A 10 step Sarbanes-Oxley solution: on the heels of recent Section 404 deadlines, a health-care audit shop reviews its strategy for establishing a solid foundation for ongoing compliance

Internal Auditor, Dec, 2004 by Kristina Kendall

THE U.S. SECURITIES AND EXCHANGE COMMISSION required most publicly listed U.S. companies to comply with Section 404 of the Sarbanes-Oxley Act of 2002 by November 15, 2004. Although surveys conducted earlier this year showed that many of these companies' leaders either were confident in their ability to meet the deadline or had already made significant progress toward it, a number of them still anticipated considerable difficulties. Like so many of those firms, we at Anthem Blue Cross and Blue Shield were faced with what seemed like a massive mountain to climb.

Our company has internal audit teams and audit management physically operating in each of its four regional headquarters locations in the United States, with senior internal audit management in Indianapolis, where Anthem is based. Anthem's Section 404 efforts, directed by the Indianapolis office, began with a pilot audit program executed in the company's Southeast region. Lessons learned from the pilot, which have now been shared with other Anthem regional audit teams for execution across the enterprise, may be instructive for other similarly structured companies embarking on Sarbanes-Oxley efforts of their own. Our pilot program included 10 key high-level steps that proved integral to project success and helped provide a solid foundation for ongoing compliance.

1. IDENTIFY KEY FINANCIAL STATEMENT ACCOUNTS

Anthem Internal Audit began its pilot work by selecting income statement accounts that represented the bulk of the company's business, such as those containing high volumes of activity or large balances. We then identified any material balance sheet accounts, including those that either corresponded to, or were significantly affected by, the selected income accounts.

To manage information collected throughout the pilot and in subsequent testing, we created a database specific to our Sarbanes-Oxley program. In a separate "account information" section, we identified significant financial statement accounts and related information such as account type, description, and owner. The database was also used to record primary management assertions related to each account--completeness, existence/occurrence, rights/obligations, valuation/measurement, and presentation/disclosure. Maintaining an automated central repository of Sarbanes-Oxley documentation has been essential to the success of our compliance work.

2. DOCUMENT PROCESS FLOWS FOR KEY ACCOUNTS

Documenting process flow proved one of the most important steps in our Sarbanes-Oxley program, as it provided the foundation for all subsequent work. Well-written, thorough documentation can facilitate audits of key controls, whereas poorly written or incomplete documentation could cause the audit team to waste significant effort on rewriting documents, identifying controls that were missed, or eliminating controls erroneously identified as "key."

Enlisting the assistance of finance and operations experts helped Anthem Internal Audit assemble meaningful, thorough process documentation. Anthem's finance division, with help from numerous operations personnel, was responsible for documenting significant process flows. Internal auditing provided process flow documentation from recent audits to facilitate this effort.

Anthem's process documentation is maintained in a separate section of the company's Sarbanes-Oxley database. Records are organized according to the company's "mega-processes," or primary activities, such as "claims and disbursements" and "premiums and cash receipts." Each key process is categorized under its respective mega-process and accompanied by a process description, process owner identification, and a list of associated risks. Process records also include process flow narratives, flowcharts, and attachments.

Anthem applied a standard naming convention to all process documents, which helped establish consistency across the database and facilitate ease of use. Official copies of all process flow documents are maintained in the database and updated regularly by Anthem's finance department. Process owners are required to sign off on each document, attesting to its accuracy.

3. CREATE A PRELIMINARY LIST OF KEY FINANCIAL CONTROLS

One of our main goals while identifying key financial controls was to avoid testing duplicate items. Within several processes, for example, we found more than one control point that would detect the same problem and therefore narrowed our testing to include only the control that appeared earliest in each process. We reasoned that, if functioning correctly, these controls would detect potential problems, eliminating negative effects downstream in the process.

For each process examined, we asked, "What could go wrong?" and "If this happened, how and where would it be detected?" After identifying a potential error or audit issue, we then considered the likelihood of occurrence. Using this method, we identified several hypothetical process errors that would likely result in the loss of a customer if not detected and corrected in time, thereby meriting "high risk" status. However, if the likelihood of occurrence for such process errors was low, or if occurrence would not have had a material impact on the company's financial statements, we evaluated the merits of omitting the controls associated with them from our key financial controls list, further helping to reduce unnecessary testing. Of course, Anthem takes losing customers quite seriously, and any controls removed from Sarbanes-Oxley testing were still left in place.