SOX 404 compliance: Efficiency is key

Gain a better understanding of SOX Section 404 and learn how to improve your compliance efficiency.

What you will learn from this tip: How to better understand SOX Section 404 and improve compliance efficiency.

The intent of Sarbanes-Oxley (SOX) Section 404 is to improve internal control over financial reporting. The number and scale of accounting scandals in the wake of the 1990s stock market bubble forced a change from informal to formal control mechanisms. SOX was enacted so investors in public companies could have reasonable confidence that financial reports are prepared according to generally accepted accounting principles (GAAP) and therefore fairly represent the results and condition of the company.

Although the word "control" stresses fraud prevention, it also carries a broader context of safeguarding assets (i.e., preventing undue risk), managing spending and maintaining a sound accounting environment. To address the shenanigans instigated by senior executives, the law made them responsible for having adequate controls over financial reporting, periodically attesting to the effectiveness of their internal controls and reporting any issues with the control systems and methods used to assess their effectiveness.

The vagueness of the law's language, the lack of enforcement history and the potential severity of failing to "pass" have created a great deal of anxiety among senior executives of public companies. Since SOX is here to stay, companies should focus on improving compliance efficiency. One important way to improve compliance efficiency is to reduce the number of points of control. There are at least two ways to do this.

  1. Automate (or otherwise eliminate) manual steps in a financial process.
    Companies were required to document their financial processes in detail in the first stage of the compliance process. They should go through these process maps and look for manual steps that can be automated by passing information from one system to another (rather than manually re-keying it), using statutory consolidation software to perform certain calculations they may be doing on spreadsheets, and so on. Manual steps should be avoided whenever possible because they pose a control risk (for fraud or error) and therefore require auditors to sample or inspect transactions. Moreover, since manual steps create errors, they also drive up the cost of detecting and correcting those mistakes, a cost senior executives underestimate.

    Spreadsheets should be avoided as much as possible, but especially in processes where errors or misstatements will affect external financial reports. By themselves, electronic spreadsheets are inherently unauditable and research shows it is surprisingly easy for them to contain errors regardless of the number of times they are checked. A company that calculates allocations in a spreadsheet and then creates journal entries manually should look for ways to automate this part of the process within its accounting or consolidation software.

  2. Reduce the number of controls the company needs to monitor and test.
    In the wake of their initial compliance effort, many companies have realized they can simplify their control environment and still maintain effective control. Often, they can achieve simplification by relying on higher-level controls.

    Many companies will find they can reduce the complexity of their operations by applying process commonality to financial systems wherever possible. It is not uncommon for companies to find they had more than a dozen ways of handling a payables process or billing exception. While some variation is inevitable, simplification is usually practical and pays off in a more common set of controls and systems for monitoring and testing.

How well SOX addresses the original impetus of preventing large-scale, high-level financial fraud remains to be seen. Since public companies are required to comply with the law, many of the actions they take to improve their compliance efficiency will have the added benefit of making their finance operations more efficient.


Robert D. Kugel is CFA, VP and Research Director at Ventana Research. He heads up the Financial Performance Management (FPM) practice, focusing on the intersection of information technology and the finance organization. The FPM research agenda includes the application of IT to financial process optimization and collaborative systems, control systems and analytics, profitability management and advanced budgeting and planning. Rob has been a technology analyst for over 20 years.
This was last published in June 2005
