Sarbanes-Oxley compliance in Year 2 and beyond

Public companies, for better or worse, have completed the first year of compliance with the Sarbanes-Oxley Act. Now is a good time for CPAs in industry and their external auditors to reflect on the Year One experience, identify lessons learned, and change their compliance strategies accordingly. For example, many companies only cleared the Year One Sarbanes-Oxley hurdle via an "all hands on deck" approach. Sarbanes-Oxley compliance, however, is not a one-time event; it is an ongoing requirement. So this tack is too disruptive to be allowed to continue.

The following article provides insight into some lessons learned during Year One and offers ideas for achieving sustainable, cost-effective Sarbanes-Oxley compliance in Year Two and beyond.

One-time vs. ongoing compliance

To comply with Section 404 and related Sarbanes-Oxley requirements, many companies created corporate project management teams, often consisting of current or former internal audit staff.

The typical Sarbanes-Oxley team was charged with drafting a customized framework and methodology for assessing the company's internal controls, establishing initial project plans and timelines, and coordinating delivery of the company's Year One requirements.

At some point, the Sarbanes-Oxley team engaged the broader organization, introducing compliance requirements via training sessions and other forums. The process of creating teams to facilitate compliance would begin again, this time at the local level.

During Year One, Sarbanes-Oxley teams addressed an array of complex challenges. For one, many public accounting firms are still interpreting the Public Company Accounting Oversight Board's Auditing Standard No. 2, which was issued in March 2004 and not approved by the Securities and Exchange Commission until June 2004. As such, management faced an evolving set of expectations regarding compliance requirements.

In addition, management often underestimated the resources needed to deliver nearly every aspect of Sarbanes-Oxley compliance, partially due to the evolving nature of the requirements themselves. As a result, despite incredible amounts of overtime and management putting business initiatives on hold, many companies still needed to augment staff with third-party consultants. These consultants sometimes provided internal control and overall subject-matter expertise, but too often they merely provided extra manpower at a high cost.

For many companies, challenged by one hurdle after another, the "all hands on deck" mentality achieved Sarbanes-Oxley compliance in Year One. But to be sustainable, a company's compliance program must evolve from this frenetic approach and ultimately become embedded in the fabric of the organization's business processes, procedures and culture.

Management must instill accountability for Sarbanes-Oxley compliance into the day-to-day responsibilities of every individual, especially CPAs and other professionals responsible for financial reporting. In addition, management must invest in appropriate tools to facilitate strong internal controls in general, and efficient maintenance of documentation in particular.

To transition from must-be-done project status to a company's modus operandi, CPAs should consider the following recommendations:

* Individual accountability. CPAs and other professionals must be held accountable for the performance of internal control and overall Sarbanes-Oxley compliance activities. As such, management must clearly define these new responsibilities, then review and rebalance each individual's overall job accountabilities, incorporating the impact of Sarbanes-Oxley as appropriate. As part of the overall appraisal process, management can then measure how well each individual delivered against his new accountability for Sarbanes-Oxley.

* Internal expertise. To successfully embed individual accountability, management must appropriately train all associates. Most importantly, CPAs and others responsible for establishing the company's control policies or compliance efforts must have an appropriate level of subject-matter expertise. Otherwise, management will continue to incur the high cost of third-party consultants or, worse, will not have qualified individuals leading these efforts. Consider appointing a chief internal controls officer or a chief compliance officer as the resident expert on the subject.

* Organizational structure. Management must determine the appropriate balance between corporate and business unit accountability for Sarbanes-Oxley compliance, depending on the nature, organizational structure and complexity of the company. In general, though, CPAs and other associates directly responsible for company controls should be held to the highest degree of accountability.

To this end, consider assigning primary accountability for Sarbanes-Oxley compliance to operating management. In addition, consider appointing a small corporate team responsible for monitoring regulatory developments, defining the company's overall methodology and approach, facilitating Sarbanes-Oxley training, and providing high-level oversight.

* Control self-assessment programs. During Year One, management often used the internal audit department or third-party consultants to perform operating effectiveness testing. By implementing a control self-assessment program that requires operating management to test their own key controls, management will develop a greater sense of accountability and more quickly identify and correct control breakdowns.

404 methodology and approach

During Year One, there was a tendency to be conservative when interpreting Section 404 documentation and other compliance requirements, resulting in over-documenting and over-testing. Management often developed comprehensive internal control frameworks that covered all major business processes, including processes related to the development, manufacture, marketing and sale of products, in addition to the processes that directly affect financial reporting and disclosure. Then management cast a wide net in documenting and assessing their company's internal controls, encouraging staff to document and assess all related control activities, rather than focusing on key controls.

And yet, despite aggressive efforts to document and assess detailed process and transactional controls, few companies adequately addressed company-level controls - those controls that set the tone at the top, permeate an organization, and have a significant impact on financial reporting and disclosure objectives.

To facilitate the evolution of its Sarbanes-Oxley compliance program in Year Two and beyond, company management should shift its focus from process and transactional controls to company-level controls. Then management should perform a risk assessment of its business in general, and its internal control framework in particular, to identify the processes that are critical from a financial reporting and disclosure perspective. Finally, management should "right-size" its framework, methodology and approach accordingly.

Deficiencies and remediation

Nearly all companies, even those that started with a sound internal controls environment, were surprised by the sheer number of deficiencies identified during Year One. As such, the time required to create action plans and perform gap remediation took much longer than anticipated. In fact, time constraints frequently forced companies to implement temporary, inefficient remediation activities.

Company management, therefore, should revisit Year One gap remediation efforts to ensure that newly implemented controls are efficient and sustainable for the long term. In addition, management should carefully define newly identified deficiencies, assess the risk of these deficiencies, and prioritize gap remediation efforts.

One lesson from Year One is to understand the root cause of deficiencies and to realize that not all deficiencies are equal. Auditing Standard No. 2 provides detailed definitions of the terms "significant deficiency" and "material weakness." Unfortunately, there are no bright-line tests that quantify or clarify terms such as "inconsequential" and "remote" that could be helpful in evaluating gaps.

Lacking appropriate guidance, many financial managers set thresholds too conservatively in Year One, causing companies to spend excessive time on minor issues. Going forward, management should carefully define what constitutes an internal control weakness that is sufficiently important to require action.

Identified deficiencies

If an identified deficiency is deemed high priority, it must be fixed in as timely a manner as possible. A deficiency determined to be low priority may be remediated after higher-ranking deficiencies are corrected, or may even be left open. Financial managers will need to exercise judgment for deficiencies falling into the medium priority category.

Regardless of how organizations identify deficiencies, a key lesson learned in Year One is that corrective action takes longer than expected. Any implemented process should track and report results on an ongoing basis, so critical areas requiring remediation are done in a timely manner. After all, beginning in Year Two, Sarbanes-Oxley compliance is a quarterly endeavor, not just an annual requirement.

Companies also need to develop a mechanism for aggregating deficiencies. Several deficiencies, which individually are not deemed material weaknesses, may in combination lead to a material weakness. According to the PCAOB, as of May 15, 2005, about 12 percent of companies reporting under Section 404 have reported material weaknesses. And even those companies not having material weaknesses may still have been cited by their outside auditor as having one or more "significant deficiencies."

Management is not required to publicly report significant deficiencies, but unresolved significant deficiencies could grow into material weaknesses. As such, significant deficiencies should also be addressed sooner rather than later.

Finally, management should analyze how deficiencies relate to each other before moving forward on remediation efforts. According to Auditing Standard No. 2, when evaluating the likelihood that a deficiency or a combination of deficiencies could result in a misstatement, the independent auditor should evaluate how the controls interact with other controls.

Some controls depend on others, such as general information technology controls. Some function together as a group of controls. Others overlap, in the sense that varying controls achieve the same objective. By understanding the impact of general and compensating controls early, management may be able to fix multiple gaps with one new control, rather than multiple redundant controls, thereby saving significant time.

IT frustrations and opportunities

During Year One, management encountered many frustrations in the area of information technology. Most first-year filers participating in KPMG's 404 Institute survey cited IT controls as the area or process containing the most key controls. Respondents also noted that IT controls accounted for about one-third of all deficiencies identified and one-quarter of significant deficiencies and material weaknesses.

IT-related deficiencies, however, were often difficult to remediate. Companies often had to contact their software vendors, and deficiencies in legacy programs typically took significant time to correct. Many of the deficiencies identified related specifically to the general IT infrastructure, and software vendors now provide solutions to help meet the Sarbanes-Oxley requirements.

Management was also challenged by general application maintenance during Year One. Specifically, management first had to identify Sarbanes-Oxley-significant applications, then had to ensure the adequacy of system security and other controls related to these applications. To facilitate compliance related to general applications going forward, management needs to define the company's scope and Sarbanes-Oxley requirements related to this area.

Then management should develop a comprehensive inventory of the applications, classify the Sarbanes-Oxley significance of each, and then document and test the controls related to each application as appropriate, depending on its classification.

Another area where technology is likely to have a major impact is in the management of change. For major changes - such as mergers and acquisitions, divestitures, or system implementations - compliance should be built into the project plan. This includes the design of appropriate controls relating to the change, updating or creating process and control documentation, and ensuring that all systems changes have been thoroughly tested for effectiveness before going "live" with a change.

Many believe technology was not used effectively in Year One, so opportunities abound going forward. Many tools designed for Sarbanes-Oxley compliance did not exist a year ago, thus the benefits from automating Sarbanes-Oxley compliance activities have not been fully realized. Management must involve the IT department in a proactive effort to use technology to improve the quality and speed of information delivery, assure that compliance steps are performed according to design, identify and manage events in a consistent and auditable manner, and ensure accountability in the management and reporting of events. By doing so, management can accelerate the identification of problems, and reduce the amount of rework needed.

By automating key internal controls as well as Sarbanes-Oxley compliance steps, management may enjoy an added benefit - reduced audit fees. The PCAOB indicated that a benchmarking strategy for testing automated application controls may be employed. Since automated application controls are generally not subject to human-failure breakdowns, they will consistently perform a given control in exactly the same manner until the program is changed. This feature allows the auditor to "benchmark" or "baseline" these controls without having to repeat the prior year's tests of the automated application controls.

Of course, auditors must test and validate any new system that is key to the financial reporting process. Timing is critical here. Company management should be very cautious in implementing a major change to the company's IT environment or business processes late in the audit cycle.

Management and the external auditor

CPAs and other financial professionals complain about the "chilling effect" in their relations with independent auditors. During Year One, external auditors often refused to provide any advice for fear of violating independence rules. As a result, many companies incurred the additional cost of third-party experts to guide them through the Sarbanes-Oxley process.

Because of this "chilling effect," many companies were only willing to provide their independent auditors with the final drafts of their financial statements. Management feared that auditors would jump on errors detected in early drafts, resulting in unwarranted identification of internal control deficiencies. Companies also complained that auditors were interpreting the standards too strictly, often employing a checklist mentality. This approach led to a broadened scope of the audit, resulting in higher audit fees. There is also general agreement that auditors did not rely sufficiently on the work of others during Year One.

At an April PCAOB forum, participants aired concerns about their Year One experience. The PCAOB then provided its opinion on how Auditing Standard No. 2 can be implemented in a more effective and cost-efficient manner. The guidance covers many of the recommendations noted in this article, and encourages greater dialogue between management and their external auditors, as long as management makes the final determination on accounting and control matters. By encouraging auditors to adopt a risk-based audit approach and to exercise professional judgment, overall audit quality and efficiency should increase.

In planning Year Two compliance activities, company management and their auditors should openly communicate with each other. For example, since auditors are encouraged to make greater use of the work of others - such as the company's internal audit team - early identification of the areas in which auditors can rely upon the work of others will benefit both parties.

Regardless of the level of communication, management should realize that auditor reliance will be responsive to the degree of risk associated with the given controls. Accordingly, if an area of testing is at the very high end of the scale of audit risk, management should expect their external auditor to place very little reliance on the work performed internally.

The timing of the tests and audits of controls should be more palatable in Year Two. The PCAOB has stated that in most circumstances, testing controls throughout the year will provide several benefits, perhaps the most important of which will be the integration of the audit of internal control over financial reporting with the audit of financial statements. The auditor will still have to perform appropriate roll-forward procedures at year-end. Nevertheless, companies should find that the audit will not be as compressed as it was in Year One.

Finally, the overall effectiveness of Sarbanes-Oxley compliance efforts will improve by identifying and leveraging links among various programs and regulations. For instance, management has an opportunity to more effectively comply with Section 302, which requires the chief executive and chief financial officer to issue a quarterly statement certifying periodic reports on control activities, by appropriately scheduling Section 404 compliance activities and integrating these activities with Section 302 compliance.

Conclusion

The climb toward Year One Sarbanes-Oxley compliance was difficult. As most companies begin their Year Two Sarbanes-Oxley compliance trek, take the time now, if you have not already done so, to learn from the Year One experience. Embed compliance with Sarbanes-Oxley into the daily life of your organization, and make the long journey ahead a little easier.

J. Stephen McNally, CPA, is director of finance for Campbell Soup Co.'s Campbell U.S.A. Division, and is chair of the Pennsylvania CPA Journal Editorial Board. Reach him at j_stephen_mcnally@campbellsoup.com. David D. Wagaman, CPA, is an associate professor at Kutztown University and is a member of the Pennsylvania CPA Journal Editorial Board. Reach him at dwagaman@kutztown.edu. Reprinted with permission from the Pennsylvania CPA Journal, a publication of the Pennsylvania Institute of CPAs.
