In mid-May the US regulators issued further guidance on Sarbanes-Oxley
Section 404, prompted by an SEC round table a month earlier, at which many
commentators recognised benefits arising from the first-time application of s404
but, at the same time, voiced concerns over costs.
Adding up the cost of compliance is difficult but it is true that US
corporations have found the first-time application of s404 far more expensive
than anyone envisaged. Earlier this year the finance director of one
multinational bank wrote to the SEC predicting that external costs of
implementing s404 would be in the region of $50m, and internal resource
reallocated to s404 likely to be twice this. Early indications suggest that many
US corporations spent at least this much on first-time compliance. Some spent
Much of this expenditure can be attributed to two factors. First, the initial
set-up costs are very high – for example, it is necessary to document relevant
systems of control in year one, but few are expecting to carry out a major
documentation exercise in future years. Second, many US companies geared their
s404 projects towards the end of the calendar year and, as a result, efficiency
suffered as pressure to complete them intensified.
In response to the perceived high costs, the US regulators have sought to
emphasise opportunities for companies to conduct s404 efficiently. Companies and
auditors are being urged to apply concepts of risk and judgement in deciding the
scope of s404 work to avoid unnecessary testing plans. Auditors are expected to
rely on management’s testing where appropriate and to place reliance on the
findings of controls work in the conduct of the financial statements audit.
In substance, there is relatively little that is new here – and many believe
that significant savings would have arisen through the natural process of
determining efficient methods to comply. However, these reminders will
undoubtedly help to reduce the cost of second-year compliance in the US.
For foreign private issuers (FPIs), implementation of s404 is to happen two
years after their US counterparts. Management teams at UK FPIs are looking to
their counterparts in the US for practical guidance on how to carry out s404 as
efficiently as possible.
What then of the benefits arising from s404? What is becoming clear is that
the US regulators are primarily driven by the perceived benefits to
shareholders, in terms of improved reliability of financial reporting. This was
well summed up at the SEC round table by Mark Anson, chief investment officer at
CalPERS (the California Public Employees’ Retirement System).
‘We’re willing to bear these costs, because if these costs can prevent one
more Enron or WorldCom… that is money well spent in our opinion. As an
investor, if I can’t trust the integrity of the financial statements, they’re
worthless to me.’
There can be no doubt that a rigorous approach to financial reporting is
vital to the integrity of the capital markets, but it seems optimistic to
believe that s404 will act as a panacea to prevent management override and
fraud. Ultimately we may never know the extent to which s404 certification
proves to be an effective deterrent.
For management, notions of benefit or value are not always easy to deal with.
Staff working on s404 projects need to be highly capable and will wish to be
appropriately incentivised. But normal measures of benefits, such as cost
savings or improved efficiencies, are very difficult to apply to the day-to-day
task of implementing s404. Without appropriate recognition for the key
individuals, the retention of people on this project will be a struggle for
What is not disputed is that, where financial controls are currently in poor
shape and the year-end financial statements process yields many problems for
companies and auditors to address, the disciplines required by s404 will be an
important factor in turning these situations around. This is to be welcomed.
There are some practical suggestions for foreign private issuers to ensure
that the beneficial effects of s404 are implemented in a cost-effective way.
Fast-tracking the documentation, assessment, testing and potential
strengthening of company level controls is a smart move. Company level controls
are the far-reaching controls that affect the way the organisation addresses the
preparation of financial information. The regulators have re-emphasised their
power and importance, particularly in the way that strong company-level controls
can minimise the need for further testing throughout the company.
The scope of the project may need to be revisited to ensure that the real
risks of material misstatement have been fully understood – and specifically
that lower-risk areas are not over-tested as a result of the application of
purely numerical parameters. It is also important to consider whether any risks
have been omitted from the scope.
Organisations should plan to test controls throughout the year. This should
lead to an efficient approach to testing and will allow the external auditors to
rely on management’s work to the maximum extent permitted.
The regulators have re-affirmed the importance of IT controls in underpinning
the preparation of financial statements in large groups. Put simply, many
accounting processes rely heavily on basic IT disciplines, which can sometimes
be overlooked. In the absence of evidence of strong IT controls, there can be a
tendency to revert to time-consuming manual controls as the basis of evidence
for s404 – so it’s best to plan to cover the IT controls early on.
There are ways to help keep costs down, but there should be little doubt that
in its current form s404 is going to remain a rigorous and costly process. In
the eyes of the regulators it would seem that the value articulated by major
shareholders is sufficient to warrant that cost.
Jon Rowden is a director at PwC who advises on the effect of the