Quarterly Update for Benefit Plan Sponsors: 2nd Quarter, 2004

Sarbanes Oxley Section 404 Implementation Discussion with FEI Companies

Financial Executives Research Foundation

Issue Alert

June 2003

Sarbanes Oxley Section 404 Implementation Discussion with FEI Companies Prepared by FERF Purpose Listed below are some member companies’ reactions to the final SEC rules on Section 404. The rules delay the implementation of 404 requirements for the majority of filers to the end of fiscal years ending on or after June 15, 2004.

Has your company changed its implementation timeline? Overall, FEI companies continue to move full speed ahead on their 404 Implementation efforts. However, the delay has provided companies the ability to contain costs by delaying implementation to 2004 in some areas. These areas include documentation, selection of technology solutions, installation of risk control tracking software or reconsideration of working with outside consultants to perform documentation work. Under the revised timing, costs can be contained, as these activities will be performed in-house in conjunction with normal audit work, post system implementation, and acquisition or divestiture activities. The additional time is also allowing companies to have both their internal and external auditors perform limited testing in a “dry run” scenario to give all parties comfort that controls will meet the requirements. Most of this testing is expected in the 4th quarter. Any informal assessments will be used to further fine tune implementation efforts. Some companies not performing “dry run” testing are having their audit partners review processes prior to implementation to verify necessity, to make sure companies are asking the right questions, and to identify the right internal control exposures. For these companies internal audit will perform some testing in 2003. Most companies indicated that they will not formally report as of the end of the 2003 fiscal year, but will continue to report the status of all 404 work to their already active audit committees. What is the biggest hurdle FEI companies faced regarding Section 404 implementation? The accelerated timetable was the biggest hurdle facing FEI companies. This hurdle has been alleviated with the issuance of the SEC’s final rules. As indicated earlier, implementation for the majority of filers is now 2004.

Is internal control documentation preparation being outsourced? Most companies prepare internal control documentation internally, with few exceptions. Generally speaking, companies have moved away from outsourcing with the extended timeline. Regardless of who prepares documentation, external auditors are continually kept informed of both existing and new processes. What role is internal audit playing in Section 404 implementation? Each company wants the process owner to be responsible for establishing, documenting and testing the controls, where possible. However, the role of internal audit is evolving into a secondary, though still very important one, providing an additional layer of testing. For the most part, internal auditors are informed of process changes, but similar to the external auditors; internal auditors still independently test the business unit or division. Overall, internal audit efforts are being optimized with regard to verification and testing of controls. However, concern remains on how much companies will be able to use internal audit to contain costs, particularly since the Public Company Accounting Oversight Board is still in the process of finalizing new rules around the attestation requirements. Are external auditors documenting your internal control process? Generally external auditors do not directly document the process, but all companies keep their external auditors continually informed of both existing and new processes. The final SEC rules note that “auditors may assist management in documenting internal controls. When the auditor is engaged to assist management in documenting internal controls, management must be actively involved in the process. We understand the need for coordination between management and the auditor; however, we remind companies and auditors that management cannot delegate its responsibility to assess its internal controls over financial reporting to the auditor. The rules adopted today do not amend the Commission's rules on auditor independence.” What level of guidance have you received from your external auditors regarding documentation, testing required, timing of their testing, etc.? The level of guidance given by the external auditor seemed to depend on the individual audit partner involved. There was no consistent answer among the FEI companies. However, the expectation is that companies will ask auditors to give comfort on underlying controls across all businesses and cycles. Most of the future work will involve actual testing and determining what remediation activities are needed. Again, an overall concern was that external audit would rely less on of internal audit work, and that there has been some experience that auditors are calling for a high number of processes to be tested beyond solely material areas.

Overall, it was felt that an active dialogue with the external auditors was of utmost importance. What level of documentation are companies planning on retaining, and in what format? Standardized documentation includes flowcharts and narratives guided by COSO principles with segments attesting to comfort at their respective levels. Testing of documentation will primarily take place using a Q&A approach and format. The Q&A documentation will provide the backbone for any detailed testing. Companies felt that detailed testing will incorporate a revalidation of procedures. Processes also include reviews of existing procedures to cover any gaps with regard to the new rules and a separate internal and external audits every year; one company’s testing process uses a team made up of internal and external auditors and members of their controllers organization and involves spot checks on controls with subsequent representations to corporate headquarters based on testing. What % level of coverage are companies achieving with self-assessment procedures? Levels are established at each company based on what the management team is comfortable with. All companies are working with their external auditors to set up guidelines to determine what kind of coverage will be acceptable to both parties. Generally, coverage of balance sheet and income statement accounts appear to range from 75% to 85%. Is internal audit, the process owner, or an outsourced group performing selfassessment activities? Again in an effort to contain costs and create ownership at the business process level, the reporting unit is completing the self-assessments, and taking responsibility for documentation and corrective actions. Based on this process the business comes up with conclusions on its control structure. Broader reviews and limited testing will be performed by internal audit to ensure that representations to corporate are correct. In one case, a business controls organization has been established to report to each business unit independently from internal audit. What system will be used to store documentation and drive self-assessment? This is extremely variable by company, from internally developed software to third party software. Third party software varies from that offered by the Big 4 (not their external auditors) to other 3rd party vendors.

Training involves facilitators from internal audit or the business unit depending on the company. Some companies are using a “train the trainer” methodology. Training involves documentation and self-assessment procedures along with specific instruction for input into the new 404 software packages that have been purchased. Other methods are a “just in time” approach concurrent with the audit cycle What resources do you see being dedicated to this process for initial implementation? Prior to the SEC extending the effective date for compliance, an informally survey of FEI members about their cost estimates to implement Section 404 indicated that the costs would be significant. (The following results are based on 83 responses from public companies with annual sales revenue averaging $3.27 billion conducted the week of May 19.) Members projected that their company employees would be spending an average of 6,700 hours evaluating and enhancing corporate internal controls this year, and that they expected additional spending averaging $480,000 for such things as evaluation software, outside consulting and employee training. These costs were separate from those necessary to cover the independent auditors attestation. Members said they expected annual audit fees to increase over 35% to cover auditor attestation Other current issues include: internal control documentation for taxes, capital allocations and operating risk—some companies are linking capital allocation to control assessments, and audit firm rotation—some companies have placed their audits out for bid and some are determining whether the bid process should be systemic every few years.

*** Copyright © 2003 by Financial Executives Research Foundation, Inc. All rights reserved. No part of this publication may be reproduced in any form or by any means without written permission from the publisher. Financial Executives Research Foundation, Inc. is an affiliate of Financial Executives International. The purpose of the Foundation is to sponsor research and publish informative material in the field of business management, with particular emphasis on the practice of financial management and its evolving role in the management of business. Order this and other Research Foundation publications by logging on to www.fei.org/rfbookstore/. Discounts available to FEI members and Foundation donors. The FEI Research Foundation is a 501(c)(3) independent nonprofit educational organization. The Foundation relies on voluntary, tax-deductible contributions from corporations, FEI chapters and individuals. The Foundation receives no portion of FEI membership dues. Report authored by Financial Executives Research Foundation (FERF) research director, Cheryl de Mesa Graziano, and Editorial Advisory by Marla Markowitz Bace, FERF EVP and COO.