Taking control of internal controls: the 411 on Sec. 404.

The text of the Sarbanes-Oxley Act, Sec. 404, Management Assessment of Internal Controls, contains only 173 words. But in its practical application, it contains so much more.

Sec. 404 requires publicly traded companies to include in their annual report an assessment of the effectiveness of their internal controls over financial reporting and the accompanying auditor's report. Though designing and maintaining a company's controls always has been the purview of management, Sec. 404 adds the tasks of annually evaluating, testing and reporting on internal controls. And, as most companies grappling with Sec. 404 can tell you, it is no small task.

Compliance is proving to be labor intensive and costly as many companies invest in new software, hire consultants and re-train staff. According to a survey by Financial Executives International, the average cost per company of first-year Sec. 404 compliance was nearly $2 million--or approximately 12,000 internal staff-hours and 3,000 external work-hours--plus additional auditor fees of roughly $590,000. And in a study conducted by the law firm Foley & Lardner, companies reported that the average cost of being public climbed from $1.24 million before Sarbanes-Oxley to $2.86 million in 2003, with audit fees rising 23 percent between fiscal years 2002 and 2003.

"Don't underestimate the task involved," says CPA Bill Scully, controller for San Diego-based Pioneer Speakers, Inc., a subsidiary of Pioneer Electronics Inc. "Sec. 404 is seemingly straightforward at the front end, but as you look at all the aspects involved, it opens a Pandora's box."

The enormity of this compliance initiative has forced the SEC to push back the Sec. 404 deadline from June 15 to Nov. 15, 2004 for "accelerated filers"--any U.S. public company with a market capitalization of more than $75 million that has filed at least one annual report with the SEC.
While the effort required to comply varies according to business size, every publicly traded company--whether it has $1 million or $1 billion in revenue--is required to comply.

THE COSO FRAMEWORK

CPA Kris Dunning, an audit partner with Moss Adams LLP and lecturer for the California CPA Education Foundation, has advised numerous companies on Sec. 404 compliance. The first step, he says, is deciding on a framework since Sec. 404 doesn't tell companies how to document and test internal controls, only "that they need to use an accepted model," he says.

A majority of companies are adopting the framework authored by the Committee of Sponsoring Organizations of the Treadway Commission, a voluntary organization formed nearly 20 years ago to work on ways to improve the quality of financial reporting. The COSO model has five components: control activities; the control environment; risk assessment; information and communication; and monitoring.

Control Activities: Most companies already are focused on control activities--policies that ensure management's directives are carried out, such as segregation of duties and policies that authorize and verify transactions.

Control Environment: Establishing and communicating throughout the company a corporate code of ethics ... whistleblower provisions.

Risk Assessment: Determining the risks present in each of a company's business processes. For public companies, high-risk areas "will be subject to interpretation," and might include revenue recognition and equity transactions, Dunning says. Risk assessment "can provide some initial guidance as to how much you're going to focus on the actual control activities, depending on the risks," he adds.

Information and Communication: This consists of processes and systems that support the exchange of information in a form and time frame that enable people to carry out their responsibilities. "It also deals with the access to internally and externally generated information, how you're communicating things to the outside and provisions to make sure insider information is not getting out," Dunning says. "That's an area that most companies haven't documented very well under an accepted framework."

Monitoring: In the past, monitoring internal controls was a function of the internal audit staff at large corporations. But COSO's monitoring element "goes beyond testing existing controls to a continual reassessment of the controls in light of any changes to an individual process and whether those controls remain effective," Dunning says.

Because Sec. 302 of Sarbanes-Oxley requires a company's officers to certify financial statements and give certification with respect to internal controls, many companies are starting to monitor quarterly, either by developing internal resources or outsourcing the monitoring job to consultants or other CPA firms.

"Companies now want some sort of internal due diligence to make sure they haven't had any breaches in internal controls or that the controls haven't changed substantially from prior periods," Dunning says.

DOCUMENTATION

The most challenging aspect of Sec. 404 concerns the high level of detail required in the documentation of internal controls. Companies must be able to demonstrate to an outside auditor that internal control procedures are effective and how they work.

"Instead of simply having internal controls in place, we now have to provide evidence that the controls are in place," says CPA Shauna Barker, U.S. controller for PMC-Sierra, Inc., a Santa Clara-based semiconductor company. "The documentation requirement is a bear."

Esfandiar Naddaf, CPA and vice president of corporate audit for Milpitas-based contract manufacturer Solectron Corp., believes his company had a head start since it switched to the COSO framework five years ago.

"We've completed the first round of documentation, assessment and testing, and our early adoption of COSO-based self-assessment had a lot to do with that," Naddaf says. "But having said that, documentation remains a challenge."

For educational toy ... and outside accounting consultants."

After identifying the internal process owners for all the major functional areas, the first wave of documentation narratives were written. But while some process owners completed the documentation, "we found that the work was more efficiently done by having accounting consultants partner with the process owners," Curley says.

Pioneer Speakers' Scully adds, "Things you would normally take for granted have to be documented each step along the way. You have to create documentation for items or steps that used to be practically intuitive. But you can't rely on intuition anymore."

TESTING

Once internal controls are documented, a company will test them before bringing in an outside auditor, who may find weaknesses in the controls and typically would want to see those improvements function for several months.

"For a company to expect to be able to demonstrate in less than a quarter that those processes are functioning as they've been modified, that may not be acceptable to the auditors," Dunning says.

The first wave of compliant companies should finish documenting control activities "no later than the end of August, and that's a worst-case scenario," Dunning says.

Though the SEC has pushed back the Sec. 404 deadline, this extension shouldn't be seen as a grace period. "Companies might have looked at that extension as a way to put this on the back burner," Dunning says. "But I recommend they use the extension for contingencies that might come up during the process."

After spending nearly a year formulating a plan and documenting controls, "this may be one of those projects where the last 10 percent of the project could take 90 percent of the effort," PMC-Sierra's Barker says.

TIMING IS EVERYTHING

Since nobody is sure how stringent the testing will be, companies with later fiscal years have the benefit of time to learn from others' mistakes.

"I suspect we'll learn from the experience of our colleagues of what the pitfalls are," says Scully. Though Pioneer Speakers has a March 31 year-end, the company is revising its financial software system in conjunction with the compliance effort. The company's factory in Tijuana and its headquarters in San Diego use different financial software, resulting in manually generated journal entries, "and that's something that worries our auditors," Scully says.

Waiting to see how the first round of filers fare is only one advantage of filing later. The maturation of Sarbanes-Oxley compliance software is "where some of the later companies will have the most advantage," Dunning says.

But waiting too long to begin the compliance effort is risky. "By waiting longer, there may be more tools available, but some of the better resources out there, like consultants, may be committed to other projects if you wait too long," says Dunning.

THE DECENTRALIZED DILEMMA

While Sarbanes-Oxley applies to companies of all sizes, larger, decentralized companies may have the most challenging compliance effort. "Once you have external locations ... you may have to go through the same process several times," Dunning says.

Solectron is a highly decentralized company with facilities in Australia, Europe, Central America, South America, Canada and the United States, and more than 100 factories spread across the globe. Getting everyone on the same page is a challenge.

"There were different processes in different parts of the company, since we grew through acquisition," Naddaf says. "And each factory has its own financial staff and operations."

The company has more than 300 business process control managers, regional internal control managers responsible for coordinating and documenting controls and performing assessments. Naddaf holds weekly calls with each business process control manager and spends a good deal of time visiting each site around the world.

Solectron adopted a new web-based tool that allows Naddaf, the project team and process owners to chart the company's compliance progress. "It allows us to monitor the implementation of the action plans and also to give a consolidated view to management of our progress," Naddaf says.

Bio-Rad Laboratories, Inc., a Hercules-based manufacturer and distributor of life science research products and clinical diagnostics, is another study in decentralized organization. The company has offices and manufacturing entities in more than 30 countries, with only 35 percent of their annual $1 billion in revenue coming from the U.S.

"When you're dealing with people worldwide and talking about something as complex as SOX, without good communication there's no assurance you're heading down the right path," says Christine Tsingos, vice president and CFO at Bio-Rad.

The company has more than 400 business process owners worldwide, responsible for assessing and reviewing internal controls. The company even produced a series of webcasts, translated into many different languages, to provide a reference point for those business process owners.

"The first was a webcast on why this is important to the company," Tsingos says. "And the others go into detail of what internal controls are covered and what we need to do to properly implement and test them. We're a highly diversified and decentralized organization; we have operations that have grown up with the company and others that have come via acquisition. That's the greatest challenge for us, uniting them all."

THE COST

While it's still early in the process, there are indications that compliance doesn't come cheap. PMC-Sierra, a company with $250 million in revenue last year and 1,000 employees, estimates that it will spend nearly $400,000 combined on consultants and software, with the total cost coming to nearly $750,000.

LeapFrog estimates that "not counting internal allocation of time," it will cost $500,000 just for the documentation effort. Curley expects the testing phase to cost an additional $150,000 to $300,000 "if everything goes smoothly."

Bio-Rad estimates the compliance effort will cost "well in excess of a $1 million," Tsingos says, factoring in outside consultants hired at various locations, the man-hours of 400 business process control owners, a two-person full-time internal audit staff and whatever their auditors will charge for attestation.

Solectron estimates that from April 2003 to April 2004, the company spent in excess of 30,000 staff-hours internally worldwide. The bulk of that time was spent training business process owners on new software and Sarbanes-Oxley, and on the testing effort.

THE BENEFITS

So what does a company get in return for all of those staff-hours and hundreds of thousands of dollars?

"I look at it as a process improvement tool," Solectron's Naddaf says. "If business process owners look at this purely as a compliance exercise, the company won't take full advantage of the benefits.

"It will help us identify best practices," he says. "It will help us see how we can do things better, how we can improve."

Sec. 404 may serve as an internal audit function for mid-tier companies that might not have previously had one.

"If you're a mid-tier company, you wouldn't revisit the internal control structure and environment all that frequently," says PMC-Sierra's Barker. "For us, it is going to increase the frequency of the review and tighter controls do lead to better business practices."

But in the end, Sec. 404 compliance should do what it's designed to do--making financial statements more reliable.

"The reliability of the information that's coming out quarterly will continue to improve as companies get fully integrated with effective controls that are monitored on an ongoing basis," Dunning says. "It should make restatements much less likely."

And if companies approach this the right way, Sec. 404 compliance can teach them something about themselves.

"The efficiency of the utilization of their own people will improve," Dunning says. "You could figure out ways that you can utilize the system to do some of the control activities, or where there may be duplicate controls, which also can cut down on the overhead. There may be ways to re-evaluate the whole way that a company does business."

Jerry Ascierto is Ca/CPA's associate editor. You can reach him at jerry.ascierto@calcpa.org.