Taking control of internal controls: the 411 on Sec. 404.

Author: Ascierto, Jerry
Position: Sarbanes-Oxley Act - Cover Story

The text of the Sarbanes-Oxley Act, Sec. 404, Management Assessment of Internal Controls, contains only 173 words. But in its practical application, it contains so much more.


Sec. 404 requires publicly traded companies to include in their annual report an assessment of the effectiveness of their internal controls over financial reporting and the accompanying auditor's report.

Though designing and maintaining a company's controls always has been the purview of management, Sec. 404 adds the tasks of annually evaluating, testing and reporting on internal controls. And, as most companies grappling with Sec. 404 can tell you, it is no small task. Compliance is proving to be labor intensive and costly as many companies invest in new software, hire consultants and re-train staff.

According to a survey by Financial Executives International, the average cost per company of first-year Sec. 404 compliance was nearly $2 million--or approximately 12,000 internal staff-hours and 3,000 external work-hours--plus additional auditor fees of roughly $590,000.

And in a study conducted by the law firm Foley & Lardner, companies reported that the average cost of being public climbed from $1.24 million before Sarbanes-Oxley to $2.86 million in 2003, with audit fees rising 23 percent between fiscal years 2002 and 2003.

"Don't underestimate the task involved," says CPA Bill Scully, controller for San Diego-based Pioneer Speakers Inc., a subsidiary of Pioneer Electronics Inc. "Sec. 404 is seemingly straightforward at the front end, but as you look at all the aspects involved, it opens a Pandora's box."

The enormity of this compliance initiative has forced the SEC to push back the Sec. 404 deadline from June 15 to Nov. 15, 2004 for "accelerated filers"--any U.S. public company with a market capitalization of more than $75 million that has filed at least one annual report with the SEC.

While the effort required to comply varies according to business size, every publicly traded company--whether it has $1 million or $1 billion in revenue--is required to comply.

THE COSO FRAMEWORK

CPA Kris Dunning, an audit partner with Moss Adams LLP and lecturer for the California CPA Education Foundation, has advised numerous companies on Sec. 404 compliance. The first step, he says, is deciding on a framework, since Sec. 404 doesn't tell companies how to document and test internal controls, only "that they need to use an accepted model."

A majority of companies are adopting the framework authored by the Committee of Sponsoring Organizations of the Treadway Commission, a voluntary organization formed nearly 20 years ago to work on ways to improve the quality of financial reporting. The COSO model has five components: control activities; the control environment; risk assessment; information and communication; and monitoring.

Control Activities: Most companies already are focused on control activities--policies that ensure management's directives are carried out, such as segregation of duties and policies that authorize and verify transactions.

Control Environment: Establishing and communicating throughout the company a corporate code of ethics, which...
