. The company spent well over
$20 million in the implementation phase of SOX and, like most
companies, its audit fees went up during that time period as well.
UVX also hired consultants, independent contractors, and some
smaller regional accounting firms to work directly on areas needing
cleanup. Additional Big Four accounting firms were used as consultants
in specific areas to assist with the initial review period. These
consultants were engaged for about one year, after which the work
was integrated into staff responsibilities, with some minimal
hiring, mostly at the clerical level.
of the compliance project was very similar for the two companies
interviewed. Both used the Committee of Sponsoring Organizations
(COSO) model in looking at risk and internal control, and began
with an interpretation phase of figuring out what the law meant.
(See David R. Campbell, Mary Campbell, and Gary W. Adams, “Adding
Significant Value with Internal Controls,” The CPA Journal,
June 2006.) Part of the problem at this step was that the law
itself was not quite established. About midway through 2004, the
companies began to really understand what compliance meant.
1: Plan and scope the evaluation. Make initial scope
of business cycles, functions, and legal entities.
assessment is based on the effectiveness of internal controls
taken as a whole, not on the individual components of controls
or individual controls. This holistic approach assumes that some
individual controls are more significant to the overall operating
effectiveness than others. (See Michael J. Ramos, How to Comply
with Sarbanes-Oxley Section 404; Assessing the Effectiveness of
Internal Control, second edition, Wiley, 2006.) The objective
of this phase is to answer the following questions: What are the
significant areas of risk? What are the significant business processes?
Which portion of the global operations is in scope?
This took place in the later part of 2003. LMN did
a fairly formalized risk-assessment process. It had a two-day
brainstorming session with the external auditors, looking at the
overall business operation, financial statement exposure, and
past problems, and identifying “control weakness”
and “control breakdown opportunities.” The company
identified 11 key business processes.
A SOX core team was established. Its responsibility
was to come up with the process design, which then would be implemented
across the company. The team, a group of about a half-dozen people,
was an interesting mix of corporate accounting and internal audit.
One member had training in education as his key functional capability,
and database management experience. UVX had a “black belt”
assigned to use the Six Sigma methodology as much as possible.
[According to the American Society for Quality website (www.asq.org),
a certified Six Sigma black belt is a professional who can explain
Six Sigma philosophies and principles and who demonstrates team
leadership and understands team dynamics.] As a result of this
phase, the company identified 10 processes and 73 subprocesses.
2: Document the controls. Document significant controls
and identify links to financial statements.
To document these controls, UVX did the following:
significant financial statement accounts;
key business processes and subprocesses that impact those accounts;
control objectives, risks, and controls for each subprocess;
an internal control catalog for financial reporting.
catalog is a streamlined version of controls that should be in
place and operating effectively throughout the company. The control
catalog is different from the old internal control documentations.
In the past, different auditors could have different interpretations,
because much of the audit was based on interview and discussion.
That is no longer the case because a clearly defined roadmap exists
around all of the controls, and very specific documentation supports
it. No guesswork is involved. Many other important controls were
not included because they have considerably less potential to
impact the company’s financial information.
The company developed an inventory of expected key
internal control activities for 11 different business cycles and
corporate functions, ensuring adequate coverage of financial statement
accounts and financial assertion categories. It documented and
validated the design and operational effectiveness of controls
for more than 55 global locations. The documentation consisted
of process narrative, framework, and flowcharts for these controls.
At the completion of this step, more than 9,700 key controls had
been documented and reviewed. More than 350 key spreadsheet applications
were reviewed to document and validate key internal controls.
3: Evaluate effectiveness. Evaluate the controls
through verification and testing, and document the results.
The company adopted the testing methodologies used by its external
auditor to ensure the consistency of the approach and the ability
for partial reliance on management testing. Testing ranged from
performing “inquiry and observation” and walkthrough
reviews to full-sample detailed transactional testing. On a cumulative
basis, more than 18,000 individual tests were performed by LMN
personnel for the initial compliance period in 2004. Testing included
visits to major third-party service provider locations to validate
control structure for key control-point interfaces.
Observation and examination of controls, performance
of controls over time, and the documentation of controls are all
important. Documentation must exist to support the control owner’s
certification that the control activity has been executed and
is readily available for audit review. The documentation should
contain the following:
of the control owner and job title
of the specific control activity performed
evidence/documentation that supports that the control was performed,
including reference to the specific documents evaluated and
their time periods
that the control is executed (e.g., annually, semiannually,
quarterly, monthly, weekly, daily)
taken as a result of the control execution
4: Identify and correct deficiencies. Communicate
findings and correct deficiencies.
For controls evaluated as not effective, the control owner must
provide details of a remediation plan to fix the control weakness.
Remediation plans are tracked to ensure that corrective action
is taken and that controls are operating effectively. Concurrently,
appropriate corporate and business management jointly evaluate
all controls rated as ineffective, to ensure that proper prioritization
and attention are given to the remediation task.
Testing results were comparable to peer companies; that is, initial
control deficiencies approximated 12% to 15% of the total controls’
inventory. Retesting was performed to validate remediation for
initial control deficiencies noted. Control deficiencies included
items as simple as a missing date on an approval report; an issue
requiring reporting to the audit committee of the board of directors
as “significant deficiencies”; and a control weakness
requiring external disclosure as a “material weakness.”
In its report on internal controls over financial reporting as
of December 31, 2004, LMN reported two instances of material weaknesses:
one about accounting for income taxes, the other involving accounting
for pension and other postretirement benefit plans. These material
weaknesses were corrected by September 30, 2005.
5: Management’s report on internal controls. Prepare
management’s written assertion of effectiveness.
Senior management uses the results of the management
evaluation and subsequent remediation efforts to prepare a written
report on the effectiveness of the controls.
6: Prepare audit of internal controls by independent auditor.
The external auditors perform their audit and issue
two opinions: one on management’s assessment process, and
the other on whether the company maintained, in all material respects,
effective internal controls over financial reporting.
is necessary for the project’s success?
Like anything in a corporation, top leadership must drive the
project for it to be successful. UVX has 65,000 employees, and
to make this kind of legislation felt and embraced throughout
the organization, top leadership must say, “You will concentrate
on this,” and that happened at UVX. The CEO and CFO were
very specific in that employees had to implement the project,
and as a result the project was successful.
There are two major issues. First, the company must set strict
requirements in terms of completion dates. Employees had to perform
their work and complete it on time. The report needs to be done
on the same day the company issues the 10-K, no exceptions or
extensions. Second, the company must follow the documentation
guidelines and testing guidelines established. If we do not follow
those guidelines, the external auditors won’t give us the
approval, and we fail automatically because we cannot make our
own assessment, either.
are the major challenges of the compliance project?
The biggest challenge was how to control project
costs. If the company is having a bad year, it can cut back on
some other budget areas, but not the compliance work. And there
are no low-cost alternatives to do this, so this is really a challenge
and impedes the process. Another challenge was how to take the
level of documentation and testing to a higher level; then it
became, What processes can be implemented to get it done, and
how can the compliance process be simplified? Other challenges
included keeping people’s interest in the project. Employees
understand that it’s important, it’s a regulation.
But getting an operational manager’s interest when the manager
is concerned with meeting sales targets is difficult. To keep
this on the radar screen is the real challenge. Another challenge
is getting the internal audit and finance staff to stay focused
and excited about the project.
A significant challenge was that resources—everyone
working together to be successful and recognizing that it is important
to the company, like continuing the SAP journey and doing implementations
or driving key corporate programs—had to take a backseat
to the implementation project. There were some inefficiencies
in the compliance project, especially in the early stages, and
the company had to work cooperatively to move the project to a
more efficient stage.
are the key benefits of the compliance project?
The benefits include better discipline in the company’s
financial processes; improved documentation around all of its
key controls; a more thorough understanding of controls and risks;
and a very clear demonstration of control activities through to
financial exposure, which provides the company with a more direct
understanding of how a control impacts the financial risk of the
One benefit is more enhanced documentation of business processes
and business controls. Also, the company has a better understanding,
a more-detailed linkage of how its business operations relate
to its financial statements and financial reporting. The compliance
project also pointed out some opportunities for operational efficiencies.
The concepts of enterprise risk management, governance structure,
and organizational design follow from SOX implementation. Like
many corporations, LMN didn’t have a formalized ERM process,
but the SOX project helped develop the ERM process.
kind of training does your company provide for the compliance
The company did a series of training on SOX 404,
ensuring that employees understand the requirements and how it
impacts their work. UVX has internal control coordinators whose
job is to work with every control owner in the platform and ensure
they understand their responsibilities. If a new person comes
in and another person leaves, companies need to ensure a smooth
transition. Control owners also go out and train staff onsite
about the audit process so they understand what the new audit
process will look like, and what their audit responsibilities
are. The company also has a great deal of online training. Control
owners have an online SOX course to help them understand what
Perhaps the biggest challenge was to educate the
entire corporation about the basic nature of the new compliance
project, and what the specific requirements were. The company
experienced some resistance from business managers who questioned
whether this was their responsibility. The company established
a formalized educational program to clarify expectations, roles,
and responsibilities. A big challenge was getting nonfinancial
people to understand the control activity. LMN found that employees
could describe their business process, but they didn’t understand
it in the context of the controls.
your company have any training in ethics?
The company has a large compliance structure that
includes both ethics and compliance—not just compliance
with laws, but making the right choices about areas of responsibility.
Compliance officers in each of the company’s platforms ensure
that ethics programs are in place. An annual business ethics survey
is required of all employees to attest to their responsibilities
and disclose areas where there might be conflicts. The
company has an online training course, with 16 modules on everything
from the Foreign Corrupt Practices Act to safety, health, and
environmental issues. The company’s risk-assessment process
includes a formalized process to understand exposures and mitigating
company also has an annual ethics day where the top 250 leaders
across the company come together with the CEO and outside speakers
to work on cases, talk with outside experts, and reflect on the
ethical and core values of the company.
Top management support and buy-in are important
for internal controls to be effective. In addition, the organization’s
ethical and business practices are also very important. The company
has something called “six values” that run its business,
such as ethical behavior and ways of doing business. A business-conduct
policy is reinforced through corporate accountability and reputation
training. All employees have to take a refresher course once a
year, and a case study addresses some potential wrongdoings and
do you manage the size of key control activities?
One real challenge was to identify key controls.
This was a new experience for both the company and the external
auditors, and we spent a lot of time debating among ourselves.
When we started on this journey we went too far and too deep.
All of us had too many controls; we didn’t concentrate on
key financial statement accounts; we looked at some operational
issues we really didn’t need to; and as a result we did
a lot more work than necessary. As the law evolved, the PCAOB
got involved and made it clear that the focus of the compliance
project is the controls over financial reporting and not the operational
are now looking at a 50% decrease in the number of control activities
that we’re documenting and testing. That was one key lesson.
A lot of the reduction of key control activities
is done through standardization of internal controls, and simplification
and automation. UVX reduced key control activity by one-third
from 2004 to 2005 and had a target of another 20% reduction in
2006. Much of that happened through centralizing and efficiency
in using a database or technology tools. For example, the SAP
process has been greatly simplified. One person can flag exceptions
and notify those people where the exceptions exist rather than
having 40 people do that, so now that control owner is one person
instead of 40 people.
you talk more about the information system that has grown out
of the compliance project?
The company uses a tool called VIRSA, which is manufactured
by SAP. UVX also developed internally a documentation database
so its auditors can get documentation online for any of the activities
in the platform. It allows them to do much of their work centrally
and then go out to the sites only for sample testing and validation.
The company’s control database allows it to do validation
testing on all of the reports that need to be run in SAP, to verify
that key controls are operating effectively.
The company has a system that links into its human
resources (HR) hierarchy and its information technology (IT) systems,
and forces documentation updates, summarizes reports, and prepares
reports for management. LMN also created a formal SOX website
on its intranet, so anyone with questions about Sarbanes-Oxley
can get answers quickly. Its employees do not need to be SOX experts,
but they should be familiar with its requirements and how SOX
applies to their jobs.
are the most important lessons you have learned so far?
Extensive time is required in implementing the process, and the
remediation process has to happen much sooner and with much more
effort. Companies must continually keep their employees aware
of this. After initial implementation, employees may not think
it’s important anymore, so they need to be reminded that
the process is ongoing.
Discipline is required in meeting the financial requirements,
and evidence must support it. Companies must have discipline and
must go through all the documentation because it places requirements
on the organization, and meeting those requirements creates the
institutional discipline around what’s needed and required
there any unresolved issues in your compliance project?
SOX needs to address the broader issue of management
governance and controls, the higher-level issues.
More research is needed. The implementation project
provides a disciplined approach to looking at internal controls
and audits, but it will not guarantee the prevention of fraud.
are some opportunities for improvement?
Year one was a learning opportunity for all parties involved in
terms of expectations, approach, and results. In the future, more
focus should be on a risk-based approach versus simply “executing
the audit program.” Implementation of COSO II and its risk-based
approach will help. In addition, SOX section 302, about the disclosure
control procedure, is just as important but is more or less being
are your SOX section 404 “leading” practices?
Senior leadership was actively engaged through a
SOX steering committee. Routine meetings were scheduled among
finance, IT, business unit, and operations personnel. There was
a clear agreement about corporate and operations responsibilities.
The design, the control catalog, the evaluation process and definition,
and the documentation template are the responsibilities of the
corporate unit. On the other hand, the actual evaluation, documentation,
and remediation are the responsibilities of the operations section.
The company integrated internal and external audit plans in 2005.
There were improvements in the audit process, with more reliance
on testing and joint audits. UVX also created numerous networks
for communication, which include a global SOX coordinators’
network, regularly scheduled internal audit and external auditor
meetings, a controllers’ network, a remediation network,
and a SOX 404 website for education and training. The controllers
are responsible for the initial deficiency analysis and the initial
likelihood/magnitude rating, but the final classification is senior
financial leadership’s responsibility.
Separate from the internal control group, we created
a dedicated global internal controls organization charged with
the coordination of ongoing SOX compliance by 1,100 global business
process control owners. To eliminate internal controls conflict,
we had one full-time individual spend a year analyzing the “internal
controls conflict matrix” and reviewing them conflict by
conflict (e.g., an IT control fix or a manual control fix). In
the context of governance and setting policy relative to SOX compliance,
we also have a SOX steering committee that consists of the corporate
controller, the corporate legal secretary, the chief information
officer (CIO), the director of internal audit, and the external
do you think might happen to SOX in five years?
SOX will be less administratively complex. It will
be simplified and focus more on corporate governance and enterprise
risk management instead of some of the lower-level requirements
we see today. And there will be some convergence with requirements
SOX is already becoming the way we do our work;
the framework is there, and the discipline is in place. Improvements
will be made, but in general it’s become a standard, and
so it will be less of an event and more of an underpinning.
advice would you give smaller businesses or not-for-profit organizations
that plan to review their internal control processes?
A formal governance structure is needed to implement
the process. The structure may include a steering committee that
has overall management oversight and management support. The steering
committee should consist of people from different areas, such
as the CFO, IT, and operations management. A long-term plan to
sustain the effort is also needed.
Companies that are starting fresh can learn from
those that have gone before them, and a host of readily available
processes are out there that one could adapt. A not-for-profit
or a company entering the public finance arena should use these
models as a framework to implement the requirements of SOX using
their basic internal controls already in place. SOX can help reinforce
a company’s existing fundamental controls. Internal controls
must be embedded in the fabric of an organization.
Challenges, Key Benefits
learned a number of lessons from these interviews with SOX compliance
officers. First, leadership is the most important ingredient for
a successful SOX compliance project. Top management must drive
the program, and this will encourage ownership of the project
by people throughout the organization. Establishment of and adherence
to documentation and testing guidelines are also necessary.
challenge is how to control the cost and cost-effectiveness of
the project. Inefficiencies in the compliance project, especially
in the early stages when people are learning the rules and regulations,
must be overcome to improve cost-effectiveness. Other challenges
include how to take documentation and testing to a higher level,
how to simplify compliance, how to maintain people’s interest
in the project, and how to motivate and recruit new talent to
implement the project.
of a SOX compliance project include better discipline in the company’s
financial processes, improved documentation of key controls, and
a more thorough understanding of controls and risks. Implementing
the compliance project provides a more detailed understanding
of the linkage between business operations and financial reporting.
It also strengthens entity-wide governance, and uncovers more
opportunities for operational efficiency though a standardized
business process and internal controls.
the compliance project requirements was one of the biggest difficulties
faced by the interviewees. This encompassed designing, staffing,
supporting, and implementing all the aspects of the project. Internal
control documentation under SOX is much more specific than it
was in the past. There is no guesswork involved, and it should
make the audit process much easier. Both of the companies discussed
above established a formalized education program to clarify expectations,
roles, and responsibilities. A big challenge was getting nonfinancial
people to understand their process in the context of the controls.
In addition, the companies examined here have offered employees
training in ethical behavior and ways of doing business.
activities were reduced through the standardization of internal
controls, as well as simplification and automation. For internal
controls to be effective, top management support and buy-in, and
the organization’s ethical and business practices, are all
important. Both companies have information systems in place to
support documentation updates and report preparation. In the future,
the authors believe that a greater focus should be placed on a
risk-based approach. In this respect, the implementation of COSO
II will help, as it provides a disciplined approach to looking
at internal controls and audits.
years into the future, the interviewees expect SOX to be simplified
and to be focused more on governance and enterprise risk management.
Improvements will be made, but in general, SOX will become less
of a disruptive event and more of a standard.
Kathy Ho, PhD, and Alfonso R. Oddo, MBA, CPA,
are professors of accounting in the college of business of Niagara
University, Niagara Falls, N.Y.