Myths and Realities of Sarbanes-Oxley

Choose an area of interest:

Member Sign Up
Member Log On
Edit Member Profile
Newsletters
Editorial Inquiries
Privacy Policy
Reader Profile
About Us
Contact Us
Advertise

Newsline
Columnists & Columns
Newsletters

Resources/Tools
Associations, Societies & Firms
Federal and State Link Library
Newsletters & Journals
CPA Exam Study Guides
Glossary of Terms

Search Jobs
Post Resume
Post Jobs/Search Resumes
Career Resources
Professional Designations
Internships
Colleges & Universities

Login to Professional Education Center
Login to FMN Online
Login to CPA Report Online
Login to FMN Self-Study PEC
Login to CPA Report Self-Study PEC
FMN Video Subscriber Center
CPA Report Video Subscriber Center
Accounting & Finance CPE Programs
Corporate Training
Ethics & Compliance
Association Reseller Program
e-Learning Consulting
Engineering Education Programs

Professional Education Center

Choose an area of interest:

Financial Executive
Myths and Realities of Sarbanes-Oxley
By Steve Wagner

December 2003 I'm no therapist. But considering all the frustrated executives I've encountered lately, I'm beginning to think that management therapy could be a lucrative sideline business. The source of this frustration? Sarbanes-Oxley Section 404 compliance.

These executives represent the spectrum of industries, but their symptoms are invariably similar:

distress over the complex Section 404 regulations;
anxiety over snowballing costs;
concern over the scope of the independent auditor's procedures;
apprehension over how to get all their Sarbanes-Oxley work done and still find time for the real business of their company.

Like a good practitioner, I listen closely to their concerns. I ask gently probing questions, and I attempt to calm their jittery nerves. "Your worry over 404," I intone sagely, "is understandable. You hear idle talk; you read speculative reports. But you should pay no mind, because much of this information is erroneous or exaggerated."

Now, I'm not just practicing pop psychology here. Sarbanes-Oxley has seeped so deeply into the businessperson's psyche that it has unleashed a flood of misconceptions. And these mistaken beliefs, if left unchallenged, can disrupt a Section 404 compliance project.

So please join me in a brief clinic to debunk these myths:

Myth No. 10
Sarbanes-Oxley is a huge negative.
If you do just enough to get by, this myth could come true, and you may find yourself in a quagmire of bloated controls, burgeoning expenses and enduring headaches. But if you embrace the spirit of the law - strong ethics, good governance, reliable reporting - you'll get a re-energized company and reassured investors.

Myth No. 9
My company can't afford to implement a system of internal control.
In my view, this statement is completely backward. In fact, companies can't afford not to implement a system of internal control. The penalties would be too severe and the market reaction too strong to consider anything but full and total compliance.

Myth No. 8
Information technology is not covered under Sarbanes-Oxley Section 404.
Given the reliance of today's businesses on information technology, virtually every system and process and related control in your organization will have some dependence on your IT system. Thus, your CIO should be deeply involved in your compliance work. Avoid the mistake made by many companies that treat IT controls separately. IT controls should be full integrated into your Section 404 project.

Myth No. 7
My company has plenty of time to deal with section 404 issues.
When the SEC relaxed its Section 404 compliance deadlines last spring, a collective sigh of relief was heard throughout the business community, and many projects were quickly relegated to the back burner, if not taken off the stove altogether. But it's time to get cooking again. You need to allow yourself enough time to fully test and remediate your controls, and to demonstrate that they are designed and functioning properly. It's not something that can wait until the last quarter.

Myth No. 6
Sarbanes is my auditor's problem, not mine.
If you believe this statement, then your auditor does indeed have a problem - with his/her client! In fact, Congress deliberately wrote Sarbanes-Oxley to ensure that companies themselves be held accountable for the accuracy of financial reporting and disclosure. Your auditor will check your work, but you have to provide the work to check!

Myth No. 5
There's still a great deal of uncertainty over rules and standards. I am going to wait until it's all sorted out.
Actually, virtually all of the standards have been finalized (auditing rules being the exception). And what has never been in doubt is the need to create a COSO-like framework of internal control. Getting the preliminary work done will take plenty of time; you can worry about nuances of the final auditing standard later.

Myth No. 4
Luckily, my company doesn't have a lot of controls to document, because we outsource many of our business functions.
As far as Section 404 is concerned, an outsourced business process is no different from one handled internally. In other words, if it impacts your financials, you are responsible for ensuring that the controls are effective. This may require you to directly test the controls at your outside service providers. Or, in some circumstances, you may be able to get an SAS 70 (type 2) report from the provider, which documents the design and operating effectiveness of their internal controls over financial reporting. (If you aren't sure if you can use the SAS 70, consult your business advisor.)

Myth No. 3
Section 404? We're already done!
This represents a clear case of wishful thinking, because the fact is that when it comes to section 404 compliance, you are never done! Compliance is a never-ending process. You have to monitor, evaluate, test, and remediate in perpetuity, and if you don't have systems in place to do so, you are a long way from done.

Myth No. 2
We only need to deal with the big picture; our auditors won't be interested in the details.
Actually, your auditor is keenly interested in the details. Your auditor is charged with verifying that your controls are effective, and the only way to do that is to examine your controls at a detailed level.

Myth No. 1
If my controls are deficient, it doesn't really matter. I can always fix the problem in the next period.
Popular opinion notwithstanding, reporting on internal control is not analogous to closing your financial books. For example, when you close your books, you can always make post-closing adjustments if you discover an error. But once you complete your year-end assessment of internal controls, it's done. Material weaknesses uncovered after the fact cannot be retroactively adjusted, and such untimely discoveries will require your auditor to issue an adverse opinion.

You don't need a therapist to tell you that a clear eye and a level head are prerequisites for any Sarbanes-Oxley Section 404 project. Your compliance work will be challenging enough without laboring under misconceptions. So take a dose of the myth-busting medicine prescribed above. And feel free to dispense it to your colleagues and associates. Good business health awaits!

STEVE WAGNER is a partner at Deloitte who concentrates on corporate governance and internal control. He can be reached by telephone at 617.437.2200 or via email at swagner@deloitte.com.

Return to Financial Executive

FEI's flagship publication, Financial Executive magazine, has won another award -- an Eastern Regional gold (first place) award from the American Society of Business Press Editors (ASBPE) in their annual competition. FE won in the editorial division for its March 2002 special section on "Best Practices." This is the fourth juried award FE has won in the past two years. The award was presented in Boston on Monday, June 9.

2003 Financial Executives International. Reprinted with permission.

		Related Stories

		Streamlining HR Processes to Improve ROI 'Offshoring' Drive for Savings Accelerates Is Technology Delivering on its Productivity Promise?


		Related Courses

		Professional Education Center

Would you recommend this article?

5 (yes, highly)
4
3
2
1 (no, not at all)

Comments: