Section 404 Compliance: Lessons Learned

On May 10, 2006, the U.S. Securities and Exchange Commission (SEC) held a roundtable discussion on the second-year experiences with the internal control reporting and attestation provisions of the Sarbanes-Oxley Act of 2002 (SOA). The following week, both the SEC and the Public Company Accounting Oversight Board (PCAOB) announced their plans to follow up on the roundtable results and other feedback they have received. Because of these developments, and because many accelerated filers are either preparing for or executing their third year of Section 404 assessments, it is a good time to reflect on lessons learned. This exercise can provide valuable insights not only for accelerated filers, but also for foreign filers and U.S. non-accelerated filers who must complete their Section 404 assessments by the end of calendar year 2007. In this issue of The Bulletin, we have outlined seven lessons for improving processes and compliance approaches.

Deploy a top-down approach to focus on what’s important

A top-down approach still has not been applied in a manner that effectively reduces the extent and/or alters the timing of independent testing in routine processes with alternative sources of evidence. Management fraud most often has been perpetrated at the company level and in the period-end financial reporting process, and not within the upstream routine business processes. Despite that history lesson, most of the Section 404 compliance work is targeted to the process-level controls. There are at least three reasons for this costly incongruity:

  • First, the number of key controls is excessive, resulting in inordinate independent testing. While most issuers have reduced the key controls their personnel must test, many have more work to do.
  • Second, company-level controls are more difficult to test than process-level controls. Because auditors generally prefer evidence from re-performance and inspection tests, they place more weight on testing process-level controls.
  • Finally, management has not fully deployed company knowledge in setting the scope for its assessment process. Management’s assessment process remains substantially auditor-directed because of the focus on reducing external audit costs, and a reluctance to modify the compliance process when auditors conclude they must increase their testing if the modifications are put into effect.

The result is that management is diverted to spend more time on less important matters. There are three steps managers should take:

  1. Because the number of key controls to evaluate and test is the most important cost driver of the compliance process, companies should continue to refine their analysis of key controls to narrow them down to the vital few that really matter.
  2. Managers should place more emphasis on evaluating company-level controls to reduce the extent and/or alter the timing of independent testing of process-level controls with alternative sources of evidence.
  3. Finally, when setting the scope of independent tests of process-level controls, management should fully utilize its knowledge based on its day-to-day involvement with processes and the underlying controls. This is discussed further below.

At the SEC roundtable, everyone agreed that audit committee oversight, “tone at the top” and other company-level aspects of the control environment, as well as controls over the period-end financial reporting process, are vital to reducing the more significant financial reporting risks. The SEC reported that commentary it had received, both during and prior to the roundtable, suggests that management assessments under Section 404 have not fully reflected the top-down, risk-based approach the Commission intended. The PCAOB committed to revise Auditing Standard No. 2 (AS2) to sharpen the auditor’s focus on areas that pose higher risk of fraud or error.

Consider qualitative and quantitative factors to implement a truly risk-based approach

Many companies applied a conservative approach in the initial year of compliance, and may have been overly inclusive of areas to evaluate and test. Because of the limited time available in the second year and the cost reductions made possible by the significant first-year documentation and remediation costs, many companies only updated their risk assessment for changes in the business, but did not take a hard enough look at the areas noted in the prior year as “high” or “moderate” risks to ascertain whether those determinations were still appropriate.

Last year, the PCAOB staff indicated that “quantitative measures alone are not determinative as to whether an account should be identified as significant.” Since that guidance was issued, significant traction in applying it in practice has not occurred. In addition, the audit process is largely focused on applying quantitative measures of account-level materiality, which was another point of debate during the roundtable. The PCAOB is likely to address these and other related matters in amending AS2 so that qualitative and quantitative factors comprise the total mix of information that is available for determining the significance of an account and the nature, timing and extent of tests of controls.

It is our experience that management considers qualitative as well as quantitative factors when assessing risk. An effectively coordinated companywide risk assessment process offers an opportunity to reconcile management’s perception of risk with that of the auditors, and vice versa, and should be encouraged as an approach to initiate constructive dialogue between the parties. If testing continues to be conducted in areas where, in the view of management, the risk of material error or fraud is relatively low, management should refine the prior-year risk assessment by giving more explicit consideration to supplementing the quantitative materiality factors with qualitative factors, e.g., the nature and significance of possible error or fraud that could occur in an account (i.e., “what can go wrong”), the susceptibility of an account to error or fraud, the robustness versus subjectiveness of the processes for determining significant estimates, the nature and effect of related party transactions, and the testing experience and problem areas from prior years that may require attention during the current-year assessment. While the external auditor’s expectations and requirements will continue to influence the scoping of management’s assessment process, qualitative factors should at least be considered when planning the nature, timing and extent of independent testing.

Optimize IT controls to increase the cost-effectiveness of the controls portfolio

Use of automated IT controls remains an area of “mystery” to many management teams and sometimes to auditors as well. The cost of relying extensively on manual controls in sophisticated financial reporting processes never has been as evident as it is today. Not only do manual tests of controls by companies and their auditors require much time and effort, they are not always reliable in sophisticated environments. The costs inherent in this labor-intensive compliance approach are incurred each year until management reevaluates the controls portfolio with an eye towards balancing the mix of automated and manual controls to increase controls cost-effectiveness. Because an automated control takes substantially less time to test than a manual control, the savings can quickly add up. For example, manual controls require an inspection of each sample occurrence, often embedded in reams of documents, whereas an automated control only requires a one-time observation of either an application’s performance or an ERP configuration setting, provided it is designed, maintained and secured effectively. Testing of a remediated manual control requires additional sampling versus the real-time resolution and retesting of an online control.

Apply continuous process-level testing techniques to improve reliability of results

For data-intensive, high-volume transaction processes, management can deploy automated monitoring tools and data analytics to evaluate processing results on a more comprehensive and reliable basis than sample-driven manual testing. In fact, use of these tools can eliminate the need for performing labor-intensive manual tests of controls. For data-intensive and high-volume processes like accounts payable, cash applications or payroll, management should replace manual testing with continuous monitoring. This shift in emphasis also should reduce substantially the need for periodic manual auditing. Finally, the comprehensive coverage of continuous process-level monitoring also makes the testing process value-added because it can lead to operational improvements.

Improve operational effectiveness and efficiency of upstream financial reporting processes

Most of the cost increases from Section 404 compliance are internally driven. According to Table 8 included in Appendix I of The Final Report of the Advisory Committee on Smaller Public Companies to the SEC, the audit and audit-related fees increased for accelerated filers in 2004 by approximately 50 percent over the prior year. A study by AMR Research (AMR) points out that costs incurred by companies, inclusive of external audit costs, increased by more than 100 percent during the same period. A more recent AMR study of larger companies noted that only 19 percent of financial executives report their companies realized the cost savings they expected during 2005. This conclusion is reinforced by a recent Financial Executives International study that also indicated cost reductions in 2005 fell below expectations. Thus, many companies have expressed, and continue to express, the view that Section 404 compliance costs need to be reduced by making the compliance process more cost-effective.

A significant portion of the total cost of financial reporting lies within the upstream business processes that initiate, authorize, record, process and report routine transactions. These processes include procure-to-pay, conversion, order-to-cash, capital expenditure and treasury, among others. As companies begin to understand that high compliance costs are largely a result of high-cost transaction processes, they see opportunities for: eliminating redundant activities, platforms and other nonessentials; simplifying and standardizing processes; centralizing common and similar activities; improving the mix of automated and manual controls; and transforming inefficient “detect and correct” controls to preventive controls that “build in” versus “inspect in” quality. As processes are improved to address these opportunities, the better mix of controls will lead to more efficient controls testing for both the company and the external auditor.

Many companies are seeking to optimize their compliance costs through improved “filtering” of the controls population to evaluate and test only those controls that matter. While this strategy is sound, it has just about run its course for many accelerated filers who have completed their second year. If there isn’t a strong focus on improving the capability, transparency and operational performance of financial reporting processes, and on strengthening company-level controls and monitoring processes, companies will end up planning their Section 404 compliance activity for subsequent years around a high-cost internal control structure. This compliance activity will likely continue to emphasize heavily the minutiae of detailed manual testing of routine process-level controls.

While we agree that the conversation around “pass-fail” and managing external audit costs is important, we believe that this conversation can only go so far in gaining traction as to improving compliance cost-effectiveness. In Years Three and Four, the Section 404 conversation should focus more broadly on “process capability,” as determined by the quality, time and cost performance of the upstream business processes as well as the extent of financial reporting risk sourced within those processes. Companies choosing to deploy the transparency provided by Section 404 compliance as a means to improve the quality of their upstream financial reporting processes, and institutionalize the compliance process around high-quality financial reporting processes, are experiencing further reductions in their compliance costs.

What’s the message? Management should get the company’s internal control structure in order by directing attention to improving the operational efficiency and effectiveness of upstream financial reporting processes, including the underlying internal controls embedded within those processes. By taking that approach, companies not only drive down internal processing and management assessment costs, but they also are able to reasonably expect external auditors to align their audit approaches with the more effective controls design.

Incorporate management’s knowledge of controls into the assessment process

On May 16, 2005, the PCAOB staff issued the following guidance to auditors: “Management’s day-to-day involvement with processes and the underlying controls provide a broader array of procedures to achieve reasonable assurance for purposes of its assessment of internal control over financial reporting than the auditor has available.” The nuances of this guidance are not widely understood. Many companies continue to operate under the constraint that they must have the same body of evidence as the auditor, i.e., they must always independently test in areas in which the auditor concludes such testing is necessary.

Some illustrations may be useful. If management decides to rely solely on self-assessment[1] in low-risk areas, the external auditor may conclude that he or she needs to perform additional testing in those areas because they fall within his or her quantitative scoping threshold. If management decides to rely on company and/or process-level monitoring in lieu of detailed independent testing in selected moderate to low-risk areas, the external auditor may decide to perform additional testing in those areas as well. This disparity is inevitable as management relies on its “day-to-day involvement” and evaluates over time relevant qualitative factors the external auditor may choose to ignore in deference to a quantitatively focused scoping approach. Such disparity should have no impact on the auditor’s evaluation of management’s assessment process, so long as management is able to articulate an effective rationale supporting the company’s approach, and has a point of view as to the high-risk areas with which the auditor concurs.

If the external auditor decides to test areas not independently tested by the company, management can still decide to perform that testing to support the attestation process. The result is that executive management and the audit committee will better understand who is driving the cost of compliance and by how much. In addition, the testing by the external auditor in areas regarded as “low risk” by management can be monitored over time by the audit committee to ascertain whether it surfaces meaningful results. If it does not, questions eventually will arise as to whether the lack of benefit from performing such testing merits the cost.

Don’t wait for Washington to act

Audit scopes and approaches did not change significantly in 2005 following last year’s roundtable because PCAOB examiners were still in the field. Auditors were understandably reluctant to modify their firm’s audit methodology while that methodology was being reviewed by the PCAOB inspection division. Companies can expect the same during 2006.

In its post-roundtable announcement, the SEC laid out a plan for issuing guidance to management to assist registrants in their performance of a top-down, risk-based assessment of internal control over financial reporting (ICFR). Pursuant to that plan, the SEC published a Concept Release as a prelude to its forthcoming management guidance. Now that the comment period for the Concept Release has expired, management can expect the Commission to issue guidance in the near future. However, the timing for the issuance of that guidance in final form is not clear at this time. In addition, while the PCAOB did not specify the timetable for its forthcoming amendments to AS2, the Board reported that it will phase in any amendments by establishing effective date(s) that would minimize any unnecessary disruption to ongoing audits of ICFR, and would not hinder the auditors’ current efforts to fully implement the guidance issued on May 16, 2005. The message: Management should focus on doing the right thing in applying the above lessons, and should not wait for the SEC and PCAOB to act.

The lessons learned, as articulated in this issue of The Bulletin, indicate that organizations with the most effective internal controls need not be the ones who spend the most money to get them. Companies using a truly top-down and risk-based approach, optimizing their IT controls, deploying continuous monitoring techniques, and improving the operational effectiveness and efficiency of their upstream financial reporting processes, are the ones most likely to have in place a high-quality and sustainable internal control structure. As they achieve superior quality, time and cost performance, these companies will unlock the value in Section 404 compliance and demonstrate consistently the most cost-effective compliance process.

For companies implementing Section 404 for the first time, we have provided More Section 404 Lessons Learned as a supplement to this issue of The Bulletin. This supplement provides more granular lessons in such areas as: planning and organizing the project; documenting and evaluating controls design effectiveness; validating controls operating effectiveness; designing and implementing solutions for control deficiencies; communicating results; completing the overall project documentation and other important topics. The supplement is available at, along with other Protiviti publications, including Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements; Guide to the Sarbanes-Oxley Act: IT Risks and Controls and Guide to the Sarbanes-Oxley Act: Managing Application Risks and Controls.

Key Questions to Ask

Key questions for board members:

  • Has management reported to the board its plans to improve the control environment, the entity-level and process-level monitoring processes, and the mix of automated and manual controls?
  • Are you satisfied with management’s risk assessment process, and the substance of the dialogue it drives between management and the company’s external auditors? Would the company benefit from an effective enterprisewide risk assessment process that is more comprehensive than financial reporting?
  • Are you satisfied management has a plan to identify and address opportunities to improve the quality, time and cost performance of upstream business processes that feed financial reporting?

Key questions for management:

  • Is your Section 404 compliance process truly top-down and risk-based? Have you optimized the mix of your IT and manual controls? Are you deploying or investigating the use of continuous monitoring techniques in data-intensive, high-volume transaction processes? If the answer is “yes” to any of these questions, how do you know? If “no,” what action will you take over the next 12 months?
  • Are you benchmarking your upstream financial reporting processes and sourcing root causes of performance gaps to improve the operational effectiveness and efficiency of these processes? If not, what action will you take over the next 12 months?
  • Have you transformed the focus of your internal Section 404 dialogue from “pass-fail and managing external audit costs” to “process capability and managing total compliance costs”?

[1] As discussed in Issue 1 of Volume 2 of The Bulletin, a self-assessment process is a predetermined approach whereby managers and process owners self-review or self-audit the key controls for which they are responsible and communicate the results to management. Important characteristics of a self-assessment process include: predetermined questions approved by management, criteria for supporting responses, rigorous deployment throughout the organization, timely follow-up and resolution of issues, and periodic internal audit testing of results.

The Bulletin (Volume 2, Issue 8)