Year-two Section 404 compliance: smart companies are working smarter

Following the second FEI forum on Sarbanes-Oxley Section 404 compliance, FERF spoke with several participants about what practices are helping them achieve better, easier and less-costly approaches to compliance.

There's no question that complying with year-one of Section 404 of the Sarbanes-Oxley Act was painful--even more painful than expected--for publicly traded companies. Having spent an average of over 26,000 hours and $4.3 billion, as reported by Financial Executives International (FEI) in August, testing and attesting to thousands of internal controls and often enduring strained relationships with auditors, companies anticipate year-two compliance to improve.

Indeed, guidance from the Public Company Accounting Oversight Board (PCAOB) and the U.S. Securities and Exchange Commission (SEC) last May is expected to aid efforts to develop better, easier and less-costly approaches to Section 404 compliance.

To identify these better approaches, FEI's Committee on Corporate Reporting (CCR) hosted a meeting in Dallas in mid-September, where Section 404 implementation team leaders and their senior managers from some of the nation's largest companies exchanged their successful approaches to compliance.

As expressed by William Hogan, senior vice president-Finance for Computer Associates International, his company "is intensely committed to implementing a best-in-class regulatory compliance program, including application and adherence to Sarbanes-Oxley and the spirit of the regulations." In essence, he is seeking to learn best practices. With year one now behind the participants, Financial Executives Research Foundation (FERF) spoke with some of them to highlight key practices that are working well at their companies.

Microsoft Corp.: Reducing the number of key controls.

Saul Gates, director of the Financial Compliance Group (FCG) at $39 billion software developer Microsoft Corp., wants to reduce the number of Microsoft's key controls. Each year, each key control must be tested first by management, and then by the external auditor, and such testing can be expensive.

Gates (no relation to Chairman Bill Gates) was hired away from PricewaterhouseCoopers in May 2004 to head up the FCG at Microsoft. The FCG developed an internal control framework and control documentation templates for all of Microsoft's process owners in more than 100 countries.

"Microsoft decided early on that management would 'own' responsibility for all business process controls," recalls Gates. "We developed the methodology, cleared it with Deloitte (its external auditor), and gave it to the process owners. They, in turn, developed their own control sets." The process owners, he notes, do their own design assessments, and other members of management then test the controls.

When Microsoft first tallied its key controls in its year ending June 30, 2004, 7,500 were identified. At its 2005 audit, the number was reduced to 5,200. Gates says the goal for 2006 is to reduce that number to under 4,000, thus cutting its key controls by almost 50 percent.

How will this be accomplished? Gates describes three approaches:

1. Take some significant accounts out of scope. Most companies currently have revenue or balance sheet coverage ("scope") of 85 to 90 percent--which is significantly greater than what is required. If an account is considered to have a remote risk of being materially misstated, it can be taken out of scope. Thus, the associated controls do not need to be tested. Currently, Gates is actively identifying which accounts can be taken out of scope, so that the associated key controls can then be eliminated.


2. Identify lower-risk areas where reliance on company-level controls is sufficient. Routine transactions may be considered low-risk, and testing every transaction process can be time-consuming and costly. There are opportunities to test mid-level or company controls and alleviate the necessity to test routine transactions. Gates says, "We are becoming smarter about what's really relevant to our SOX assertion."

3. Critically assess the necessary number of transaction-processing controls. Controls on many related transactions may be redundant. By evaluating the transactions and respective controls, redundant controls can be combined or eliminated to achieve sufficient coverage.

Gates says the payroll function is a good example of Microsoft's process to reduce its number of key controls. In 2004, Microsoft had 28 individual key controls in the payroll function at each of 18 payroll locations. This could require testing over 500 key controls for the payroll function alone. After careful evaluation, the number of payroll processes was reduced to 20 and the number of locations to 10. This resulted in 200 key controls in 2005 at the transaction level. At the company level, one level up, there are two primary company-level controls: compare actual to budget and analyze average cost per headcount.

Reducing 200 to two is Gates' goal for 2006, and two events may help him get there:

* The May 16, 2005 guidance from the SEC and PCAOB asks external auditors to "use a top-down approach that begins with company-level controls, to identify for further testing only those accounts and processes that are, in fact, relevant to internal control over financial reporting;" and

* a better understanding by both management and the auditor of the complete set of controls throughout the company. As companies went through the deficiency evaluation process, they gained a better understanding of which controls they were truly relying on to prevent or detect errors or misstatements. Careful evaluations of key controls based on this new understanding will show where the number of controls can be reduced without lowering the quality of the overall system of internal control.

Medtronic Inc.: Looking for process standardization.

Brenda Lovcik, Director of SOX Compliance at Medtronic Inc., stresses the importance of keeping the business on track--including information technology (IT) system implementations--by being proactive and working closely with the company's external auditors. (Medtronic's auditor is PricewaterhouseCoopers.)

Lovcik was working in Internal Audit in May 2003 when Medtronic began to plan for Sarbanes-Oxley Section 404 and she was tapped to head the compliance effort. "Rather than wait for the external auditors to tell us how to comply, we were proactive in developing a plan and working with our auditors to get them comfortable with that plan," says Lovcik.

Medtronic is a $10 billion medical device company that had been very decentralized, but documentation for compliance with Section 404 has demonstrated the benefits of standardization. "We would like to see more process standardization," she says. "This will help us with future acquisitions and overall growth of the company."

Part of the standardization effort includes a worldwide implementation of SAP as Medtronic's single enterprise resource planning (ERP) system. Prior to 2005, the company had a limited implementation of SAP for just its general ledger. When the company wanted to do a major implementation of other SAP modules for its European operations in January 2005, the external auditors advised against it, given Medtronic's fiscal year-end, which is the last Friday in April. "We did decide to delay implementation, but for business reasons, not for compliance reasons," says Lovcik.


What's next for Medtronic? "In conjunction with the worldwide implementation of SAP and the increased importance of process standardization, the organization has taken on an initiative for global process improvement," says Lovcik, and she'll be one of the individuals to lead that effort as she moves from her 404 implementation role. She's been named Director of Global Process Improvement for Intercompany Consolidations and Profit Elimination.

Corning Inc.: Taking a "top-down" approach to risk and planning.

James I. Michaelson, manager of Accounting Policy and Procedures at Corning Inc., explains the benefits of risk assessment and a risk-based approach to auditing. Having worked in a number of positions for Corning, he moved into his present position in March 2004 to take the existing Sarbanes-Oxley compliance project from the planning phase to completion.


Corning, a $4 billion diversified-technology company with multiple operating segments, outsources its internal audit function to one Big Four firm (Ernst & Young), while another Big Four firm (PricewaterhouseCoopers) serves as its external auditor.

By March 2004, Michaelson noted, a lot of the documentation had already been done by management, working with the internal auditors. Michaelson's compliance goal in 2004 was to standardize business processes, internal control matrices, documentation and testing.

"In year one, the external auditors were risk-averse, because their primary guidance was Auditing Standard 2 (AS2), which was finalized during the summer of 2004," says Michaelson. "However, the PCAOB's May guidance suggests auditors use a risk-based, or top-down, approach to auditing. We interpret that guidance as a license to use judgment." In response, he says, his company has prepared a risk-based approach in conjunction with its external auditors, "which we see as a much more practical approach to auditing, while ensuring 404 compliance."

The real benefit from this risk-based approach, says Michaelson, is more value from Corning's audit dollar. "If you had a good first year, your auditors should be able to rely more on management's work and redirect efforts toward more risk-based areas."

For Corning, this also means shifting internal audit dollars from "coverage-only" areas (year-one approach) to rotational auditing (coverage beyond 404 and risk). Year one involved extensive testing to comply with AS2, with most large locations being audited comprehensively to maximize coverage and limit risk.

Now, Michaelson says he expects reductions in external audit hours in year two, but doesn't necessarily expect to reduce internal audit hours since he can now spend them on "value auditing." The goal there is to reintroduce a robust internal audit that satisfies 404 and provides healthy monitoring for all locations.

Time Warner Inc.: Going forward; finding the value.

Pascal Desroches, vice president and deputy controller for Time Warner Inc., has responsibility for overseeing the application of Time Warner's compliance with Section 404 on behalf of the company's controller, CFO and CEO. Besides Sarbanes-Oxley compliance, he's responsible for the company's external financial reporting, accounting policies and overall technical accounting matters.

Time Warner generates $42 billion in revenues from a variety of different media and entertainment businesses, including cable systems, cable and broadcast television, Internet, magazine publishing and filmed entertainment.

Desroches says that even though Time Warner had audited its systems of internal control over financial reporting in both 2001 and 2002--under the previous standard--in year one of 404 compliance, it spent significantly more time than it did under the prior standard, including areas that were considered low-risk and where problems were not expected. Desroches notes that both Time Warner and its auditors (Ernst & Young) interpreted the new rules as requiring more documentation and testing than the previous standards.


Did Time Warner realize benefits in year one? Overall, says Desroches, a significant benefit was that "it really helped raise the level of control consciousness throughout the organization." While the finance organization "always appreciated the importance of control," he says, what 404 did was to drive "that same mindset to not only finance, but to all personnel in our businesses."

Reflecting on year one relative to expectations, Desroches says, "This was one of those areas where we didn't have a basis for [comparison]--like accounting rules and other things. Over time, you gain experience with them, and know what to expect, regarding the interpretations and how things have been applied historically. This was new to everybody, and it was going to be interpreted by an organization that itself was new."

Desroches expects 2005 costs will go down, largely due to a lack of the start-up time experienced in 2004. Also, he comments, "In order for this to be sustainable, it can't be a project management approach. We have to begin to weave compliance into the way we perform controls around the company."

In that regard, he says, Time Warner is transitioning to a self-assessment approach, with the control-process owners being responsible for ensuring that controls are functioning, coupled with a robust monitoring program by internal audit and the internal Sarbanes-Oxley compliance team. He's aiming to be completely transitioned by the end of 2006.

Desroches expects internal resources to continue to be utilized at the same level, but he's hopeful that Time Warner will save by devoting less time to third-party consultants, as well as needing less work by internal audit.

Desroches says the PCAOB May guidance was "very helpful, and had the right tone," as it relates to having both the company and its auditors being more pragmatic and using more judgment--all with a risk-based approach. But, he warns, "There needs to be a consistent message that emerges from the PCAOB's 2005 inspections process."

For example, he says, if, in the examination process, the PCAOB sends a message that the public accounting firms didn't do enough in their review, or that companies didn't do enough in support of management's assertion, "one potentially unintended consequence may be that, notwithstanding the May guidance, the auditor's interpretations will continue to be fairly strict and fairly narrow."

William M. Sinnett is Director of Research for Financial Executives Research Foundation (FERF). Ellen M. Heffes is Executive Editor for Financial Executive and Web Content Editor for


* When Microsoft first tallied its key controls (June 30, 2004), 7,500 were identified. At its 2005 audit, the total was 5,200; by 2006, it's aiming for under 4,000.

* Medtronic stresses the importance of keeping the business on track--including IT system implementations--by being proactive and working closely with auditors.

* At Corning, the benefit from using a risk-based approach to compliance is more value from its audit dollar. While the amount spent won't change in year two, it will be spent on "value auditing."

* Time Warner's realized benefit was a higher level of control consciousness throughout the organization.
COPYRIGHT 2005 Financial Executives International
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2005, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation:internal controls
Author:Heffes, Ellen M.
Publication:Financial Executive
Geographic Code:1USA
Date:Nov 1, 2005