Risk & Compliance

Company Size and 404 Compliance

There are ''pronounced differences'' between larger and smaller companies regarding Section 404 of Sarbox, especially in defining the scope of the ...
Stephen TaubJune 8, 2004

How companies approach compliance with Section 404 of the Sarbanes-Oxley Act varies widely, depending upon the size of the company, a survey has found.

According to Parson Consulting, which surveyed 96 finance directors and financial controllers of U.S. public companies, there are “pronounced differences” between larger and smaller companies, especially in defining the scope of the program and incorporating software applications. (Parson defines larger companies as those with a market capitalization of $1 billion or more, while smaller companies have a market cap ranging from $75 million to $1 billion.)

Take the issue of scope. Parsons found that 47.2 percent of larger companies reported taking a narrower approach to compliance — one that is focused primarily on financial reporting processes — compared with 27.3 percent of smaller companies. This is presumably due to the amount of time and resources required to address controls across the organization, according to Parsons. On the other hand, 41 percent of smaller companies are taking the broader approach of addressing operational as well as financial controls, compared with less than 28 percent of larger companies.

When asked what traditionally “nonfinancial” policies and procedures they believe will significantly impact financial reporting controls, survey respondents cited information systems (92.9 percent), risk management (73.8 percent), human resources (50 percent), supply-chain management (31 percent), and facility management (14.3 percent). However, respondents from the larger companies were more likely than their smaller-company counterparts to cite all of these categories, except for facility management.

The finance executives were also asked what they are doing to ensure that those traditionally nonfinancial processes are monitored and controlled. Fully 90.5 percent of all respondents said they are “documenting and communicating policies and procedures,” and three-quarters said they are including them in internal audit reviews. However, 33 percent of respondents from larger companies said they are implementing “technology enablers,” compared with just 20.5 percent at smaller companies. On the other hand, 29.5 percent of respondents from smaller companies cited employee orientation and ongoing training, compared with about 14 percent at larger companies.

Another interesting, but not too surprising, finding is that a majority of companies plan to integrate Section 302 certification with the implementation of Section 404; in fact, nearly 21 percent of companies integrated them right from the beginning. Less than 3 percent of larger companies plan to approach certification separately, compared with 13.6 percent of smaller companies.

Nearly three-quarters of all the surveyed companies either use specialized software applications for 404 compliance or plan to do so. One-third of respondents at larger companies cited the use of such software as critical, compared with only 20.5 percent at smaller companies. In fact, nearly 32 percent of smaller companies don’t plan to use software at all, compared with just 11.1 percent at larger companies.