Year-two Section 404 compliance: smart companies are working smarter; Following the second FEI forum on Sarbanes-Oxley Section 404 compliance, FERF spoke with several participants about what practices are helping them achieve better, easier and less-costly approaches to compliance.
There's no question that complying with year one of Section 404 of the Sarbanes-Oxley Act was painful--even more painful than expected--for publicly traded companies. Having spent an average of over 26,000 hours and $4.3 billion, as reported by Financial Executives International (FEI) in August, testing and attesting to thousands of internal controls and often enduring strained relationships with auditors, companies anticipate year-two compliance to improve.
Indeed, guidance from the Public Company Accounting Oversight Board (PCAOB) and the U.S. Securities and Exchange Commission (SEC) last May is expected to aid efforts to develop better, easier and less-costly approaches to Section 404 compliance.
To identify these better approaches, FEI's Committee on Corporate Reporting (CCR) hosted a meeting in Dallas in mid-September, where Section 404 implementation team leaders and their senior managers from some of the nation's largest companies exchanged their successful approaches to compliance.
As expressed by William Hogan, senior vice president-Finance for Computer Associates International, his company "is intensely committed to implementing a best-in-class regulatory compliance program, including application and adherence to Sarbanes-Oxley and the spirit of the regulations." In essence, he is seeking to learn best practices. With year one now under their belts, Financial Executives Research Foundation (FERF) spoke with some of the forum participants, to highlight key practices that are working well at their companies.
Microsoft Corp.: Reducing the number of key controls.
Saul Gates, director of the Financial Compliance Group (FCG) at $39 billion software developer Microsoft Corp., wants to reduce the number of Microsoft's key controls. Each year, each key control must be tested first by management, and then by the external auditor, and such testing can be expensive.
Gates (no relation to Chairman Bill Gates) was hired away from PricewaterhouseCoopers in May 2004 to head up the FCG at Microsoft. The FCG developed an internal control framework and control documentation templates for all of Microsoft's process owners in more than 100 countries.
"Microsoft decided early on that management would 'own' responsibility for all business process controls," recalls Gates. "We developed the methodology, cleared it with Deloitte (its external auditor), and gave it to the process owners. They, in turn, developed their own control sets." The process owners, he notes, do their own design assessments, and other members of management then test the controls.
When Microsoft first tallied its key controls in its year ending June 30, 2004, 7,500 were identified. At its 2005 audit, the number was reduced to 5,200. Gates says the goal for 2006 is to reduce that number to under 4,000, thus cutting its key controls by almost 50 percent.
How will this be accomplished? Gates describes three approaches:
1. Take some significant accounts out of scope. Most companies currently have revenue or balance sheet coverage ("scope") of 85 to 90 percent--which is significantly greater than what is required. If an account is considered to have a remote risk of being materially misstated, it can be taken out of scope, and the associated controls then do not need to be tested. Currently, Gates is actively identifying which accounts can be taken out of scope, so that the associated key controls can then be eliminated.
2. Identify lower-risk areas where reliance on company-level controls is sufficient. Routine transactions may be considered low-risk, and testing every transaction process can be time-consuming and costly. There are opportunities to test mid-level or company controls and alleviate the necessity to test routine transactions. Gates says, "We are becoming smarter about what's really relevant to our SOX assertion."
3. Critically assess the necessary number of transaction-processing controls. Controls on many related transactions may be redundant. By evaluating the transactions and respective controls, redundant controls can be combined or eliminated to achieve sufficient coverage.
Gates says the payroll function is a good example of Microsoft's process to reduce its number of key controls. In 2004, Microsoft had 28 individual key controls in the payroll function at each of 18 payroll locations. This could require testing over 500 key controls for the payroll function alone. After careful evaluation, the number of payroll processes was reduced to 20 and the number of locations to 10. This resulted in 200 key controls in 2005 at the transaction level. At the company level, one level up, there are two primary company-level controls: compare actual to budget and analyze average cost per headcount.
Reducing 200 to two is Gates' goal for 2006, and two events may help him get there:
* The May 16, 2005 guidance from the SEC and PCAOB asks external auditors to "use a top-down approach that begins with company-level controls, to identify for further testing only those accounts and processes that are, in fact, relevant to internal control over financial reporting;" and
* a better understanding by both management and the auditor of the complete set of controls throughout the company. As companies went through the deficiency evaluation process, they gained a better understanding of which controls they were truly relying on to prevent or detect errors or misstatements. Careful evaluations of key controls based on this new understanding will show where the number of controls can be reduced without lowering the quality of the overall system of internal control.
Medtronic Inc.: Looking for process standardization.
Brenda Lovcik, Director of SOX Compliance at Medtronic Inc., stresses the importance of keeping the business on track--including information technology (IT) system implementations--by being proactive and working closely with the company's external auditors. (Medtronic's auditor is PricewaterhouseCoopers.)
Lovcik was working in Internal Audit in May 2003 when Medtronic began to plan for Sarbanes-Oxley Section 404 and she was tapped to head the compliance effort. "Rather than wait for the external auditors to tell us how to comply, we were proactive in developing a plan and working with our auditors to get them comfortable with that plan," says Lovcik.
Medtronic is a $10 billion medical device company that had been very decentralized, but documentation for compliance with Section 404 has demonstrated the benefits of standardization. "We would like to see more process standardization," she says. "This will help us with future acquisitions and overall growth of the company."
Part of the standardization effort includes a worldwide implementation of SAP as Medtronic's single enterprise resource planning (ERP) system. Prior to 2005, the company had a limited implementation of SAP for just its general ledger. When Medtronic wanted to do a major implementation of other SAP modules for its European operations in January 2005, the external auditors advised against it, given Medtronic's fiscal year-end, which is the last Friday in April. "We did decide to delay implementation, but for business reasons, not for compliance reasons," says Lovcik.
What's next for Medtronic? "In conjunction with the worldwide implementation of SAP and the increased importance of process standardization, the organization has taken on an initiative for global process improvement," says Lovcik, and she'll be one of the individuals to lead that effort as she moves from her 404 implementation role. She's been named Director of Global Process Improvement for Intercompany Consolidations and Profit Elimination.
Corning Inc.: Taking a "top-down" approach to risk and planning.
James I. Michaelson, manager of Accounting Policy and Procedures at Corning Inc., explains the benefits of risk assessment and a risk-based approach to auditing. Having worked in a number of positions for Corning, he moved into his present position in March 2004 to take the existing Sarbanes-Oxley compliance project from the planning phase to completion.
Corning, a $4 billion diversified-technology company with multiple operating segments, outsources its internal audit function to one Big Four firm (Ernst & Young) and another Big Four (PricewaterhouseCoopers) serves as its external auditor.
By March 2004, Michaelson noted, a lot of the documentation had already been done by management, working with the internal auditors. Michaelson's compliance goal in 2004 was to standardize business processes, internal control matrices, documentation and testing.
"In year one, the external auditors were risk-averse, because their primary guidance was Auditing Standard 2 (AS2), which was finalized during the summer of 2004," says Michaelson. "However, the PCAOB's May guidance suggests auditors use a risk-based, or top-down, approach to auditing. We interpret that guidance as a license to use judgment." In response, he says, his company has prepared a risk-based approach in conjunction with its external auditors, "which we see as a much more practical approach to auditing, while ensuring 404 compliance."
The real benefit from this risk-based approach, says Michaelson, is more value from Corning's audit dollar. "If you had a good first year, your auditors should be able to rely more on management's work and redirect efforts toward more risk-based areas."
For Corning, this also means shifting internal audit dollars from "coverage-only" areas (year-one approach) to rotational auditing (coverage beyond 404 and risk). Year one involved extensive testing to comply with AS2, with most large locations being audited comprehensively to maximize coverage and limit risk.
Now, Michaelson says he expects reductions in external audit hours in year two, but doesn't necessarily expect to reduce internal audit hours since he can now spend them on "value auditing." The goal there is to reintroduce a robust internal audit that satisfies 404 and provides healthy monitoring for all locations.
Time Warner Inc.: Going forward; finding the value.
Pascal Desroches, vice president and deputy controller for Time Warner Inc., has responsibility for overseeing the application of Time Warner's compliance with Section 404 on behalf of the company's controller, CFO and CEO. Besides Sarbanes-Oxley compliance, he's responsible for the company's external financial reporting, accounting policies and overall technical accounting matters.
Time Warner generates $42 billion in revenues from a variety of different media and entertainment businesses, including cable systems, cable and broadcast television, Internet, magazine publishing and filmed entertainment.
Desroches says that even though Time Warner had audited its systems of internal control over financial reporting in both 2001 and 2002--under the previous standard--in year one of 404 compliance, it spent significantly more time than it did under the prior standard, including areas that were considered low-risk and where problems were not expected. Desroches notes that both Time Warner and its auditors (Ernst & Young) interpreted the new rules as requiring more documentation and testing than the previous standards.
Did Time Warner realize benefits in year one? Overall, says Desroches, a significant benefit was that "it really helped raise the level of control consciousness throughout the organization." While the finance organization "always appreciated the importance of control," he says, what 404 did was to drive "that same mindset to not only finance, but to all personnel in our businesses."
Reflecting on year one relative to expectations, Desroches says, "This was one of those areas where we didn't have a basis for [comparison]--like accounting rules and other things. Over time, you gain experience with them, and know what to expect, regarding the interpretations and how things have been applied historically. This was new to everybody, and it was going to be interpreted by an organization that itself was new."
Desroches expects 2005 costs will go down, largely due to a lack of the start-up time experienced in 2004. Also, he comments, "In order for this to be sustainable, it can't be a project management approach. We have to begin to weave compliance into the way we perform controls around the company."
In that regard, he says, Time Warner is transitioning to a self-assessment approach, with the control-process owners being responsible for ensuring that controls are functioning, coupled with a robust monitoring program by internal audit and the internal Sarbanes-Oxley compliance team. He's aiming to be completely transitioned by the end of 2006.
Desroches expects internal resources to continue to be utilized at the same level, but he's hopeful that Time Warner will save by devoting less time to third-party consultants, as well as needing less work by internal audit.
Desroches says the PCAOB May guidance was "very helpful, and had the right tone," as it relates to having both the company and its auditors being more pragmatic and using more judgment--all with a risk-based approach. But, he warns, "There needs to be a consistent message that emerges from the PCAOB's 2005 inspections process."
For example, he says, if, in the examination process, the PCAOB sends a message that the public accounting firms didn't do enough in their review, or that companies didn't do enough in support of management's assertion, "one potentially unintended consequence may be that, notwithstanding the May guidance, the auditor's interpretations will continue to be fairly strict and fairly narrow."
William M. Sinnett (email@example.com) is Director of Research for Financial Executives Research Foundation (FERF). Ellen M. Heffes (firstname.lastname@example.org) is Executive Editor for Financial Executive and Web Content Editor for fei.org.
RELATED ARTICLE: takeaways
* When Microsoft first tallied its key controls (June 30, 2004), 7,500 were identified. At its 2005 audit, the total was 5,200; by 2006, it's aiming for under 4,000.
* Medtronic stresses the importance of keeping the business on track--including IT system implementations--by being proactive and working closely with auditors.
* At Corning, the benefit from using a risk-based approach to compliance is more value from its audit dollar. While the amount spent won't change in year two, it will be spent on "value auditing."
* Time Warner's realized benefit was a higher level of control consciousness throughout the organization.