Sarbanes-Oxley 404 (or "Sarbox" as it is commonly known) was enacted by the US government to tighten up financial reporting in the wake of Enron and other accounting scandals. Under Sarbox, senior managers are required to certify the effectiveness of their internal control procedures. Control information is subject to external audit and any weaknesses will be reported.
In addition to US companies, large Foreign Private Issuers (market value of more than $700 million) whose financial year ends on or after 15 July 2006 now need to provide Section 404 compliant management and auditor reports as part of their next annual filing to the SEC. Although smaller "accelerated filers" (market value $75 million to $700 million) still need to provide management reports as part of their next SEC returns, they have an extra year to enter their auditor reports.
Experience in the US, where larger companies have now completed their second year of Sarbox filings, has underlined the scale, complexity and, not least, cost of compliance. However, the good news from PricewaterhouseCoopers analysis of the latest returns is that the proportion of US firms receiving adverse reports identifying material weaknesses fell from 15% in 2004 to 6% in 2005. The results for financial institutions are especially encouraging. The proportion of banks receiving adverse reports decreased from 12% to 4%, insurers from 7% to 5% and investment managers from 7% to zero.
However, the costs and diversion of management resources are still needlessly high within many organisations. In particular, it would appear that many companies may be identifying and testing more controls than may be necessary. The documentation of internal controls is also often excessive and may be difficult to maintain on an ongoing basis.
The first and in many ways most important step towards more straightforward and sustainable compliance is simply allowing enough time. From judging what are the "key" controls through to verification and documentation has taken firms far longer than most originally envisaged. Ironing out any problems can also often take more time than expected. It is telling that 40% of the adverse opinions in year two related to weaknesses that had yet to be corrected from year one.
In setting their priorities, organisations also need to ascertain what aspects of their business pose the greatest risks to the reliability of their financial reporting. Year-end reconciliations are likely to be a particular focus as the most frequent material weaknesses within financial institutions in the US have related to audit adjustments or restatements. As such weaknesses are often pinpointed after the year-end, there is also little opportunity to remediate them before they generate adverse reports.
How PwC is assisting financial services organisations
PricewaterhouseCoopers is at the forefront of helping companies to embed Sarbanes-Oxley. This includes validation of key controls, integrating Sarbanes-Oxley into effective
anti-money laundering and
enterprise-wide management structures and helping to maximise the systems synergies of alignment with
Basel II,
Solvency II and
International Financial Reporting Standards.
