
Section 404 compliance: telling it like it is; It's 'showtime' for reporting on internal controls, and Financial Executives Research Foundation (FERF) asked some in corporate America, 'How's it going?' Here are a few tales from the trenches.

Investors will soon hear and read a lot about internal control. Beginning with this year's annual reports, companies will, for the first time, be reporting on the effectiveness of their internal control over financial reporting--as required by Section 404 of the Sarbanes-Oxley Act of 2002. Not all of the news will be good, because some companies will have to disclose control deficiencies that have not yet been remediated as of fiscal year end.


Companies have long been plagued by control deficiencies and weaknesses in their systems of internal control. The Public Company Accounting Oversight Board (PCAOB) has now defined three different magnitudes of control deficiencies, and has even provided examples. To the extent that control deficiencies are identified, both management and the external auditors are required to determine if they are significant deficiencies or material weaknesses (see sidebar). Only material weaknesses are required to be publicly reported. For over a year now, companies have been documenting their business and financial reporting processes and how those processes are controlled, and then testing those controls.

The Dow Chemical Co. got started early. "We started back in March of 2003," says Ron Edmonds, global accounting director for Dow. "We put together a Sarbanes-Oxley Section 404 Implementation Team, drawn from finance, information systems, manufacturing, human resources, legal and the business units, to first decide what had to be done and then implement the needed actions."

Dow decided to install Deloitte's Risk Control Tracking System to store and keep track of all the process documentation, process flow charts and control self-assessments. By mid-2003, Dow had documented most of its processes and was able to start testing the related controls.

Early Start Helpful

"We found some gaps in existing documentation and some control deficiencies, but, because we got started early, we were able to remediate the deficiencies and retest the controls," Edmonds recounts. He estimates that, all told, Dow employees spent over 100,000 hours documenting, testing, remeditating and retesting. And, while Edmonds did not attach an internal cost to the hours, if the average professional is paid $100,000 per year in salary and benefits, this total cost could approach $5 million--not including the additional costs of soft-ware and outside consultants.

Dow's Implementation Team kept its audit committee well informed of its activities and progress. "We put together written presentations for each meeting of the audit committee starting in mid-2003, and the audit committee meets about six times per year," says Edmonds. "We were upfront with any issues and deficiencies that we uncovered, and explained exactly how they would be remediated." The Implementation Team also developed special educational programs for the top 200 leaders at Dow, and has had multiple meetings with the Office of the Chief Executive.


Edmonds says that Dow has not yet decided how it will report on its system of internal controls in its 10-K. "Once we get through the process of assessing internal controls, we'll figure out how to explain it in the 10-K. We suspect that most companies will use similar language to report on their internal controls, but we don't yet know what that language will be. However, we do not expect to have to report any control deficiencies or weaknesses at Dow."

General Motors Corp. will also not have to report any deficiencies. "We have not yet found any reportable control deficiencies at GM," says Chief Accounting Officer Peter R. Bible. While Deloitte, GM's external auditor, was still testing some of GM's internal controls, Bible expects that Deloitte will issue an unqualified opinion. "We will make a statement about our internal controls in our 10-K, probably in Management's Responsibility for Financial Statements, but we don't expect to have to announce any bad news," he says.

Bible says that GM will file its 10-K on March 15, as permitted by the SEC's recent rule that will maintain the current filing deadline within 75 days of fiscal year-end. "We were certainly glad that the SEC announced this ruling. This will give our audit committee more time to review the 10-K." Before the SEC made this announcement on November 17, a company with a fiscal year-end of December 31 would have had to file its 10-K on March 1 (within 60 days of its fiscal year-end), as part of a three-year phase-in accelerating companies' deadlines for SEC filings. "If we had to file the 10-K by March 1, we would have had to change the date of the audit committee meeting, which would have required other changes in our 10-K review timeline."

On the filing timetable, Bible says: "There may be a lot of companies that will have to announce unremediated material weaknesses, and I think that they will need this additional time to plan their announcements."

Bible does concede that some surprises surfaced during GM's documentation and testing of internal controls, such as the quality of internal controls at service providers. "There is some question as to whether SAS 70 (Statement on Auditing Standard 70, Reports on the Processing of Transactions by Service Organizations) is adequate for the requirements of AS2 [Auditing Standard No. 2] as issued by the PCAOB, and this might be an issue for some companies."

Dow's Edmonds also discussed the SAS 70 issue. "We had one large service provider that decided it did not need to provide us with an SAS 70 report. We told them that if they did not give us an SAS 70, we would need to send in a team of our internal auditors, and Deloitte, our external auditor, would send in another team, and we expected that a lot of other clients would do the same. Needless to say, the provider decided to send an SAS 70 report to all of their clients."


But the SAS 70 issue is not so easy to resolve, notes Edmonds, who says another service provider also sent Dow an SAS 70 report for 2003 last July, saying that "we would not get the SAS 70 for 2004 until mid-2005. Dow's position is that the SAS 70 needs to cover at least six months of the current year activity under audit or we cannot rely on it." Edmonds recommends that companies ask their service providers for an SAS 70 that covers July to June at a minimum, and get it in the third quarter. Assuming the service provider has no changes in its internal control structure subsequently, it can then be used for the current year.


For more on how 20 large companies have implemented Section 404, and how they plan to comply in the future, see the FERF Executive Report, Sarbanes-Oxley Section 404 Implementation: Status on Structure, Process and Sustainability. The report can be ordered online at

Credit Rating Impact Unclear

A key issue to both companies and investors is how the reports on internal control will affect a company's credit rating. In October, Moody's Investors Service issued a Special Comment, "Section 404 Reports on Internal Control: Impact on Ratings Will Depend on Nature of Material Weaknesses Reported." (The document is available on FEI's Web site.) This special comment describes what the new rules require, what the new reports will say and how Moody's expects to react to the new reports.

"We are less concerned about material weaknesses that relate to controls over specific account balances or transactions," says Gregory Jonas, managing director at Moody's. "If management takes corrective actions in a timely manner, rating actions are unlikely."

"However, if a company reports material weaknesses that relate to company-level controls, such as the control environment or financial reporting process, we will bring the company to rating committee to determine whether a rating action is necessary," says Jonas.

He explains: "These types of weaknesses concern us because it's harder for auditors to audit around a pervasive control problem. In these cases, investors just don't know how much they can trust reported financial data, particularly when that data is not audited."

Jonas realizes that companies have done a lot of work over the past year, at considerable expense, and he is very positive about the whole process. "We believe that internal control reports are a good thing, because we expect they will help restore investor confidence and improve the quality of financial reporting. If so, the benefits to investors will be considerable."

Will there be comparable benefits to companies? Section 404 compliance will provide companies with opportunities to first standardize their business processes, and then improve upon those processes. If employees at the business unit level are willing to take ownership of these processes, a new corporate culture based on good controls will emerge. And if process inefficiencies are identified and resolved, increased productivity will likely result.

Today, some question the enormous costs of Section 404 compliance. The full value of the efforts will only become apparent over time.

RELATED ARTICLE: Is It a Significant Deficiency or a Material Weakness?

Three degrees of control deficiencies--in order of magnitude--have been formally defined in Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements, (AS2) released by the Public Company Accounting Oversight Board (PCAOB) on Mar. 9, 2004:

1 A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. (Paragraph 8)

2 A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the company's ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the company's annual or interim financial statements that is more than inconsequential will not be prevented or detected. (Paragraph 9)

3 A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected. (Paragraph 10)

Note: Auditing Standard No. 2 provides examples of the different orders of magnitude of control deficiencies in its Appendix D. For example, not reconciling intercompany accounts is a control deficiency. Not having a formal process in place to ensure reconciliation would be considered a significant deficiency. If there are a significant number of material intercompany transactions, lack of a formal process would constitute a material weakness.

RELATED ARTICLE: What Has to be Reported?

Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports (Final Rule 33-8238, which became effective Aug. 14, 2003) was released by the U.S. Securities and Exchange Commission (SEC) in response to Section 404, which directed the SEC to prescribe rules requiring annual reports to:

* State management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

* Contain an assessment, as of the end of the company's most recent fiscal year, of the effectiveness of the company's internal control structure and procedures for financial reporting.

William M. Sinnett is Manager of Research for Financial Executives Research Foundation (FERF).
COPYRIGHT 2005 Financial Executives International
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2005, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation:regulation
Author:Sinnett, William M.
Publication:Financial Executive
Geographic Code:1USA
Date:Jan 1, 2005