Taking control of internal controls: the 411 on Sec. 404

California CPA, July, 2004 by Jerry Ascierto

The text of the Sarbanes-Oxley Act, Sec. 404, Management Assessment of Internal Controls, contains only 173 words. But in its practical application, it contains so much more.


Sec. 404 requires publicly traded companies to include in their annual report an assessment of the effectiveness of their internal controls over financial reporting and the accompanying auditor's report.

Though designing and maintaining a company's controls always has been the purview of management, Sec. 404 adds the tasks of annually evaluating, testing and reporting on internal controls. And, as most companies grappling with Sec. 404 can tell you, it is no small task. Compliance is proving to be labor intensive and costly as many companies invest in new software, hire consultants and re-train staff.

According to a survey by Financial Executives International, the average cost per company of first-year Sec. 404 compliance was nearly $2 million--or approximately 12,000 internal staff-hours and 3,000 external work-hours--plus additional auditor fees of roughly $590,000.

And in a study conducted by the law firm Foley & Lardner, companies reported that the average cost of being public climbed from $1.24 million before Sarbanes-Oxley to $2.86 million in 2003, with audit fees rising 23 percent between fiscal years 2002 and 2003.

"Don't underestimate the task involved," says CPA Bill Scully, controller for San Diego-based Pioneer Speakers, Inc., a subsidiary of Pioneer Electronics Inc. "Sec. 404 is seemingly straightforward at the front end, but as you look at all the aspects involved, it opens a Pandora's box."

The enormity of this compliance initiative has forced the SEC to push back the Sec. 404 deadline from June 15 to Nov. 15, 2004 for "accelerated filers"--any U.S. public company with a market capitalization of more than $75 million that has filed at least one annual report with the SEC.

While the effort required to comply varies according to business size, every publicly traded company--whether it has $1 million or $1 billion in revenue--is required to comply.

THE COSO FRAMEWORK

CPA Kris Dunning, an audit partner with Moss Adams LLP and lecturer for the California CPA Education Foundation, has advised numerous companies on Sec. 404 compliance. The first step, he says, is deciding on a framework, since Sec. 404 doesn't tell companies how to document and test internal controls, only "that they need to use an accepted model."

A majority of companies are adopting the framework authored by the Committee of Sponsoring Organizations of the Treadway Commission, a voluntary organization formed nearly 20 years ago to work on ways to improve the quality of financial reporting. The COSO model has five components: control activities; the control environment; risk assessment; information and communication; and monitoring.

Control Activities: Most companies already are focused on control activities--policies that ensure management's directives are carried out, such as segregation of duties and policies that authorize and verify transactions.

Control Environment: Establishing and communicating throughout the company a corporate code of ethics, which often includes whistleblower provisions.

Risk Assessment: Determining the risks present in each of a company's business processes. For public companies, high-risk areas "will be subject to interpretation," and might include revenue recognition and equity transactions, Dunning says. Risk assessment "can provide some initial guidance as to how much you're going to focus on the actual control activities, depending on the risks," he adds.

Information and Communication: This consists of processes and systems that support the exchange of information in a form and time frame that enable people to carry out their responsibilities. "It also deals with the access to internally and externally generated information, how you're communicating things to the outside and provisions to make sure insider information is not getting out," Dunning says. "That's an area that most companies haven't documented very well under an accepted framework."

Monitoring: In the past, monitoring internal controls was a function of the internal audit staff at large corporations. But COSO's monitoring element "goes beyond testing existing controls to a continual reassessment of the controls in light of any changes to an individual process and whether those controls remain effective," Dunning says.

Because Sec. 302 of Sarbanes-Oxley requires a company's officers to certify financial statements and give certification with respect to internal controls, many companies are starting to monitor quarterly, either by developing internal resources or outsourcing the monitoring job to consultants or other CPA firms.

"Companies now want some sort of internal due diligence to make sure they haven't had any breaches in internal controls or that the controls haven't changed substantially from prior periods," Dunning says.

DOCUMENTATION

The most challenging aspect of Sec. 404 concerns the high level of detail required in the documentation of internal controls. Companies must be able to demonstrate to an outside auditor that internal control procedures are effective and how they work.

 


Content provided in partnership with Thompson Gale