Lessons Learned from Section 404 of the Sarbanes-Oxley Act
Ho, Shih-Jen Kathy, Oddo, Alfonso R., The CPA Journal
A Conversation with Compliance Officers
Corporate accounting scandals in the past decade, such as Enron and WorldCom, led the U.S. Congress to pass the landmark legislation the Public Company Accounting Reform and Investor Protection Act of 2002, commonly known as the Sarbanes-Oxley Act (SOX). To make management accountable for accurate financial statements, section 404 of SOX requires an annual evaluation and report by management on the effectiveness of internal controls and procedures for financial reporting, as well as a report by the independent auditor attesting to management's assertion. Management must include a statement in its annual internal control report that it is management's responsibility for establishing and maintaining adequate internal controls and procedures for financial reporting. Both the public company and individual managers may be subject to significant criminal and civil penalties for noncompliance with SOX. The effective date for accelerated filers was November 15, 2004, and for nonaccelerated filers the date has been extended to July 15, 2007.
This article examines compliance with SOX section 404 from management's perspective. The authors interviewed compliance officers from two U.S. Fortune 500 companies, referred to as LMN and UVX for the sake of confidentiality. The authors are very grateful to the compliance officers who participated in this study. These individuals were the managers of the SOX compliance project at their respective companies and have been involved in compliance since 2002. Each presented his or her company's experience in implementing SOX section 404, at a summer conference in 2005. Two separate follow-up interviews were conducted, in December 2005 and in January 2006. The interviewing style incorporated a hybrid of the focused interview, using specific questions, and the in-depth interview, permitting the interviewee to direct the interview. The interviewees were asked to describe the project, the implementation steps, facilitating factors, major challenges, key benefits, training provided, unresolved issues, and their experiences of implementation. Most important, as early adopters, the interviewees were asked to share the lessons they learned.
Compliance Cost and Resources
LMN: The company has roughly 50,000 employees globally, with annual sales of $14 billion. In terms of SOX compliance, approximately 50 people globally were involved in the project. Outside consultants were also engaged from two other Big Four accounting firms in addition to LMN's external auditor. The total compliance cost in 2004 was $18.1 million, of which $7.1 million was paid to the external auditor for its work related to SOX. LMN had a loss in 2004.
UVX: UVX has annual sales of $25 billion. The company spent well over $20 million in the implementation phase of SOX and, like most companies, its audit fees went up during that time period as well. UVX also hired consultants, independent contractors, and some smaller regional accounting firms to work directly on areas needing cleanup. Additional Big Four accounting firms were used as consultants in specific areas to assist with the initial review period. These consultants were engaged for about one year, after which the work was integrated into staff responsibilities, with some minimal hiring, mostly at the clerical level.
The implementation of the compliance project was very similar for the two companies interviewed. Both used the Committee of Sponsoring Organizations (COSO) model in looking at risk and internal control, and began with an interpretation phase of figuring out what the law meant. (See David R. Campbell, Mary Campbell, and Gary W. Adams, "Adding Significant Value with Internal Controls," The CPA Journal, June 2006.) Part of the problem at this step was that the law itself was not quite established. About midway through 2004, the companies began to really understand what compliance meant. …