
To Survive Sarbox, Document the Obvious

Your company probably has had self-assessment in place for years; now it's time to formalize the process.
Stephen Taub, October 28, 2003

Internal controls. Attestation. Accelerated filings. Audit committees. Financial experts.

Complying with all of the provisions of Sarbanes-Oxley as more and more rules go into effect is enough to keep finance executives up at night — if not from worrying whether they are complying correctly and on time, then simply from finding time to perform their growing roster of daily tasks.

No doubt, finance pros are also mindful that they’ll be contending with auditors who will be tougher, more demanding, and much more conservative than in recent memory, now that the Public Company Accounting Oversight Board (PCAOB) is beginning to audit the auditors.

Lee Puschaver, chief accounting officer of FleetBoston, recommends that finance execs relax, calm down, and leverage existing processes. And document the obvious. “You had to be doing a number of things right over the years,” he says. “Turn them into internal controls.” If, for example, your legal counsel uses outside people, turn that into an internal control.

He adds, reassuringly, that “Mistakes and errors do happen.” So, don’t sweat it too much.

Puschaver is one of three senior finance executives from major corporations who discussed making practical decisions on record-keeping, disclosure, and internal monitoring during the October 30, 2003, quarterly CFO Roundtable webcast. He was joined by Jesse Greene Jr., vice president and treasurer of IBM, and Jay Haberland, vice president of business controls of United Technologies. (View the webcast archive.)

The discussion centered on the new requirements under Sarbanes-Oxley, ranging from the demands of the new accelerated filing rules, to new rules for audit committees, and even to treatment of off-balance-sheet entities.

The two provisions that seem most on senior financial executives’ minds are Section 404, on internal controls, which goes into effect in mid-2004, and Section 303, on certification of financial results, which was one of the first provisions to go into effect after the Act was passed in July 2002.

“The most expensive and time-consuming provision is clearly 404,” says Haberland.

No Need to Start from Scratch

Section 404 requires management to establish and maintain an adequate internal-control structure and procedures for financial reporting and to assess the effectiveness of the company’s internal-control structure and financial-reporting procedures.

Developing these internal controls, as well as the required documentation, is not a matter of starting from scratch. Many companies have had a self-assessment process in place for years; Sarbanes-Oxley simply required companies to formalize the process, and document it. “The big change for us is the level and consistency of the documentation and the consistency of the testing,” insists Haberland.

United Technologies, for example, has more than 400 reporting units worldwide, all of them requiring their own sets of controls. In the past, the company wasn’t as specific about documentation and testing of these controls. That’s changing.

“We’re getting more structured,” explains Haberland, both in the items that are documented and in the testing controls.

Haberland points out how important it is for companies to coordinate with their auditors, who by year-end will have their own rules and procedures in place. Work with your auditors, says Haberland, and understand the minimum requirements needed to make them comfortable when they assess your internal controls.

That’s the short-term goal. The long-term goal, of course, is to make Section 404 part of your company’s fabric, so you’re not scrambling each quarter and year to comply.

The Bigger They Are…

Another key issue, tied to a company’s internal controls, is the requirement that the chief executive officer and chief financial officer certify their company’s financial results. This is especially difficult for larger companies that drive down certification a number of levels of management, says IBM’s Greene. “It’s the hardest thing,” he concedes. “They must really understand their business or you’ll miss things.”

When it comes to certification or establishing internal controls, Greene explains that the most important issue is materiality. What exactly is significant enough to be reported? How small must a transaction be to be considered small? “The bigger the company, the more flexible you can be on size,” he adds.

For example, in a company like IBM, which could rack up $88 billion in revenues this year, is $1 million significant? “Probably not,” Greene allows. Of course, smaller companies will have their own thresholds.

Size, though, is just one issue. Materiality also comes into play when it comes to off-balance-sheet items, variances from standard contracts, and side letters, to cite a few other examples.

“The certifier must have internal controls and processes in place to give visibility to the business flows and risks,” explains Greene. He stresses, however, that “material” is still ultimately a judgment call, based on one person’s experience and knowledge. That said, you still must bring objectivity and facts to the process. And the process must be repeatable, consistent, and auditable.

At the end of the day, says Greene, executives should ask themselves two questions while preparing and certifying their controls and financials: What will get you in trouble? And what will keep you out of trouble?

“Many of the frauds,” contends Puschaver, “were honest mistakes” — individuals had the correct information but didn’t deal with it correctly.

Adds Puschaver: “Sarbanes-Oxley is like going to the dentist. The anxiety is usually worse than the actual experience.”
