Risk & Compliance

Section 404, Year Three: Ready for IT?

A body of knowledge about information technology and internal controls doesn't exist, say roundtable panelists; companies and auditors haven't deve...
Marie LeoneMay 10, 2006

See our special report on “The 404 Debate.”

At CBS, managers are satisfied with the media giant’s progress in developing and refining business processes to comply with Section 404 of the Sarbanes-Oxley Act. But before the information-technology systems used in the controls process attain a similar level of quality, says corporate controller and chief accounting officer Susan Gordon, the company has a long way to go.

Gordon spoke during Wednesday’s roundtable discussion about second-year experiences concerning Section 404 implementation. The day-long discussion among regulators, corporate executives, auditors, and institutional investors was conducted by the Securities and Exchange Commission and the Public Company Accounting Oversight Board.

During 404 audits, Gordon found that about 90 percent of the company’s controls over financial reporting were manual; during the next year, she hopes to cut that down to 80 percent. She takes some solace, however, in the knowledge that CBS is far from alone on the automation curve: its outside auditor still relies on questionnaires to assess the company’s IT systems. What’s more, the questionnaires aren’t tailored to CBS, and they don’t take the risk-based approach that the auditor uses to assess the company’s other internal-controls functions.

The problem, panelists agreed, is that a body of IT knowledge about internal controls doesn’t exist; it’s too early in the regulatory process for companies and auditors to have developed the practical experience that usually accompanies audits and testing. The combination of internal controls and IT “is an evolution,” said Tom Szlosek, vice president and controller of Honeywell International. According to Szlosek, companies first focused on financial integrity, then on backing up financial statements, and now they are looking at backing up the backup systems with IT.

James Turley, chairman and chief executive officer of Ernst & Young, noted that in the case of Section 404, IT is first applied to automation, then to deficiency detection, and finally to deficiency prevention. “Sarbox 404 is an opportunity for companies to migrate from detective controls to preventive controls,” added Peter Minan, national managing partner at KPMG. It also affords the opportunity to reduce the scope of external audits, said Minan, as well as the worker-hours employed in testing.

IT for the little guys is a different story, maintained Stephen Sherwin, chairman and CEO of Cell Genesys, a small-cap biotech company. “In a nutshell,” he said, “the problem is lack of adequate staff and infrastructure.” Developing or enhancing IT systems forces smaller public companies to seek outside consultants — usually a second audit firm — said Sherwin. That added expense, he observed, may mean that the cost of 404 compliance for smaller companies will never drop significantly.

“One of the consequences of the increase of IT [in the 404 process] is the increased cost of SAS 70,” concluded Lee Level, corporate vice president of systems integrator Computer Sciences. The Statement on Auditing Standards No. 70 spells out how to assess the internal controls of an outsourcing service provider and issue an attestation report to outside parties or to a client. According to Level, his company’s SAS 70 costs have tripled since 404 went into effect. “There is a cost to go with the benefit,” he added, “but we love it.”