Today, almost two years after the Sarbanes-Oxley Act of 2002 became law, companies, their executives, and their boards are grappling with implementing one of the act’s most labor-intensive requirements. Complying with section 404, which requires businesses to make a public report of the effectiveness of their internal controls, can be overwhelming and burdensome to a company’s internal accounting departments. To avoid the potential pitfalls, top management and board members should be actively involved from the beginning of the project. Directors should take an active role in defining key business units and processes to be examined and should also monitor the correction of any deficiencies identified. A successful, proactive approach to compliance with section 404 can be achieved through a concerted effort by internal accounting and auditing teams, who are assisted by external specialists when appropriate. And despite the headaches, there are significant upsides to section 404 compliance beyond just meeting the requirements of the law.

Section 404 requires public companies to include a report on internal controls in the annual Form 10-K filed with the Securities and Exchange Commission. According to SEC rules, this report must “(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting and (2) contain an assessment, as of the end of the issuer’s fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.” Whether the company’s internal control structure is “adequate” is based on a comparison to an established internal control framework, such as that developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a private-sector initiative formed to study fraudulent financial reporting and ways to prevent it.

Section 404 also requires a company’s external auditor to attest to and report on management’s assessment of internal control. Finally, the SEC’s rules require management to provide a quarterly evaluation of any change to internal controls that could have a material impact on financial reporting.

The effective date for section 404 has been delayed several times beyond the deadlines established in the SEC’s preliminary release of the rules. For certain large public companies — generally companies with more than $75 million of outstanding public shares that have been public for more than a year — these requirements begin with the annual report filed for the end of the first fiscal year ending on or after November 15, 2004. All others must comply starting with their annual reports for the fiscal year ending on or after July 15, 2005.

For most companies, meeting the requirements of section 404 is going to entail significant effort. Because many businesses have trimmed their accounting and internal audit departments over the years to reduce costs, internal control structures have suffered. Although most companies have attempted to make adjustments to avoid weakened controls, it is possible that these personnel reductions have had an adverse impact on the strength of the overall control structure and the reliability of financial reporting, both external and internal.

On the positive side, section 404 of Sarbanes-Oxley requires companies to refocus on the basics of understanding their internal controls and the processes by which financial information is gathered and reported across the organization. The intent is to improve the integrity of publicly available financial information — but this step will also result in better and more reliable financial information for the directors and executives managing the business. Strengthening internal controls can also have a positive operational impact. For example, improving the internal controls in the billing function can increase the accuracy and reliability of invoices sent to customers, thereby improving customer satisfaction and cash flow.

It is critical that management and the board of directors take responsibility not only for the final assessment of the organization’s controls, but also for the process of getting there. One of the aims of Sarbanes-Oxley is to require senior management and the board to become more involved in monitoring the internal control structure of the organization. This goal cannot be accomplished if the section 404 compliance process is outsourced to armies of consultants with nominal management oversight and supervision. Consultants can provide extremely valuable direction, advice, and manpower. Management and the board, however, should set the overall direction for the project and be actively involved with all phases of it.

There are a multitude of software tools available to aid in the section 404 process. Directors should be involved in developing a list of needs and requirements for assistive software to ensure that detailed reporting will be available to them on project status, control deficiencies that are identified, and remediation plans. Much of the section 404 project can be achieved using very simple resources. For instance, word processing programs, spreadsheets, and flowcharting software are used for basic documentation and testing of controls, while document management software can store the volume of electronic documents generated. However, the final section 404 assessment report should be based on management’s understanding of the overall controls, not on the output of a software tool. This assessment will be based on understanding the risks and potential causes of misstatement in particular accounts and processes and on identifying controls that specifically mitigate those risks.

Controls that prevent errors are preferable to those that simply detect them after they have occurred. Automated or computerized controls are often more reliable than those that require human intervention. Ideally, controls can be optimized so that their regular, effective operation is also monitored and reported on. The key to evaluating the business’s controls is asking the question: What could be wrong with the financial statements and disclosures, and are the best possible procedures in place to catch it?

Board members should pay particular attention to the most significant financial statement accounts — a determination that should be based not only on their size compared to the balance sheet as a whole, but also on relative risks. For example, accrued expenses may not be a significant component of the balance sheet, but may still be an area of focus to verify that needed accruals are not missing. Board members should also carefully review accounts subject to significant management judgment. Revenue recognition should almost always be an area of special focus. Other potential trouble spots may include the valuation of accounts receivable and inventory, the recoverability of long-lived assets such as property and equipment or goodwill, stock-based compensation, and the accounting for any business combinations. To decide which controls are most important, directors should ask themselves which areas could be most subject to manipulation, error, and fraud.

Good project planning and strong project management leadership are keys to successful compliance. Corporations should identify critical business units, processes, and financial statement accounts that will need to be evaluated. Board members should provide input on financial statement accounts and processes that they consider to be risky and also particular divisions or subsidiaries that they believe may need focus. For example, operations in distant countries that are subject to minimal direct management oversight by headquarters may need more in-depth review. Divisions that make technology products may require more attention than divisions in more mature, stable industries.

While it is important for members of management and the board of directors to be aware of the potential problems and pitfalls that section 404 compliance presents, they should also know that there will be substantial benefits derived from the process. These benefits can include a stronger understanding of not only the risks the company faces, but also the information that management uses to manage those risks. Better information should lead to better decision making and, ultimately, better results for the company and its shareholders.

David Lloyd is a senior manager with Stout, Causey & Horning, P.A., a CPA and management consulting firm based in Hunt Valley, Md.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.