SOX 404 Compliance
While completing its first SOX attestation, one of the world’s largest biopharmaceutical outsourcing organizations, with operations in 56 locations throughout 43 countries and approximately 6,200 employees, knew that building and maintaining a Sarbanes-Oxley compliance program presented challenges: unearthing and solving the issues that stood in the way of compliance, and managing the myriad spreadsheets and documents needed for the task.
In 2005, the Company completed its first year of SOX primarily by performing the tasks in shared services centers in the United States, the United Kingdom and Germany. The Company identified over 1,000 key business controls; remediated and re-tested several hundred key controls and implemented a document control process; tracked remediation; and then tested and re-tested its program.
About
Ever since its first year of required compliance in 2004, Sarbanes-Oxley, and Section 404 in particular, has been criticized for the excessive cost and disruption it created for companies. The public debate about whether it's been worth the effort has at times reached a fever pitch, as recently noted by the former Chairman of the SEC, Harvey Pitt[1], “As costs mounted, and auditors became defensive in their audits of internal control, a crescendo of criticism and despair arose, ultimately persuading the PCAOB and the SEC to revisit their prior guidance to make the beneficial purposes of the SOX 404 more obtainable, with lower costs and more focused efforts”. In this regard, certain statements from both the SEC and PCAOB December releases especially stand out[2]. At the same time, greater use of a risk-based approach seems to reflect a return to the original principles of SOX and certainly of the COSO Framework.
[1] Compliance Week, March 2007 issue
[2] SEC Release # 33-8762, 34-54976 (12/15/06) and PCAOB Release # 2006-007 (12/19/06)
About the Author
Christopher D. Coigne CPA, CIA, CFE is the Senior Manager of Client Services and Product Development for BI International. For the past 5 years Chris has worked extensively with organizations seeking compliance with Sarbanes-Oxley (SOX). He has performed materiality planning and risk assessments, led facilitated control discussions, participated in client SOX Project Management Organizations, and overseen global control testing. Other projects have included managing outsourced Internal Audit activities, performing forensic and fraud investigations to aid in management’s deterrence and detection of fraud, and working to develop a web-based SOX and Internal Audit tool.
A graduate of Rowan University, Christopher’s experience includes public accounting financial audits, controllership in the insurance industry, internal audit management at Philadelphia-based ARAMARK, and consulting work for a variety of global organizations including McDonald’s, Sony, ING and Waste Management.
When an organization identifies and tests a large number of Key Controls, it is usually the result of two mistakes:
1. Inclusion of operational controls as Key financial controls - i.e. the control cannot be mapped to an account/assertion intersection.
2. Over-reliance on detailed, transaction level process controls when Entity Level Controls, which occur less frequently and closer to the external financial reporting cycle, can often provide the required degree of precision for identifying material misstatements.