How Kmart Grew 404 Compliance at Home

Instead of relying on internal auditors and consultants to test internal controls, the retailer put management in charge from the start.
Craig SchneiderMarch 14, 2005

Sometimes it pays to skip a step—or a compliance year, for that matter. Just ask Jennifer Montgomery, who, as director of internal controls at Kmart, helped management take charge of internal-controls testing one year earlier than managers at many companies its size are likely to do.

Montgomery says Kmart is nearly ready to report its year-end financials to the Securities and Exchange Commission (SEC) after completing its first year of compliance under Section 404 of the Sarbanes-Oxley Act, which governs internal controls over financial reporting. But in an unusual move, management was put in charge of compliance from the onset in lieu of spending millions of dollars on consulting fees or putting the brunt of work on internal auditors’ shoulders.

Montgomery says many of her peers will pass the 404 testing torch to management this year. The reason most companies didn’t tap managers to do it in the first year, she explains, is that they didn’t want to spend the time to teach management. “It’s always been the goal of companies to get the controls in the hands of management,” she says, but it’s been “more of a Year Two initiative.”

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

Montgomery notes that the plan was to create an internal-controls compliance strategy “with minimal distraction to the business,” that didn’t have internal auditors deviating from their daily, risk-based work, and that put someone at the helm who was dedicated to the compliance but also in the controller’s office. “We wanted to keep the ownership of the controls at the business level” she says.

Kmart’s Sarbox steering committee set the 404 project in motion by naming Montgomery as its leader. Comprised of the chief financial officer, the chief information officer, the chief compliance officer, the general auditor, and the SEC counsel, the group, which meets once a month, makes sure compliance is on time and fully achieved.

After the committee had assessed the company’s internal-controls risks and identified key controls, Montgomery trained managers in how to assume their compliance tasks. Next, she directed about 150 Kmart managers to document their own controls and draw up a standardized testing template. If the control rested at a supervisor level, for example, that’s where it would be tested. And the tester would be at least at the same job level of the person performing the control.

In its 404 compliance efforts, Kmart tried hard not to duplicate work, according to Montgomery. “We didn’t over-test too many controls, or [test] two controls that cover the same risk-and-control objective because that’s overkill,” she says.

Based on what she’s heard at industry gatherings this year, Montgomery said, “people tested too many controls this year.” Next year, however, “you’ll see a lot of scaling back,” she added.

Montgomery claims that Kmart saved money in comparison to what her peers might spend by using existing resources instead of hiring from the outside. To be sure, the company did pay out of its own pocket to get software by supplied by Movaris. The program provides Montgomery with an automated, closed-loop system for monitoring progress for internal- controls compliance.

The software provides E-mail reminders, escalation (E-mail alerts sent when the testing goes past a due date), and exception capability when a control failure is logged. The last kicks off another loop and gets other people involved to determine whether the failure was in the design or in operations, isolated or systemic, Montgomery explains. Managers then decide about how to deal with the failure based on such information, she says.

”Being a single person administering the process, I had to make sure nothing got dropped,” Montgomery explains. “It’s been, for me, a huge timesaver.”

Before the company implemented the software in the fourth quarter of 2004, many of the internal-controls checks were done by hand and highly labor intensive. To check progress on Section 404 compliance, Montgomery says, she had to either call people or manually click open individual folders on a restricted drive on the network where people stored their testing results.

The new automated system was implemented in 30 days. Now, when people are done with their testing, they click “submit,” and the report is locked in, incapable of being altered.

“I think it was less of a distraction by putting [testing responsibility] in management’s hands,” Montgomery added, because compliance was spread out.

While other companies are passing the testing of internal controls to their management this year, Kmart will be in its second year, making the work far easier, according to the controls director. Montgomery says management will simply review its existing controls and see if any changes are needed this year.

Those companies that will be teaching management to test controls this year, however, should be prepared to field a lot of questions. Kmart helped management’s transition by creating reference documentation that provides, for example, the best remediation for certain control failures. General reference documents, from case studies to definitions, reside on the Movaris system “if [the managers] need to refresh their memory,” Montgomery says.