Efforts to Comply With the Sarbanes-Oxley Act in High Gear

Other Key sections of Sarbanes-Oxley
Other Key sections of Sarbanes-Oxley

The Sarbanes-Oxley Act passed in 2002, and gave U.S. public companies an extensive new list of rules to follow in financial reporting. Right away in 2003, companies had to comply with Section 302. That required CEOs and CFOs to certify the accuracy of quarterly and annual Securities and Exchange Commission (SEC) statements and disclosures. That first part of Sarbanes-Oxley compliance was relatively simple. It required few information technology (IT) upgrades and minimal changes to business processes. Sometimes, just the upgrade of document management systems or financial systems could handle the tasks. SAP Whistle Blower component, Audit Information System software and SAP R/3, already installed at many companies, could handle some early Sarbanes-Oxley requirements, for example.

John Hagerty
John Hagerty

But today, as 2004 has begun, Section 404 and 409 of the Sarbanes-Oxley Act are set to kick in. Companies are scrambling to get compliance projects ramped up and IT systems ready for what will be a major overhaul, in some cases. “This has more potential to cause significant changes in the architecture that supports decision making,” said John Hagerty, vice president of research for AMR Research in Boston, Mass.

Attestation of financial controls by an external auditor

Sections 404 and 409, says Hagerty, will be tougher to comply with than the earlier provisions. Section 404 requires attestation of financial controls by an external auditor. Companies have until June 15, 2004, or the end of their fiscal year 2004, whichever comes first, to meet this requirement. For some, that means the deadline for 404 compliance is just a few months away.
Section 409 requires real-time reporting of a company’s materially significant events. Although the SEC has not yet set a deadline for 409, it’s causing plenty of worry. Hagerty says for some companies, it will be bigger than the impact of Section 404, as it may have profound impacts on the IT architecture that supports analytics–with the requirement for rapid identification of events and assessment of financial impact. “This will be big and difficult for IT,” he said.
That’s the bad news. The good news is that most companies in the Fortune 1000 are well on their way with compliance projects. As of the end of 2003, 86 percent of companies were evaluating or implementing Section 404 solutions, says AMR Research. And 75 percent expect to have necessary Section 404-based work completed by mid-year, says Hagerty.
As for Section 409, 77 percent of Fortune 1000 companies are implementing or evaluating solutions now. Some 19 percent already have an operational solution in place, says AMR Research. Many companies, as many as 80 percent, are considering turning to their ERP providers such as SAP, for help with 404 and 409.

SAP helps companies take steps toward compliance

SAP Compliance Management for Sarbanes-Oxley Act allows companies to be secure in internal controls, to produce accurate and timely financial statements and to mitigate and monitor risks. mySAP Financials includes Audit Information System (AIS), which manages internal controls and provides whistle blowing capability. These tools integrate tightly with SAP R/3, and with all the solutions of the mySAP Business Suite, such as mySAP Enterprise Resource Planning, mySAP Customer Relationship Management and mySAP Human Resources.
Here are the key requirements of Sections 404 and 409 along with what SAP offers to help companies comply:

  • Section 404, Management Report on Internal Control over Financial Reporting. This section requires attestation of financial controls by an external auditor. And it requires executives to annually assess and report on their companies’ financial reporting and internal control capabilities. The deadline for this section was extended by the SEC to the fiscal year that ends on June 15, 2004, or after. SAP’s Management of Internal Controls (MIC) allows documentation, assessment and testing of the effectiveness of controls. SAP AIS allows structured monitoring and reporting. SAP R/3, SAP Business Information Warehouse (SAP BW) and SAP Strategic Enterprise Management (SAP SEM), can be helpful for this section too.
  • Section 409, Real-Time Disclosure. This section requires real-time reporting of all events that could effect a company’s financial performance. The SEC has proposed a 48-hour filing deadline for 8-K forms. The 8-K is an SEC form used by companies to report any material events or corporate changes that could be important to investors. The 8-K provides more current information than 10-Q quarterly or 10-K annual reports. The SEC has not decided an official deadline for this capability, but it’s got many CIOs in high-stress mode. SAP SEM tools can help.

Several facts to understand

At the beginning of Section 404 and 409 compliance projects, there are several budgetary and operational facts to understand, says Hagerty. First, companies should know that the projects will include all business units. Finance, IT, customer service, security and other areas will be effected by process changes and therefore must be included on teams to handle project planning and execution.
Specifically, Hagerty warns IT departments to plan 2004 budgets to include people’s time for participation on task forces and for potential software purchases and implementation costs. For some companies, costs could skyrocket in 2004 if they decide the only way to comply is to put a new system architecture in place and not just a piece of software or two.
If a new architecture is implemented, current and future budgets must include the associated costs. No matter what, IT budgets must include future management costs for Sarbanes-Oxley-compliant systems, says Hagerty. Sarbanes-Oxley requires a perpetual, long-term solution, not a quick, one-time fix.
As a best practice, Hagerty suggests that companies design what he calls an “Active Compliance Framework.” Executives, employees, compliance officers and external regulators should all be involved on an ongoing basis. Plans should include rigorous management of a variety of process layers, such as reporting and risk, documents and records, and security and audit control.

Budgets and Phases of Sections 404 and 409

With 404 looming, Hagerty lists four phases to compliance. The first three phases are documentation of controls, monitoring and evaluation of controls, and auditor attestation of them. The fourth phase is the long-term management and enforcement of those controls. It’s a critical step that must not be missed, he says.
Auditors have until fiscal year end to verify Section 404 compliance. But Hagerty says firms should not wait until the end of the year to finish 404-related projects. To ensure that processes run correctly, companies should get the necessary information to their auditors no later than one quarter before fiscal year end. Six months would be even better, he adds.
Companies should employ their internal project teams, but also expert, outside help, says Hagerty. This can help a company avoid over-documenting events, but instead document just the events that are of concern to the SEC. “Working with expert advisors can help you figure out what really is considered material versus all the extraneous things that may be immaterial,” he said.
As of the end of 2003, 51.6 percent of companies were using or planning to use an outside auditor on Sarbanes-Oxley teams. Some 22.6 percent were using or planning to use an IT vendor, 22.6 percent were using or planning to use a legal advisor and 22.6 percent were using or planning to use a consultant, says AMR Research.
With Section 404 looming and Section 409 a not-too-distant reality, Hagerty says that 2004 and 2005 will be trying years for some companies. They have a slight reprieve because the SEC has not yet determined how fast the real-time reporting requirements of Section 409 will be or exactly which events will have to be reported.
But, the SEC is likely to decide those specifics sooner rather than later. And Hagerty says smart companies are already in the midst of preparations. “You may have to change all the underpinnings of how information is transferred from one place to another,” he said. Sarbanes-Oxley Sections 404 and 409 are more than just financial issues, they include IT challenges that companies better be prepared to tackle.

Sarah Z. Sleeper
Sarah Z. Sleeper