Section 404 requires public companies to include an annual internal control report that details management’s responsibilities for establishing and maintaining adequate internal controls and procedures for financial reporting. It also requires management’s evaluation of the effectiveness of the company’s internal controls.
In addition, reports Mark Takacs, the firm’s external auditor must go through basically the same affirmation process and attest to the integrity of the internal controls governing financial information.
Takacs is senior manager of Technology, Security and Risk Services for Ernst & Young in Grand Rapids.
So besides having to attest to the accuracy of their financial results, companies are required to prove that adequate controls are in place to catch inaccuracies.
According to the Securities and Exchange Commission (SEC), public companies with a market capitalization in excess of $75 million must comply with Section 404 for their first fiscal year ending on or after this coming Nov. 15.
The compliance deadline for smaller companies is the first fiscal year ending on or after July 15, 2005.
Compliance deadlines for large and small companies were originally set for June 15, 2004, and April 15, 2005, respectively, but in late February the SEC extended both.
According to the SEC, representatives of five large public companies had requested extension of the June 15, 2004, deadline. They argued that “it would be extremely difficult for companies to properly prepare for compliance with the new internal control over financial reporting requirement, and for auditors to properly implement a new standard that has not yet been finalized, for a fiscal year that is nearly complete.”
Since IT departments manage and operate a company’s information systems, IT people should be part of a company’s Section 404 steering committee or team.
“One of the more important pieces, at least from the IT side, is that IT should absolutely be integrated into the overall 404 team early on,” Takacs stressed. “Ultimately, the 404 team should be helping to drive the IT focus.”
Below are some basic steps a steering committee can follow to achieve compliance:
* Identify internal control criteria and determine what information needs to be documented.
* Document significant business processes and controls.
* Evaluate design and operating effectiveness through testing.
* Identify inadequate controls and take corrective actions.
* Establish a system for monitoring controls.
Takacs said public companies that lack significant IT systems are “extremely rare” and that most companies probably won’t require new software applications and IT-supported business processes to comply with new regulations.
Some of the smaller companies may or may not have to deploy new software packages to bring themselves into compliance.
“The only time I see companies changing systems is basically in the event that it was already planned,” he observed. “Generally, no companies I see are actually changing systems as a result of the need to comply with 404.
“What they do need to do is build documentation that identifies technology controls that help assert that integrity of financial information can be assured.”
The job is more complex for public companies that have several divisions or business units that each have their own reporting systems, he said.
Typically, when a company has multiple divisions running multiple systems, he said, financial data are fed into a consolidation system at headquarters and that process won’t change.
“The transfer of data between each division’s system to the consolidation system is a more important piece to look at from a controls perspective so that the data is transferred in a controlled, well-organized manner to ensure integrity.”
He said, generally, the larger companies tend to be ahead of the pack in terms of preparing for internal control compliance.
E&Y recently surveyed more than 100 major businesses across industries about their Section 404 preparations and processes. The companies ranged in size from less than $1 billion in annual revenues to more than $20 billion in annual revenues.
According to E&Y’s “Emerging Trends in Internal Controls” report published in January, 70 percent of companies surveyed expected to spend more than 10,000 hours on their Section 404 projects, while 36 percent planned to apply more than 25,000 hours to the task.
Of those surveyed, 48 percent had multiple, complex systems. Some 65 percent of companies indicated they planned to rely on IT controls in specific areas of their business, rather than on management review and detect controls.
Of companies with more than $100 billion in sales, 40 percent planned to incur more than 100,000 hours, “with a sizable number in excess of 200,000 hours,” according to the survey results.
The survey also revealed that companies continue to struggle with their approach to company-wide controls, information technology-based controls and transactions processed by third parties.
More than half the companies surveyed were completing their documentation of processes and controls, four were in the final or reporting phase and 19 were in the evaluation phase.
Of all the industries surveyed, financial services companies appeared to be further along in the compliance process.