Risk & Compliance

Sarbox 404 Goes into Effect Tomorrow

The deadline for testing and auditing internal controls is here, and companies are far from prepared.
Stephen TaubNovember 15, 2004

Although many companies are reportedly not ready for it, the era of internal-controls compliance begins in earnest tomorrow. That’s when Section 404 of the Sarbanes-Oxley Act goes into effect for all companies whose fiscal year ends after today.

There will be nothing to file on Tuesday. But by early next year, the vast majority of companies that report on a calendar-year will have to assess the effectiveness of their internal controls over financial reporting and state in their annual reports whether the controls are operating effectively. The companies’ outside auditors also must evaluate the in-house assessment and render an independent report on it.

Even though the Securities and Exchange Commission delayed the provision’s implementation date twice, a large number of companies are apparently not ready for prime-time compliance with 404. Last week, PricewaterhouseCoopers chairman Dennis Nally told a packed house of largely board audit committee members in New York City that the vast majority of public companies are nowhere near ready to meet the new law’s deadlines, according to BusinessWeek. “There’s a lot of risk out there,” Nally reportedly said.

A recent assessment by more than 700 PwC audit teams found that just 20 percent of clients are on schedule to complete their internal control reviews, Nally reportedly said. At least 10 percent of the client sample is at “extreme risk” of not finishing in time to get an auditor review, he added.

The tardiness is worrisome. If the auditors’ reviews aren’t completed in time, it’s possible they won’t be able to sign off on their clients’ annual reports, the publication pointed out.

Even meeting the compliance deadline doesn’t get a company completely off the hook. If critical control weaknesses are found during the internal review, the deficiencies must be reported to the board. If the board determines that the weaknesses could materially affect financial statements, the problem must be reported to shareholders, the magazine noted.

What’s more, Nally thinks, nearly 20 percent of companies could wind up reporting such weaknesses. According to the magazine, Tim Ryan, an audit partner at PwC, asserted that: “Across the industry, the number of companies that are behind on this is in the 10 to 25 percent range.”

But the real issue, said Nally, “will be how the markets will respond [to that news.]”

Overall, companies are spending a bundle trying to comply with the new law. A survey conducted by executive recruiter Korn/Ferry concluded that Fortune 1000 companies are spending, on average, $5.1 million to comply with Sarbox in general, and are projected to pay another $3.7 million in ongoing compliance bills, said a Financial Times report. The vast bulk of this cost relates to meeting Sarbox 404 internal controls requirements.

In August, Financial Executives International put the average cost of complying with 404 at $3.1 million.

4 Powerful Communication Strategies for Your Next Board Meeting