Print this issue
 View as PDF
Send us your comments

Management's Frequently Asked Questions

This first year of Section 404 compliance has been uncharted territory for everyone. The Internal Audit Practice at Amper, Politziner & Mattia has developed this brief to give our clients and friends the benefit of our knowledge, gained through our experience providing Section 404 preparation assistance.

What is Sarbanes-Oxley?
Sarbanes-Oxley is an Act designed to enhance corporate responsibility as it relates to financial reporting issues. Sarbanes-Oxley established new requirements and created an oversight and standards group called the Public Company Accounting Oversight Board or PCAOB.

Who is subject to the Sarbanes-Oxley Act? Public companies issuing securities, public accounting firms, and firms providing auditing services whether they are domestic or foreign must comply with Sarbanes-Oxley.

What is required for Sarbanes-Oxley Section 404?
In its annual report, the Company must report on internal controls over its financial reporting. Four key elements must be included in this report:

• Statement of Responsibility by Company Management (the CEO and CFO) for establishing and maintaining an adequate internal control structure and procedures for financial reporting.
• Statement identifying the framework used by management to evaluate the effectiveness of the Company's internal control over financial reporting
• Management's Assessment of the effectiveness of Internal Controls over financial reporting
• Attestation by the company's external auditor on Management's assessment of the effectiveness of the company's internal controls and procedures for financial reporting.

When is compliance required? Although the deadlines may change, currently publicly traded companies with a market capitalization greater than $75 million must comply with these new rules for fiscal years ending on or after November 15, 2004; other publicly traded companies must comply for fiscal years ending July 15, 2005.

What are the key steps we should take to prepare for Section 404?

• Assemble your team, or steering committee. This team should include the CFO, CIO, HR Director, all operational direct reports and any internal audit personnel.
• Conduct a "readiness assessment."
• Use the information from the readiness assessment to identify areas and priorities. Then, begin the "404 prep work" process:
• Planning
• Risk assessment
• Assessment of controls
• Testing
• Monitoring

We're a mid-size company with limited resources. Can we use our external auditor to help us prepare for 404? No. Sarbanes-Oxley forbids outsourcing internal audit work to your external auditor or having them assist in the design and implementation of your financial systems, since they're the ones who will have to opine on management's assessment of the effectiveness of the internal controls. Other (not all inclusive) services your external auditor may no longer provide include actuarial, human resources and investment advice. Most mid-size companies are hiring firms to assist them in this prep work. These firms can provide the non-audit services your external auditor can no longer provide.

Is there a "rule of thumb" as to when the company should begin the process? Ideally, we recommend that companies begin the process a year prior to the end of their fiscal year to ensure an orderly process. As noted above, the process begins with the assembling of your team. While this time frame may seem extreme, the first round of "accelerated filers" have taught us that enough time must be scheduled so that controls can be adequately tested, leaving sufficient time for any weaknesses to be corrected.

How much time should I budget for internal hours? Depending on the size and complexity of your company, it may be possible to manage the project by assigning one to three fulltime people to it. According to the FEI survey, companies with less than $100 million in annual revenues spend an average of 2,143 hours the first year. Adding the resources of experienced professionals to help you navigate the process is an option worth considering.

How much money should I budget for the 404 prep work and audit work for our company? The prep work cost will depend on the complexity of the company. Our experience has also shown that the external audit fees paid prior to Sarbanes-Oxley will likely double. Companies in the FEI survey also reported that they have spent an average of an additional $1 million on software and IT consulting to attain compliance with Section 404. Companies with less than $100 million in revenues will pay an average of $400,000 to $500,000 on software and IT consulting.

Are there other costs as well? You can also expect increased costs such as D&O premiums, recruiting of independent board members, and even increased Board salaries (due to the need for more oversight).

These new requirements and costs are imposing. Any options? Given the increase oversight of PCAOB and the SEC, there's really no option other than to comply if you intend to remain a publicly traded company. The potential for SEC sanctions, "qualified" opinions by independent auditors, and even potential litigation make noncompliance a non-option.

Therefore, if you intend to remain a public company, you can expect an increase in compliance-related costs and procedures. To minimize costs, be certain to select service providers with the experience and skills to meet these requirements in a cost-effective manner.

Should you decide that the requirements are onerous, we can envision three (3) scenarios:

1. Grow the company through increased sales and/or mergers/acquisitions. In this way, the compliance costs will be absorbed more easily.
2. Sell out.
3. Go private. While the costs of going private are significant, it may be a viable option. You may have a solid business with a good product and ready market that would be a great privately held business.