Section 404 compliance and 'tone at the top'.

Author: Cunningham, Colleen
Position: President's Page - Sarbanes-Oxley Section 404

At the March meeting of the Committee on Corporate Reporting (CCR), FEI invited the Section 404 project leaders from our CCR companies to participate in a one-day session on year-one implementation issues. The discussion included leading practices in areas such as organization structure, scope, deficiency management, use of external resources, relationship with the external auditor, communication to the audit committee and management reports, to name a few. Also addressed were unintended consequences and challenges to sustainability as companies move from "project" to "process."

The discussion led to a recent publication by our research affiliate, the Financial Executives Research Foundation (FERF), "Sarbanes-Oxley Section 404 Implementation: Practices of Leading Companies." It also served as the basis for CCR's letter to the Securities and Exchange Commission (SEC), filed on April 1, in advance of an April 13 roundtable held by the SEC to solicit feedback on first-year implementation issues. I was asked to participate on that roundtable, along with four other CCR members (and several other FEI members).


A recurring theme throughout the day at the SEC was the need for moving to a "risk-based" approach to Section 404 scoping, documenting and testing. That clearly didn't happen in year one. Many companies noted that they attempted to scope Section 404 by starting with their significant risk areas and determining where they should be spending the most time. Unfortunately, in most cases, the external auditors nixed that approach in favor of a "coverage" approach.

That is, they wanted to ensure that a high percentage of locations and accounts were covered (such as coverage of 90 percent of locations or 80 percent of revenue, etc.) rather than focus on those areas with the most risk. This broad-based approach was the cause of much of the expense in the first year of implementation.

For smaller companies, taking a risk-based approach is imperative. Many of the controls are informal, though equally effective. If we look at where the issues occurred at the companies that caused Sarbanes-Oxley to be enacted, they clearly centered on the "control environment" aspect of the internal control framework of the Committee of Sponsoring Organizations, or COSO (FEI is one of the original sponsoring organizations)--more specifically, the "tone at the top."

What is "tone at the top"? It is the shared set of values that an organization has...
