Year-two Section 404 compliance: smart companies are working smarter; Following the second FEI forum on Sarbanes-Oxley Section 404 compliance, FERF spoke with several participants about what practices are helping them achieve better, easier and less-costly approaches to compliance.

Author: Sinnett, William M.
Position: Internal controls

There's no question that complying with year-one of Section 404 of the Sarbanes-Oxley Act was painful--even more painful than expected--for publicly traded companies. Having spent an average of over 26,000 hours and $4.3 billion, as reported by Financial Executives International (FEI) in August, testing and attesting to thousands of internal controls and often enduring strained relationships with auditors, companies anticipate year-two compliance to improve.

Indeed, guidance from the Public Company Accounting Oversight Board (PCAOB) and the U.S. Securities and Exchange Commission (SEC) last May is expected to aid efforts to develop better, easier and less-costly approaches to Section 404 compliance.

To identify these better approaches, FEI's Committee on Corporate Reporting (CCR) hosted a meeting in Dallas in mid-September, where Section 404 implementation team leaders and their senior managers from some of the nation's largest companies exchanged their successful approaches to compliance.

As expressed by William Hogan, senior vice president-Finance for Computer Associates International, his company "is intensely committed to implementing a best-in-class regulatory compliance program, including application and adherence to Sarbanes-Oxley and the spirit of the regulations." In essence, he is seeking to learn best practices. With year one now complete, Financial Executives Research Foundation (FERF) spoke with some of the forum participants to highlight key practices that are working well at their companies.

Microsoft Corp.: Reducing the number of key controls.

Saul Gates, director of the Financial Compliance Group (FCG) at $39 billion software developer Microsoft Corp., wants to reduce the number of Microsoft's key controls. Each year, each key control must be tested first by management, and then by the external auditor, and such testing can be expensive.

Gates (no relation to Chairman Bill Gates) was hired away from PricewaterhouseCoopers in May 2004 to head up the FCG at Microsoft. The FCG developed an internal control framework and control documentation templates for all of Microsoft's process owners in more than 100 countries.

"Microsoft decided early on that management would 'own' responsibility for all business process controls," recalls Gates. "We developed the methodology, cleared it with Deloitte (its external auditor), and gave it to the process owners. They, in turn, developed their own control sets." The process owners, he notes, do their own design assessments, and other members of management then test the controls.

When Microsoft first tallied its key controls in its year ending June 30, 2004, 7,500 were identified. At its 2005 audit, the number was reduced to 5,200. Gates says the goal for 2006 is to reduce that number to under 4,000, thus cutting its key controls by almost 50 percent.

How will this be accomplished? Gates describes three approaches:

  1. Take some significant accounts out of scope. Most companies currently have revenue or balance sheet coverage ("scope") of 85 to 90 percent, which is significantly greater than what is required. If an...
