Designing a Section 404 project: Financial Executives Research Foundation looks at the technology used and future implementation expectations for Section 404 projects.
With an original requirement for implementation during the 2003 reporting year and only vague guidance from the Securities and Exchange Commission (SEC), implementation was a challenge, and executives began developing action plans. They expressed confidence that their company's internal controls were adequate. However, the CEO and CFO, who would now be required to attest to the adequacy of the controls, had no visibility into their control systems and no quantitative assurance about the extent of controls testing.
Financial Executives Research Foundation (FERF) queried executives to determine how Section 404 projects are organized and executed and what technology is being used to gather the mass of internal control documentation needed to ascertain compliance. It also identified implementation challenges and expectations for future compliance.
"The first year of compliance will be the most costly, as companies use consultants and new technology to document and evaluate processes. But, they are positioning themselves to go forward on a self-sustaining basis with the workforce currently in place. We don't see companies hiring new employees dedicated to Section 404 compliance," says James DeLoach, managing director at Protiviti Inc., in thoughts echoed by others.
The key personnel requirement is a project manager with a background in finance, to manage and direct multiple departments and timelines. Whether from internal audit, accounting, treasury or another finance area, the project manager's expertise is valuable. Greg Jamieson, project manager for Section 404 at The Coca-Cola Co., cites his internal audit, corporate and international finance experience as advantageous.
"I have a good understanding of how financial information flows throughout our organization. This knowledge has been a great asset to me as we implement Section 404," says Jamieson.
Steve Miranda, vice president of financial applications for Oracle Corp., says, "Good corporate governance requires an integrated set of systems focusing on control, visibility and efficiency." Tactically, for most, the Section 404 solution serves as a central repository for internal control documentation; it also facilitates the testing of controls by internal and external auditors and provides a portal for executive review.
Vendors are offering applications that use word processing, spreadsheets and diagramming/flowcharting tools to document the processes and internal controls, then organize the information according to user specifications. Some offer the ability to view best practices for internal controls or the Committee of Sponsoring Organizations (COSO) Integrated Framework. Other solutions provide for testing certification of controls by the business owner and the auditor. Most products are Web-enabled, allowing a company with more than one location to use the package with minimal information technology staff.
Various options are also available for organizing information within the application. Paisley Consulting's Risk Navigator offers users the ability to determine significant accounts from the financial statements. Processes associated with those accounts are identified and assigned to process owners. Internal controls are documented and tested, and process owners can sign certifications for each process on a quarterly basis.
At Microsoft Corp., documentation is organized under transaction cycles (billing cycles) supported by Microsoft's SharePoint Portal Server, a document-sharing Web site portal. The product is used to track internal control documentation that is updated quarterly.
Oracle's Internal Control Manager works in concert with its Tutor product. Tutor is the central location for process documentation, which is organized by process flow. Internal Control Manager allows the user to define audit attributes, like specific general ledger accounts and process owners, associated with each process. It also allows for identification of risks and mitigating controls.
Making the Decision
Miles Everson, a partner in PricewaterhouseCoopers's Global Risk Management Solutions Group, comments that "few companies put the same rigor into application selection for Section 404 as they did for enterprise resource planning (ERP) or other enterprise applications," because of a lack of time and of a view held in many companies that ensuring compliance was a corporate function. When selecting enterprise applications systems, many departments become involved in or have input into the process through requirements documents and gap analysis; this was not the case for Section 404 software.
Another factor impacting application decisions is the availability of software packages. Prior to the SEC's June decision to extend the Section 404 deadline to fiscal 2004, the proposed ruling called for 2003 implementation. Because of this and the requirement for attestation covering the entire reporting year, financial managers were eager to put something in place.
Jamieson says when Coca-Cola began searching early this year, it found few packages meeting its criteria. It was looking not only for a solid solution from a reputable vendor, but one that was accessible worldwide, Web-based, easily adaptable to its business and that fit well in its existing IT infrastructure. It chose Paisley's Risk Navigator.
Section 404 implementations are giving birth to a business term once relegated to the jargon of consultants: process owners. Process owners are the new heroes, as managers conclude that one person or department cannot be responsible for full Section 404 compliance.
Rollout of Section 404 software requires education--not just on new software, but, in many cases, on processes and internal controls. "A control background is necessary for identifying controls. Even within our audit department, we are finding a need for [additional] education around internal controls," says Elizabeth O'Farrell, executive director and general auditor of Eli Lilly and Co.
Many companies have formed teams charged with leading initial implementation efforts that typically include process and internal control documentation and training. However, process and business owners still play the most important role in Section 404 compliance, since they are the ones responsible for the processes. Existing teams may change as initial documentation is completed and process owners become more educated.
For example, Coca-Cola's internal audit department is initially handling the company's rollout, which includes documenting processes and testing controls. During this fieldwork, the internal auditor will train field personnel on the Risk Navigator application.
Lilly's rollout plan has two stages: documenting process and controls, then testing. O'Farrell says the company is developing a testing plan using the COSO framework and will integrate it into its existing audit plan.
As Section 404 implementations progress, financial managers are uncovering challenges. For example, processes and controls are not the only important pieces of information in internal control documentation. "Financial information that requires a high degree of judgment often comes from disparate sources within a company. The processes behind disparate sources, like models or assumptions, need to be identified, documented and tested. So a compliance tool needs to capture both the processes and the data flows producing financial statement amounts," says PwC's Everson.
The example he provides is the analysis for the allowance for doubtful accounts, a highly subjective number on the financial statements. A company may document its process as quarterly evaluation by the collections manager, but the information that really needs to be documented is what assumptions were used by the collections manager in the evaluation.
Another challenging area involves IT controls, a key area since so many of today's business processes are IT-driven. "One of our core team members has an IT background [to ensure IT issues are considered during implementation]," says Koen Van Loock, project leader for Section 404 at Lilly. "A general IT controls section is included in the documentation of each process and must be completed by a person with an IT background," he adds.
In the testing phase of Section 404 implementation, financial executives are finding little or no specific guidance on the extent of testing required for compliance. "Management will not get specific guidance for testing. It is management's responsibility to decide what is necessary to make the assertion that controls are operating effectively," says DeLoach. Protiviti encourages clients to consider a range of testing methods, from self-assessment to statistical sampling, depending on the nature of the risks and controls inherent to the process and the controls mitigating those risks.
Beyond Initial Implementation
Most financial managers have enough to do this year--just with Section 404 implementation. Beyond this year, initial implementation for many companies will be complete, and managers will be taking a closer look at the costs of compliance. Once cost is determined, they will make decisions about whether they are getting value for the amount spent or whether they need to spend more for a broad-based system, such as an enterprise risk management system (ERM), explains Everson.
Many vendors believe that to ensure compliance longer-term, ERM is where Section 404 is going. In the short term, however, most companies are just doing the minimum to ensure compliance. "Sarbanes is the first step down the road of enterprise risk management," says Tim Welu, vice president of sales for Paisley Consulting. "ERM has not been adopted more readily at many companies because it is a cultural change, not a piece of software. Management must change the culture to one where each employee feels responsible for managing risk and understanding the controls that mitigate those risks."
Even further down the road, Microsoft Assistant Controller Taylor Hawes speculates that the next generation of solutions will be eXtensible Business Reporting Language (XBRL)-based. "In the larger scheme, XBRL comes into play, providing an oversight, monitoring and risk assessment component and the potential to continually monitor the effectiveness, risks and issues of significant control processes and systems."
FERF would like to acknowledge FY 04 donors who contributed in response to the FY 03 campaign, but missed the June 30, 2003 deadline.
George Aldrich, Thomas Beall, Terry Campbell, Barry Collins, Michael Connolly, Philip Cook, Alan Cyron, John Delucca, Timothy Descamps, Dennis Dooley, Reza Espahbodi, Mark Foletta, Charles Frasier, Richard Hamilton, John Kelleher, Kevin Kurihara, David Lloyd, James Malone, Roger Marchetti, Andrzej Matyczynski, Ann McNally, Stephen Melvin, Paul Middeke, William Miller, G. Clay Myers, Frank Pici, James Plake, Donald Polio, Arthur Rawl, Erich Schumann, Jack Simpson, Christine Gray-Smith, Sandra Rouhselang, United States Cellular Corp., Fred Uzzell, Kenneth West
Tiffany McCann, CPA (email@example.com) is a Research Associate and Cheryl de Mesa Graziano, CPA (firstname.lastname@example.org) is Director of Research, both with Financial Executives Research Foundation (FERF). For information on the Section 404 research study, see FERF's bookstore, www.fei.org/rfbookstore
Title Annotation: Management Assessment of Internal Controls; compliance
Author: Graziano, Cheryl de Mesa
Date: Sep 1, 2003