Academic journal article Management Accounting Quarterly

Sustaining SOX 404: A Project Management Approach: Complying with the Internal Control Certification Requirements under SOX Section 404 Can Be Difficult for a Company of Any Size. By Using a Project Management Approach and Implementing Several Better Practices, Companies Can Devise a Compliance Project That Is Not Only Cost Effective but That Also Helps Achieve Better Business Results

Article excerpt

The Sarbanes-Oxley Act of 2002 (SOX) was enacted in the wake of many egregious corporate scandals involving fraud, greed, and breakdowns in internal controls. This landmark legislation has helped the United States do what no other country in the world has yet attempted to do: improve the standards for corporate accountability from the very top (the board of directors and senior management) to the lowest levels of the company, where business transactions and related activities are performed. It is the new internal control requirements of Section 404 of the Act where this law has its biggest impact on publicly traded corporations. Specifically, Section 404 requires management to take ownership of internal controls over financial reporting (ICFR) by assessing and publicly reporting on their effectiveness. To add more teeth to these requirements, this Section also requires external auditors to attest to management's assessment by independently opining on the effectiveness of a company's ICFR.

Large accelerated filers are in their third year of Section 404 compliance. In spite of this, controllers, their staffs, and many SOX compliance specialists admit that it is still very easy to get lost in the maze of identifying, testing, and continuously monitoring key controls, maintaining relevant documentation, and rolling up the individual process-level assessments being conducted throughout the company to form an overall opinion on the effectiveness of a company's ICFR.

Regardless of a company's size, there is no doubt that planning, executing, and sustaining an internal control assessment under Section 404 is a challenging and costly project. Initiating and sustaining this project requires massive coordination among a large number of employees throughout the organization as well as ensuring that appropriate documentation is maintained to support management's conclusions. Given the experiences of large accelerated filers, smaller public companies and other temporarily exempted entities (foreign as well as domestic) are legitimately anxious because they will soon be required to comply with the internal control certification and assessment requirements under Section 404.

Much has been written about the cost and difficulty of complying with the new internal control certification requirements under Section 404, but very few articles have focused on providing guidance on how to sustain compliance with Section 404 requirements in a cost-effective manner. Although a majority of companies have followed the Public Company Accounting Oversight Board's (PCAOB) "infamous" Auditing Standard No. 2 (AS2) to design and execute their internal control assessments, there is no single, cookie-cutter approach or methodology that a company can take to "walk through" this maze in real life. The previous two years of experience suggest that there are some "better practices" that a company can employ to organize, document, and track the SOX 404 compliance project in a cost-effective manner. Our experiences from working with many companies suggest that a number of issuers are implementing processes and putting appropriate structures in place that are proving to be quite adept at handling the challenges of Section 404 compliance. The purpose of this article is to share some of these better practices to help other companies manage this project cost effectively.

GETTING STARTED

While the biggest challenge for accelerated filers is to sustain this huge effort in a cost-effective manner, the biggest compliance challenge for smaller public companies is deciding where to begin. We recommend that all companies focus on the following three aspects as they work to initiate and sustain compliance with Section 404: tone at the top, scoping decisions, and establishing a SOX steering committee.

TONE AT THE TOP

Regardless of a company's size, the most important step to starting and sustaining a SOX 404 compliance project is setting the right "tone at the top. …
