November 22, 2004

As a key section of the Sarbanes-Oxley Act took effect last week, companies continue to race against the clock to meet the act's rigorous financial-documentation and reporting requirements before the end of their fiscal years. And not all companies will make it.

Under Sarbanes-Oxley's section 404, most public companies are required as of Nov. 15 to include with their 2004 annual reports a statement containing management's assessment of the effectiveness of the company's internal financial controls, as well as corroborating statements from outside auditors. Companies whose fiscal year ends Dec. 31 have until March to issue statements.

Enacted two years ago in the wake of the Enron and WorldCom accounting scandals, Sarbanes-Oxley holds CEOs and CFOs accountable for producing financial statements that accurately portray their companies' financial conditions.

The difficulties surrounding compliance were highlighted earlier this month when SunTrust Banks Inc. revealed that it's unlikely it can state in its annual report that its controls are working effectively because accounting problems in its auto-loan portfolio won't be corrected before Dec. 31.


Regis has been testing its controls, making incremental improvements, CFO Didier says.

Regis has been testing its controls, making incremental improvements, CFO Didier says.

Photo by Raoul Benavides
PricewaterhouseCoopers LLP, which has a large compliance practice, reported last week that 70% of its clients have experienced "significant slippage" in meeting section 404 requirements, and 10% are at severe risk of not being in compliance. As many as 20% of companies will report "material weaknesses" in their annual reports, the Securities and Exchange Commission's chief accountant said in a recent speech.

The SEC earlier this year approved an auditing standard adopted by the Public Company Accounting Oversight Board, a nonprofit entity that the Sarbanes-Oxley Act established. But uncertainty over the standard and how accounting firms will interpret it is causing anxiety for compliance executives. "We weren't as efficient as we could have been in establishing our section 404 compliance program due to the changes brought by the SEC" and the oversight board, says Greg Buccarelli, director of finance at Novartis Corp., a pharmaceuticals company.

Novartis' efforts are on track, nevertheless. It has spent between $15 million and $20 million on its 404 compliance effort, documenting internal controls, testing them, and making fixes. To help it map controls for its financial-accounting system from SAP, the company last year brought in business-process software from Axentis Inc.

Companies benefit because they're being forced to scrutinize their business procedures, says Kyle Didier, CFO of Regis Corp., which operates 10,000 hair salons across the United States under brand names such as Supercuts. The company, whose fiscal year ends June 30, has been testing its controls for well over a year. "We're making improvements incrementally," Didier says. A central repository of documentation and testing results based on software from Movaris Corp. has made it easier.

No sooner will companies issue their assessments for this year's annual report than they'll begin the process for 2005. QuadraMed Corp., a provider of software for the health-care industry, has implemented Internal Controls Enforcer, a compliance tool from PeopleSoft Inc. QuadraMed will use Enforcer to assign responsibility for financial controls to business-process owners, says Kevin Haggerty, senior director of internal audit. The goal, he says, is to make the process sustainable and repeatable from quarter to quarter.

ABOUT THE AUTHOR