Sarbanes-Oxley 404: A Compliance Game Plan
June 2003 (Financial Executives International)
"Former CFO Pleads Guilty to Violating Sarbanes-Oxley." "SEC Suspends Partners Over Their Audit Work." "Financial Restatements, New Accounting Systems Identified as Red Flags." Headlines like these can disrupt the sleep of CEOs, board members, CFOs and other corporate finance executives. Their waking nightmare is to pick up a copy of The Wall Street Journal and find their company's name beside terms like "restated earnings," "accounting irregularities," "subpoenas" and "Justice Department."
Although the stiff penalties outlined in the Sarbanes-Oxley Act initially captured the attention of CFOs, they and their staffs are now scrambling to address the far-reaching but less-understood challenge of complying with the new law, and Section 404 in particular. Section 404 requires management to explicitly take responsibility for establishing and maintaining an adequate internal control structure.
The Securities and Exchange Commission (SEC) has acted swiftly to enact and clarify a majority of the new law's mandates since it was signed last summer. This includes the executive certification of quarterly and annual reports, stricter standards for external auditor independence, tighter time frames for filing 10-Qs and 10-Ks, the need for a "financial expert" on a company's audit committee, greater disclosure of off-balance-sheet arrangements and many other rules.
Uncertainty persists, however, along with the challenge of keeping abreast of ongoing guidance on the new law. In particular, uncertainty surrounding Section 404 continues as finance executives await clarification on many implementation issues. This should dissipate as the SEC provides further guidance and the Public Company Accounting Oversight Board (PCAOB) gets up to speed with its new chairman, former New York Federal Reserve Board President William McDonough.
The SEC and the PCAOB have made it very clear that they (not the AICPA) will issue the auditing standards regarding the review of internal controls and Section 404 attestation. These rules have not yet been issued.
While there is some uncertainty around implementation, the bulk of the work will be a rather straightforward (but significant) effort of documenting and assessing controls across the enterprise. The following practices should help finance executives address Section 404 compliance in a way that is proactive, effective and promotes transparency and good corporate governance.
Take action now. As it now stands, companies with fiscal year-ends falling after September 15 must comply with the internal controls assessment rule this year -- a process that requires significant time.
There are four distinct phases to 404 compliance.
Under the new law, external auditors will then attest to that report, which can be a time-consuming process, depending on how well the company assesses, documents, tests and reports. A good benchmark for calendar year-end companies is to complete initial assessment and documentation by the end of August, to give their external auditors enough time to do their attestation work.
Institute a formal project management approach. The scope of this effort should not be underestimated, and companies should bring sound project-management discipline to the project. Establish a project management office or, at the very least, assign a project manager who can work through each compliance phase and identify the details and milestones necessary to ensure that all deadlines are met. An ideal candidate is a project management professional or someone with comparable experience, such as the project management of a large-scale system implementation.
Adhering to deadlines is critical now, even with year-end six months down the road. External auditors want to conduct preliminary testing as soon as the process is evaluated, to avoid time and scope problems in their year-end attestations. Be cautious not to be too distant from the project leader or to outsource total responsibility for the effort.
Outside help and advice is important, but having your own team closely managing and taking responsibility is the best approach -- the internal control environment is a function and responsibility of management. In addition, a company's CFO is individually responsible for making the assertion on the effectiveness of the control environment.
Be mindful of auditor independence issues. Some external auditors, eager to do much more than preliminary testing, have embraced an aggressive interpretation of the independence issues at the heart of Section 404. For example, many external auditors will provide control-assessment software tools at no cost for client companies to use in their compliance efforts. Right now, that's acceptable, pending possible future guidance from the SEC or direction from the PCAOB.
Some external auditors go so far as to offer to serve as the "smart arms and legs" of the client company's project management office. That conflicts with the spirit, if not the letter, of the new law's independence rules because external auditors would be attesting to work that they themselves have performed. Companies with a focus on good governance are choosing to ensure their auditor's independence by distancing their external auditor from the documentation and assessment work related to Section 404.
Communicate closely with external auditors. A wise approach to auditor independence rules does not mean curbing communications with external auditors. On the contrary, management and external audit partners should continually interact throughout the compliance process. That line of communication helps assure companies that their assessments, documentation, testing and reporting are headed in the right direction, and it should lighten the attestation load (not to mention the cost of that work) external auditors bear at year-end.
Question out-of-the-box offers. Due to the significant effort involved, in many cases it may be necessary to seek outside compliance assistance. Corporate finance executives, however, should be skeptical of shrink-wrapped "silver bullets" and cost estimates that contain exact totals of work hours.
Are there neat software tools that can bolster compliance efforts? Yes. Can you pull off the shrink-wrap, load the software, hit "enter" and automatically comply with Section 404? Not by a long shot. It is the talent, experience and time commitment of the people on the project that will determine its success.
CFOs should raise their eyebrows when an outside firm proclaims up front that this should be a 10,000-hour engagement. Until a company completes a thorough assessment of internal controls, it is extremely difficult to take seriously any estimate of hours or dollars. For the fortunate minority of organizations with the most defined and effective control environment, a fee estimate might be reasonable. But for the majority of public companies, any specific estimate provided before the assessment phase seems highly unrealistic.
All of the practices above have a common thread: management's responsibility for the internal control structure. Any successful project should result in management having a better understanding of its own processes and controls. A truly successful project will also be more than a one-time compliance event -- it should be the start of an ongoing process of self-assessment, monitoring and improvement.
GEORGE P. HERRMAN is CFO of Jefferson Wells International, a professional services firm serving more than half of the Fortune 500 in the areas of internal audit and information technology controls, accounting/finance, technology and tax. Visit www.jeffersonwells.com/sarbanes.