Under Control

Sustaining Compliance with Sarbanes-Oxley in Year Two and Beyond

As used in this document, the term "Deloitte" includes Deloitte & Touche LLP and Deloitte Consulting LLPAlthough this publication contains information on compliance with Sarbanes-Oxley, it is neither a comprehensive nor an exhaustive treatment of the topic. This publication contains general information onlyand should not be relied upon for accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services,nor should it be used as a basis for any decision or action that may affect you or your business. Before making any decision or taking any action that may affect you or your business, you should consult aqualified professional advisor. The information contained in this publication likely will change in material respects; we are under no obligation to update such information. Neither Deloitte & Touche LLP,Deloitte Touche Tohmatsu nor any of their affiliates or related entities shall have any liability to any person or entity who relies on this publication.

Table of ContentsSarbanes-Oxley, Act I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Sarbanes-Oxley, Act II . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Year One in Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Year Two in Preview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Sustained Compliance Solution Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

People . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

What will you do in Sarbanes-Oxley Year Two? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Under Control

1

SARBANES-OXLEY, ACT I

When Senator Paul Sarbanes and Representative MichaelOxley set out to “fix” corporate disclosure and financialreporting, they sought to quell a volatile situation: corporatescandals arising frequently; market confidence fallingrapidly; and an unnerved public clamoring for correctiveaction.

The lawmakers crafted the Sarbanes-Oxley Act of 20021,which pundits quickly hailed as a landmark remedy.Although prior legislation — most notably the FederalDeposit Insurance Corporation Improvement Act and U.S.Federal Sentencing Guidelines — had tackled formidablebusiness issues, Sarbanes-Oxley set precedent in the far-reaching obligations it placed on public companies. As aresult, no one — from business, government, media, oracademia — could be certain how the law would play outas it evolved from abstract legislation into real-worldapplication.

Among the requirements causing consternation in thebusiness community was section 404 — “ManagementAssessment of Internal Controls” — which called on publiccompanies to identify financial reporting risks, ascertainrelated controls, assess their effectiveness, fix any controldeficiencies, and then re-test and re-document anew. Forcompanies of all sizes, but especially those with complexorganizational structures and far-flung subsidiaries, the taskproved daunting. Indeed, so challenging was section 404implementation that the Securities and Exchange

Commission thrice delayed compliance deadlines, once in2003 and twice during 2004.

Today, the first conformance dates have come and gone formany companies. And with results tallied and lessonslearned, it appears that the initial trepidation was justified.Both empirical and anecdotal evidence show that despitethe substantial resources — in time, personnel, and dollars— companies expended on compliance, the section 404work was often difficult and sometimes chaotic. Manyexecutives, spent from the exertion, reached the sameconclusion: This kind of monumental effort simply can't besustained in perpetuity.

Fortunately, it doesn't have to be.

Under ControlSustaining Compliance with Sarbanes-Oxley in Year Two and Beyond

1 For purposes of this document, the terms “Sarbanes-Oxley” and “the Act” refer to the Sarbanes-Oxley Act of 2002 in its entirety, including all sections of the law enacted by Congress, all associated rulespromulgated by the Securities and Exchange Commission, and all related standards issued by the Public Company Accounting Oversight Board. The term “section 404” refers specifically to the“Management Assessment of Internal Controls” section of Sarbanes-Oxley and all the rules and standards that fall under that section.

Despite the substantial resources — in time, personnel,and dollars — companiesexpended on compliance, the section 404 work was often difficult and sometimes chaotic.

Under Control

2

SARBANES-OXLEY, ACT II

Not to say that companies can now relax; quite thecontrary. Compliance must be rigorously maintained fromnow into the foreseeable future. But moving forward, thestrenuous labor that led to the first-year finish line needn'tbe as frantic and all-consuming.

Indeed, a replay of the year one compliance fire drill is asuntenable as it is unwise: Few companies could againmarshal the resources or survive the disruption. But if yeartwo under Sarbanes-Oxley is to cause less pain and providemore gain, companies must plan, design, and implement anefficient and effective program for sustainable compliance.Anything less will likely result in unacceptably high costs,heightened risk, distraction from the corporate mission,and, ultimately, competitive disadvantage.

Sustainable compliance, on the other hand, may providelong-lasting benefits that transcend the original intent ofthe Act. A well-designed and intelligently implementedsustainable framework potentially can:

• help reduce the cost of compliance

• optimize controls and related processes

• integrate financial reporting and internal controlprocesses

• streamline management's quarterly and annualcertification of financial results and controls

• redirect compliance efforts away from risk aversion andtoward risk intelligence

• improve accountability throughout the organization

• enhance market competitiveness

Critical to the success of this conversion from short-termcompliance to long-term sustainability will be leveraging allthat has been learned. Every company that has met therequirements of section 404 has documented, evaluated,tested, and remediated controls and has gained a betterunderstanding of their operations in the process. Thesection 404 work has provided valuable knowledge andinsights about controls, processes, systems, andorganization, and has shed new light on challenges andopportunities for improvement. Thus, these companies arenow presented with an occasion to exploit this accumulated

knowledge and extract value from their substantialinvestment in compliance.

(Companies that came up short in their compliance efforts— either by failing to meet the reporting deadline or byuncovering material weaknesses — will obviously havedifferent issues to address.)

In other words, companies that successfully navigated thefirst year of Sarbanes-Oxley now have the rare opportunityto convert an expense — compliance — into an asset —sustainability.

YEAR ONE IN REVIEW

When astronauts return from space, they are immediatelywhisked to a debriefing session to capture valuableinformation while it is still fresh. A similar procedure shouldbe employed for Sarbanes-Oxley efforts.

Among the more notable outcomes of year one was theadmirable performance of public companies — as well assome private, nonprofit, and governmental organizations —which distinguished themselves through their commitmentand resolve. A large segment of the business communitymet the challenge of elevating the integrity and reliability offinancial reporting and restoring investor confidence. Thejob is by no means finished, but progress has beensubstantial.

And progress can be accelerated through a clear-eyedexamination of the last year. This includes reviewing andevaluating results of first-year assessment activities;identifying lessons learned and areas requiring improvement;obtaining feedback from the independent auditor andinternal audit; and identifying and considering otherbenefits that may be achieved beyond compliance.

Additional value can be gleaned through a scrutiny ofshortcomings. Compliance efforts may have been impededin the following areas:

1. Project Mindset: With deadlines looming, manycompanies understandably treated section 404 complianceas a discrete project with a clearly defined ending point.

3

Under Control

Employees were borrowed from various departments;internal audit's focus was redirected; consultants werehired; and other business initiatives were postponed whilethe effort was underway.

But this “project” mindset will prove a hindrance to long-term compliance efforts. There is, of course, no end date forsection 404 compliance, any more than there’s an end datefor 10-K filings. Whether companies are closing the bookson the numbers or closing the books on internal control,reporting requirements are rolling and continuous.

Business gurus often use metaphor to describe the properapproach: Good governance must be stitched into thefabric of the company. Strong internal control shouldbecome part of the corporate DNA.

However one wishes to describe it, the underlying messageremains the same: The tenets of good governance andinternal control must become integrated into the mission,culture, and daily activities of the company.

2. Overextension of Internal Audit: The internal auditfunction proved a lifesaver for many companies during yearone, providing key personnel for documenting, evaluating,testing, and remediating controls. But a couple of problemscan arise with continued reliance: One, the regular tasks ofinternal audit — operational, systems, and special projectaudit work — suffer when the function is redeployed. Ifmanagement continues to utilize internal audit for intensivesection 404 and 302 compliance-related work, then asignificant infusion of resources (i.e., budget andheadcount) to accommodate the additional workload willbe needed. And two, if internal audit is placed into theposition of concluding on the effectiveness of the controlson behalf of management, then the function may not beconsidered objective enough to be relied upon by theindependent auditors as they determine the extent oftesting necessary to support their internal control auditprocedures.

3. Poorly Defined Roles: Internal control-related roles andresponsibilities, often poorly defined and segregated fromthe day-to-day routine of employees during the first year,will require greater clarity and integration going forward.

Job descriptions throughout the organization will need revision to reflect new responsibilities. Controlresponsibilities must be thoroughly incorporated intobusiness routines, a process that may well have a more-pervasive impact on the company than any other changemandated by Sarbanes-Oxley (although that realization has not yet hit many companies).

Section 404 has dramatically increased the responsibilities of the average line manager who engages in activities thatfeed the financial reports. Just as supervisors may need tomanage budgets even though they are not necessarilyfinancial “types,” so too must many other employees nowaddress internal control as a core part of their jobs, eventhough they are not control specialists.

Employees must be held accountable for understanding andperforming their proper roles in the post-Sarbanes-Oxleyenvironment. Responsibilities should be explicitly defined,repeatedly communicated, seamlessly integrated, andclosely monitored.

Employee education also takes on new significance insustaining compliance, because allegiance to the creed ofinternal control and good governance does not magicallyappear — it must be cultivated. Employees will onlyembrace the philosophy if they receive proper guidance,

If management continues toutilize internal audit forintensive section 404 and 302compliance-related work, thena significant infusion ofresources (i.e., budget andheadcount) to accommodatethe additional workload will beneeded.

4

Under Control

instruction, and modeling. Thus, the slogan of “tone at thetop” comes into play. And continuing education onbusiness ethics, internal control, Sarbanes-Oxley, and relatedtopics becomes an ongoing need.

Finally, the first-year practice of redeploying staff to fillSarbanes-Oxley gaps will, in most cases, prove unworkableover time. Depending on company size, internal control-specific employees may need to be hired.

4. Improvisational Approach: Another symptom ofdeadline pressure showed up in the jerrybuilt practices thatcarried many companies through the first year. With fewopportunities for high-level planning and little time forweeding out duplication and stripping away inefficiency,makeshift methods were devised to document, evaluate,test, and remediate controls.

This improvisational approach yielded a predictableoutcome: internal control assessment processes both morerisky and less sustainable than might otherwise have beendeveloped.

Thus, savvy managers will make the time for planning andanalysis in year two, knowing that redundant processes,controls, and technologies add burdens and costs to thecompliance effort. The goal is straightforward: Companiesmust put into place carefully considered, well-designed,repeatable processes.

5. Underestimation of Technology Impacts andImplications: Before most section 404 projects got off theground, conventional wisdom held that compliance wouldhave little or no impact on information technology (IT).Today, that viewpoint has been discredited. In fact, IT isrecognized as critical for achieving the goals of the Act, andthe impact and implications of technology are widelyregarded as significant and pervasive.

In many year-one projects, organizations focused heavily onbusiness processes and did not consider the broader rolethat IT plays in managing financial information and enablingcontrols. Working under deadline pressure and without aprescribed roadmap, executives found it difficult to definethe scope of IT’s involvement and the assessment of therelated controls. As such, the effort involved wasunderestimated and attempts to address the technologyaspects were, in some cases, haphazard. Companies oftenfound the IT component of their overall compliance effortto be informal, inconsistent, and manually intensive.

First-year readiness efforts highlighted disconnects betweenthe IT and finance functions. Alignment between IT andbusiness needs is not a new challenge, but the controlsdocumentation and assessment activity shed new light onthe issues. It became clear that IT is critical to efficient andeffective controls, and to the production and maintenanceof high-quality financial information.

Compliance with section 404 also created the need fortechnology solutions to support management of the newlyrequired documentation, evaluation, testing, monitoring,and reporting activities. Although software vendors workeddiligently to address the issues (and the opportunities)presented by Sarbanes-Oxley section 404, inevitably, a lagdeveloped between customer requirements and productdelivery. But technology is catching up to the market needs,and IT will make a huge impact on compliance goingforward.

At a minimum, technology investments will be necessary tosupport sustainable compliance in several areas, includingrepository, work flow, and audit trail functionality.Technology will also be used to enable the integration offinancial and internal control monitoring and reporting — acritical requirement at most large and complex enterprises.

Savvy managers will makethe time for planning andanalysis in year two, knowingthat redundant processes,controls, and technologies add burdens and costs to thecompliance effort.

Especially important will be systems that provide executiveswith a “dashboard” or “portal” view of the status andperformance of controls, linked to financial information.This integrated approach will allow users to drill down fromfinancial results to the underlying controls, andautomatically flag exceptions, unauthorized entries, andother anomalies. Such solutions exist today in rudimentaryforms; however, development will likely proceed at a rapidpace and more sophisticated products will becomeavailable. As the focus on technology increases, the benefitsto companies will be substantial, including more timely andaccurate information regarding controls performance;corroborated data regarding financial reporting and theunderlying controls, and overall improved oversight formanagement and the board.

In most cases, the efficiencies gained by leveraging suchtechnology will rapidly offset the implementation costs.Conversely, the costs and risks of not automating to thefullest extent possible could be significant.

6. Ignored Risks: Effective internal control ispredicated on risk. Indeed, what many consider to bethe heart of a section 404 compliance effort — thecontrols themselves — exist expressly for the purpose ofminimizing the risk of financial reporting errors.

Yet paradoxically, for some companies in year one, riskassessment was treated as an afterthought — if addressedat all. Companies often failed to develop and deploy acomprehensive risk assessment process as part of theircompliance projects, an outcome both surprising —because risk assessment is an inseparable component of theCOSO internal control framework — and unfortunate —because without proper risk assessment, much of the timeand dollars spent documenting and testing controls mayhave been squandered.

In the absence of a risk-based approach, companies had noway to prioritize their activities. Some focused on the wrongareas, which resulted in a disproportionate amount of timespent documenting and testing controls that didn’t mitigatetrue risk, i.e., controls that, if they failed, couldn'tcontribute to a material misstatement.

Which begs the question: If companies haven’t undertakena comprehensive risk assessment process, then how canthey design effective procedures to address those risks?

The answer, of course, is they can’t!

The solution is to get the cart back behind the horse:Establish a company-wide risk management program — aformal, regular process designed to identify key financialreporting risks, assess their potential impact, and link thoserisks to specific areas and activities within the organization.

YEAR TWO IN PREVIEW

Most companies that complied with the first-yearrequirements of section 404 of Sarbanes-Oxley did so atconsiderable expense and significant effort. To ensure thatall the work wasn’t for naught, a key objective in year twowill be to derive value from that undertaking.

Much of the year-one compliance work — from the controlsdocumentation to the test plans, from risk assessment tocommunication strategies — can and should be leveragedfor the future. Sustainability is a cumulative andevolutionary process; companies should endeavor to buildupon their initial gains by developing a holistic internalcontrol plan for the coming year.

The first-year experience also emphasized the point that it ishard to play catch-up. A better tactic is to be proactive:Companies should think about internal control in advanceof organizational initiatives, projects, and potentialacquisitions.

For example, due diligence conducted before a merger oracquisition should take into consideration the system of

5

Under Control

Sustainability is a cumulativeand evolutionary process.

6

Under Control

internal control that will be inherited and integrated uponconsummation of the deal. Similarly, any informationtechnology upgrade or implementation project should have astrong focus on the internal control aspects from inception.

The objective is clear: Year two efforts should focus onsustainability and forward thinking. The risk is real: Withoutsustainability, backsliding may be inevitable, and companiesmay soon fall out of compliance. And thus the question isparamount: How can companies develop a rational,methodical, efficient, and economical approach to theproblem of sustainability?

SUSTAINED COMPLIANCE SOLUTION FRAMEWORK

Judging from the frenetic activities of the last year, onemight reasonably conclude that Sarbanes-Oxley complianceis the number one goal of public companies. Such a notionis, of course, folly. Compliance, while important, shouldnever be mistaken for the corporate raison d’être. Rather, itis a means to an end, a necessary element in the quest forbusiness success.

Year two represents an opportunity to put Sarbanes-Oxleycompliance back in its proper place, alongside otherlegislation, rules, regulations, and standards that businessestypically face. One way to accomplish this, paradoxically, isto so fully integrate compliance activities that they becomean indistinguishable part of the ongoing business, utilizing aframework that simultaneously reduces cost, complexities,and risk.

To help companies move from a project to a program,Deloitte developed the Sustained Compliance SolutionFramework. Among its most notable characteristics, theframework provides for:

• effective and efficient processes for evaluating, testing,remediating, monitoring, and reporting on controls

• integrated financial and internal control processes

• technology to enable compliance

• clearly articulated roles and responsibilities and assignedaccountability

• education and training to reinforce the “controlenvironment”

• adaptability and flexibility to respond to organizationaland regulatory change

Three interlocking components drive the SustainedCompliance Solution Framework: people, process, andtechnology.

PEOPLE

The “people” component of the Sustained ComplianceSolution Framework refers, as one might expect, to thehuman resources and organizational elements necessary tosustain compliance. Tasks required to get people in lineinclude the following:

Formalize the compliance and governance structureMost companies have already drawn up a working blueprintfor this, and may only need to make some minorcorrections. Activities include forming committees (steering,disclosure), teams (internal control), offices (programmanagement), and other organizational structures.

Define roles and responsibilitiesThe more deeply the philosophy of strong internal control isimbedded in the corporate culture, the more sustainablecompliance becomes. Thus, every job function that has anyimpact on or relation to financial reporting (and there aremany more than one might initially expect) may need tohave its job description updated to include internal controlresponsibilities.

Compliance, while important,should never be mistaken for the corporate raison d'être.Rather, it is a means to an end.

7

Under Control

Companies may also have to consider creating new jobs,such as internal control specialists, and even establishingentirely new groups or divisions to assume responsibility forinternal control.

When defining appropriate roles related to section 302 and404 compliance, it’s important to keep this fact top ofmind: Management is explicitly and solely responsible forinternal control. No other party can fill this role.

However, that shouldn’t lead one to conclude that topexecutives need to do all the work themselves. In fact,they can and should leverage all the resources within andoutside the organization necessary to get the job done.

Define the role of internal auditNotable among the resources cited above is internal audit,which should play a significant role in any complianceprogram. As cited previously, internal audit provedindispensable in the first-year compliance efforts at manycompanies. In a survey of Deloitte clients, internal audit ledthe Sarbanes-Oxley section 404 project outright at morethan half the companies. In more than 80 percent of thecases, internal audit was providing all or some of theresources. And rightfully so. After all, who else in thecompany is more knowledgeable about internal control and better versed in developing a testing methodology?

The skills and resources that internal audit brought to thetable in year one can be drawn upon again going forward,with the one caveat described previously: If internal audit isgoing to be called upon to provide its resources, then thefunction’s budget should be revised upwardly to reflectthese new responsibilities. Unlike year one, where internalaudit was often redeployed at the expense of other duties,going forward the function should grow to encompass bothits traditional and new roles.

What, precisely, should this new role be? Recent guidancefrom the Institute of Internal Auditors suggests thatappropriate roles for internal audit include the following2:

• support management and process owner training onproject and risk and control awareness

• perform quality assurance review of processdocumentation and key controls before hand off to the independent auditor

• advise management regarding the design, scope, andfrequency of tests to be performed

• be an independent assessor of management testing and assessment processes

• perform effectiveness testing to support management’sassertions

• aid in identifying control deficiencies and reviewmanagement plans for correcting the same

• perform follow-up reviews to ascertain whether controldeficiencies have been adequately addressed

Certain tasks, however, should remain under the purview of management. The IIA contends that management shouldassume direct responsibility for:

• setting the risk appetite

• creating risk management processes

• performing risk assurance

• making risk response decisions and taking action on them

Attaining the proper balance of responsibilities is critical. If asingle team — be it internal audit or management —performs all of the tasks required to assert to the effectivenessof internal control, then the independent auditors wouldrightfully conclude that the testing process lacks sufficientobjectivity, because those who were responsible for thecontrols would also be testing the controls. This situationwould result in the independent auditor having to perform alleffectiveness testing for purposes of supporting their auditprocedures. But dividing responsibilities as outlined above willallow the independent auditors to rely on the testing work tothe fullest extent possible, thus improving the efficiency andtimeliness of their work.

Management is explicitly andsolely responsible for internalcontrol. No other party canfill this role.

2 Institute of Internal Auditors, "Internal Auditing's Role in Sections 302 and 404 of the Sarbanes-Oxley Act," 2004. Download available at http://www.theiia.org/iia/download.cfm?file=1655

8

Under Control

Identify needed skills and competenciesAs most companies learned over the past year, internalcontrol is a highly specialized subject requiring detailedknowledge, sophisticated judgment, and a multitude ofskills (e.g., people skills and technical skills). Those staff thatare dedicated full-time to internal control should beproperly trained in the required skill-sets. Companies shouldconsider incorporating employees into a careerdevelopment model similar to those of other finance andinternal audit jobs.

Create a staff development strategy and supportingplansIf recruiting difficulties, corporate philosophy, budgetconstraints, or other factors lead a company to keep itstalent search in-house, a strategy must be developed toensure staff competency. Budget allocations, personneldeployment, education and training, and otherconsiderations will require attention.

Keep employee training programs robust and up-to-dateUnder a strong system of internal control, employees arearmed with all the tools and information they need torespond to change.

No system of internal control, however well planned, will be failsafe from the outset. And no person or team willperform error-free, especially in the early years ofcompliance. The key is not so much preventing errors as it isrecognizing and responding to them. A watchful eye shouldbe maintained for patterns of control deficiencies, whichmay indicate an area for additional training.

External factors can also impact compliance. Any piece oflegislation as complex as the Sarbanes-Oxley Act will besubject to frequent change, not necessarily to the Act itself,but rather to the rules and standards that evolve from thelaw. Thus, it is critical to monitor the guidance that isperiodically issued by the Securities and ExchangeCommission and the Public Company Accounting OversightBoard, and augment employee education programs asrequired.

Training that is responsive to changing conditions — bothinternal and external — can take many forms. For example,individuals who are responsible for internal control testingmay need training on methodology, sample sizes, andcontrol deficiency evaluation. Board and audit committeemembers could require guidance on the nuances of internalcontrol, financial analysis, oversight responsibilities, andexpectations and limitations. Senior management maybenefit from instruction on evaluating, classifying, andresponding to control deficiencies. Internal audit mightrequire education on its new role in the sustained complianceinfrastructure. Information technology personnel may needtutoring on the relationship between IT and financialreporting.

Enhance communicationsFrequent and open communication is critical to any systemof internal control. Communication, both vertically (fromboardroom to mailroom) and horizontally (to allgeographical locations), is key to setting the ethical tone ofthe organization and maintaining a strong controlenvironment.

As companies pursue sustained compliance, formal andinformal communication channels will help create anenvironment where business objectives, codes of conduct,and related information can be conveyed consistentlythroughout the company. Using both broad and targetedmessages promotes commonality in expectations,knowledge, and practice. The result is an employeepopulation with a strong understanding of theorganization’s goals and standards, which will enable them to guide their own activities and behaviors.

Ensure knowledge management and capability transferInstitutional knowledge that resides only in an employee’shead is knowledge at risk. Every facet of internal controlshould be thoroughly documented and accessible toqualified employees. Especially important are employeeoperational manuals, which can guide new or temporarypersonnel who are assuming or filling in roles.

9

Under Control

PROCESS

Routine is often a precursor to reliability and sustainability.To create a strong and sustainable system of internalcontrol, reliable and methodical processes are key. Thebenefits of routine can be many; while the drawbacks ofdisorder can be substantial. Here are some importantelements of success:

Engineer processesDuring year one compliance work, some companiesdeveloped ad hoc processes; others had no processeswhatsoever. Year two is the time to put formal structures in place. Companies should develop and document theparticulars around risk assessment, testing, remediation,concluding, and reporting. Certain questions requireattention: Who will conduct the work? Under whosesupervision? During what timeframe? How does this workflow through to support quarterly and annual reportingrequirements?

In designing a sustainable compliance program, it isimportant to remember that management is responsible for maintaining an effective internal control program 365days a year. As such, the process engineering should lookbeyond the quarterly and annual milestones, which, whileimportant, represent only part of the effort. What activitiesand processes must be accomplished routinely to ensure theeffectiveness of the internal control program? What are theday-to-day work elements that make up the program? Howshould existing processes be revised to support sustainablecompliance?

Integrate internal control and financial reportingPre-Sarbanes-Oxley, many executives did not take intoaccount the full life-cycle of financial reporting. Instead,they concerned themselves with the numbers found at thefinal stage of the process — those contained in the financialstatements.

With the passage of the law, however, company leadersmust now personally certify to the accuracy of thefinancials, as well as to the related controls, each quarter.

This requirement gives them a strong incentive to familiarizethemselves not just with the final numbers, but also withthe origin and evolution of those figures. As a result,executives are rediscovering that, like the proverbial iceberg,a company’s financial reports represent just a small part ofthe overall picture. What lurks below the waterline — i.e.,the processes and controls underlying the numbers —demands careful attention.

Or, to put it another way, many executives are learning (orre-learning) that internal control and financial reporting areinextricably linked. They are also realizing: the stronger thelink, the more reliable the financials.

Strengthening this link should become an importantobjective in year two. During the first year of the Sarbanes-Oxley era, many companies focused on documenting,evaluating, and testing controls, but often didn’t have theluxury of time to address the underlying financial reportingprocesses. Today, as companies seek to enhance theircontrols during the move from compliance to sustainability,they should simultaneously work to enhance the underlyingfinancial reporting processes as well — to strengthen the link.This can be accomplished in a number of different internalcontrol areas, including monitoring, reporting, andgovernance.

From a monitoring perspective, companies should combinethe monitoring of financial information and the relatedcontrols, in order to provide management with theintelligence it needs to conduct their certifications. To do

Executives are rediscoveringthat, like the proverbial iceberg,a company's financial reportsrepresent just a small part of theoverall picture.

10

Under Control

so, management should define the information it needs,specify when it is needed, and develop processes that allowmanagement to review control performance concurrentlywith the review of financial results.

From a reporting perspective, in the first-year frenzy, manycompanies developed internal control reporting processesthat were not integrated with their existing financialreporting processes. As companies seek to develop asustainable model, the reporting of internal control shouldbe integrated with financial reporting. The processes thatfeed 10-Q and 10-K filings should be closely linked to thosethat supply the information for section 302 and section404 filings.

From a governance perspective, the audit committee isresponsible for the oversight of financial reporting andinternal control. Therefore, going forward, the auditcommittee should focus, in addition to financial reports, oninternal control and risk management.

Manage internal and external change If a company isn’t changing, it probably isn’t thriving. Newproducts, expanded markets, shifting priorities, growingrevenues, all of these and more are indicators of a dynamicorganization. But while change is often a barometer ofsuccess, it can also be a harbinger of internal controlheadaches.

In this new era, virtually every change that a companyundergoes will have an impact on internal control.Obviously, major events like a merger or acquisition or anew IT implementation will present significant complianceimplications. But smaller, everyday occurrences — personnelmoves, department restructurings, market shifts, IT system

changes, process changes — will also have a ripple effect.Other external factors — such as new accounting andreporting standards — and internal situations — such asrisk of fraud — can have significant implications foreffective internal control.

Change happens. And as a result of this natural andcontinuous evolution, many of the processes andprocedures that were so painstakingly documented over thelast year will be revised, redundant, or retired over time asthe company advances and grows. Additionally, many ofthe conditions and circumstances that existed initially willhave altered. Will this cycle of change repeatedly throwcompanies back to square one in terms of Sarbanes-Oxleycompliance? Or will they have the adaptability and flexibilityto respond to organizational, regulatory, and marketchanges as they occur?

Astute executives will strive for the latter, becausemanaging change is not just a good idea — it’s a legalrequirement. Under section 302 of the Act, companies mustidentify and evaluate any material changes to internalcontrol over financial reporting every quarter.

Address risk So how do managers get their arms around change? Thebest way to identify and address change is through acomprehensive risk assessment process. Companies shouldassess risk at least quarterly to meet the requirements ofsection 302, as well as to keep the organization’s financialreporting risk profile in line with the evolution of thebusiness. This assessment should be especially aggressiveand thorough during the early quarters of the year, whichwill allow the company sufficient time to make appropriatechanges before year-end.

In addition, companies should re-evaluate their financialreporting risk profile every time they undergo a significantbusiness event. This helps management guard againstunpleasant surprises at year-end, when overlooked risks canloom large in an independent auditor’s section 404 internalcontrol audit.

Of course, it’s a risky world out there, and one might easilyget bogged down in the magnitude of the task. But thegoal is not to produce a laundry list of all conceivable risks,

While change is often abarometer of success, it can alsobe a harbinger of internalcontrol headaches.

11

Under Control

but to identify and prioritize risks in the context of thecompany’s unique characteristics and operatingenvironment.

Develop efficient and reliable testing Applying the most appropriate tests to internal control canbe vexing. Self-assessment may be more appropriate forone situation; a dedicated control group for another.Making the proper choices requires knowledge andguidance.

Another variable concerns the use of manual controls vs.automated controls. The latter may be less prone to error ormanipulation, as well as impervious to fatigue, distraction,absenteeism, and associated problems.

Further complicating the situation is the issue of testingfrequency. Unfortunately, few hard-and-fast rules exist.There are no specific standards for the number of selectionsnor the types of tests to be conducted. Factors such as therole of the tester, the nature of the control, and thefrequency of the control’s use will all come into play.Controls that are executed infrequently (annually orquarterly) may require a limited number of transactions totest. Controls in frequent use may require dozens ofselections to verify their effectiveness.

Making these determinations is not a simple matter;expertise is required to ensure that the proper tests aredeployed and utilized at the appropriate intervals. Internalaudit, independent auditors, consultants, and other partiesmay help in this determination.

Of course, all these issues were dealt with to some degreein year one. Going forward, companies should work forrefinement in this area. Equally important, efforts should bemade to evenly spread testing activities throughout the yearto normalize the workload. Actually, a slight imbalance,with the testing schedule skewed toward the first half ofthe year, can yield two important benefits: one, earlytesting can help avoid a year-end crunch; and two, it canprovide enough time for control remediation andretesting should any control deficiencies be uncovered.

Take action based on test resultsTesting is, of course, important. But its value is diminishedunless processes are in place to act upon the test results.

Some testing will yield positive outcomes, which should beduly noted and filed. More important, perhaps, are theprocedures for prioritizing and reporting controldeficiencies. For this, companies need both a controldeficiency governance process and a corporate-levelfunction responsible for gathering, evaluating, andconcluding on control deficiencies.

It should be noted that testing activities may not be the onlymeans of identifying control deficiencies. Other avenuesmay include findings by internal audit, the independentauditor’s management letter comments, anonymousreporting through a whistleblower hotline, and othersources.

There are many benefits associated with a control deficiencygovernance process, and an equal or greater number ofrisks associated with not creating one. On the plus side ofthe ledger:

• Companies are able to maintain consistency in theevaluation and resolution of control deficienciesbecause a central group — with clearly defined rolesand responsibilities — assumes responsibility for theprocess.

• A well-defined process helps demonstrate toindependent auditors that the company has an effectiveinternal control assessment process.

• Since the group responsible for evaluating controldeficiencies will report directly to management and theaudit committee, the magnitude and number of controldeficiencies should be transparent to seniormanagement.

• A good control deficiency governance processdemonstrates a strong tone at the top, which is a coreelement of an effective control environment.

• With a clear process and articulated roles andresponsibilities, the control deficiency governanceprocess will be an integral component of the company’sinfrastructure for sustained compliance.

12

Under Control

Develop a remediation action plan The negative ramifications of a control deficiency that isallowed to fester could be considerable, from a market,regulatory, and public relations standpoint. Furthermore, a significant deficiency that is not corrected may beconstituted in future audits as a material weakness, sincethe failure to correct demonstrates a weak controlenvironment.

To avoid such outcomes, a well-defined process should beestablished for addressing and disclosing internal controlissues. This process should specify the critical elements (i.e., the who, what, where, when, and why) of the issue and must be rigorous in its execution, monitoring, andenforcement. As part of this process, companies shouldmake sure they have a procedure for communicatingfindings to the audit committee.

Design a documentation programWhen it comes to documentation, corners cannot be cut.Independent auditors will examine the recordkeeping;internal personnel will draw upon it; in extreme cases,regulators may wish to inspect it. From scoping andplanning to execution and implementation — all this andmore must be committed to record.

But keeping detailed records is only the start. Attaining theproper level of documentation and maintaining it as acommon standard throughout the organization mayprove a greater challenge.

Like many other aspects of section 404 compliance,documentation cannot be done and forgotten. Virtuallyevery piece of documentation will have a shelf-life and must be refreshed over time.

Enhance qualityCompanies should apply quality improvement processes andapproaches to their internal control program with a goaltoward constant refinement and ongoing improvements.Best practices should be shared within and outside theorganization. The message of quality should be constantlyreinforced.

TECHNOLOGY

Knowledgably deployed and utilized, technology canprovide the margin of difference between compliancesuccess and failure, especially in large and complexenterprises. In most cases, the efficiencies gained byleveraging technology will rapidly offset the implementationcosts. Conversely, the costs and risks of not automating to the fullest extent possible could be significant.

Here are a few steps to make the most out of technology:

Review IT strategy and architectureAs noted above, the rush to finish first-year readiness andtesting left little time to step back and fully assess thepotential impact and implications of informationtechnology. For year two and beyond, developing acomprehensive assessment of what sustainable compliancemeans to the IT function, IT business processes and, ofcourse, the IT architecture will be a critical step. A piecemealapproach risks missing important elements.

As the process elements of the sustainable program areengineered, determine the expectations for technologyenablement. It is almost certain that new requirements willbe defined. Technology vendors have created a wealth ofproducts that can become part of the solution to thevarious needs in managing the internal control program andfinancial reporting processes. A thorough investigation oftechnology options can help extract the most value out ofIT. Starting with a big-picture approach can help frame theoptimal role of information technology in a system ofinternal control.

However one approaches the IT elements of sustainablecompliance, three fundamental areas must be addressed:

1. technology for managing internal controldocumentation, evaluation, testing, monitoring, andreporting

2. technology for integrating the monitoring andreporting of financial information and internal controls

13

Under Control

3. processes to operate and manage the IT environmentin a manner that sustains the effectiveness (and theevidence of effectiveness) on an ongoing basis

Implement technologies for internal controlmanagementThe ongoing management of an effective internal controlprogram will require the use of technology for mostcompanies. Although makeshift methods and interim toolscharacterized many first-year projects, sustainablecompliance will require more than “project tools.” Today, a number of software products are available to enablemanagement of the internal control program. The corefunctionality provide the controls repository, work flow, andaudit trail. But this is only the beginning. Sustainablecompliance must consider ongoing management needs,such as monitoring needs, the ability to drill down fromfinancial results to the underlying controls information, andother requirements such automatically flagging exceptions,unauthorized entries, and other anomalies.

Implement an internal control management “portal”Sustaining compliance through the management of internalcontrol and financial reporting requires ongoing monitoring.The integration of financial information and internal controlis key to monitoring the effectiveness of the program.Enabling “appropriate-time” monitoring, reporting andanalysis capabilities will give management the tools it needsto be confident that the “tone at the top” is truly beingexecuted throughout the organization.

Technology-based solutions, currently in development, willallow for continuous monitoring — often through a Web-based platform — of critical controls and their impact onfinancial information. Using this technology, executivesreceive internal control information alongside financialdata in a coherent and single view. This approach canenhance communication timeliness and efficiency;provide an early-warning system for executives to respondrapidly to internal control issues; and deliver the reliability,economy, and efficiency that are the hallmarks oftechnology-based tools.

Establish sustainable controls in IT business processesIT business processes will be an important area of focus indesigning and building a sustainable compliance program.Management of the IT environment must consider the newrealities of sustainable compliance. The processes,procedures, and enabling technology for managingapplications and the infrastructure must be enhanced tomanage the internal control program on an ongoing basis.The integrity of the financial systems must be assured anddemonstrable, requiring new considerations in changemanagement and system monitoring. This has significantimplications for change management and forimplementation of new systems.

Automate controlsThere will be significant opportunities to leverage technologyto automate controls and achieve improvements in controleffectiveness. The automated control capabilities withinexisting applications are generally not fully utilized. In addition, there are important new areas where technologycan enable controls. Segregation of duties and systemsecurity are two examples of near-term opportunities. While this may be considered to be in the category of“improvement,” it is important to include the assessment of such opportunities in planning the technologyinvestments and projects in year two and beyond.

Although makeshift methodsand interim tools characterizedmany first-year projects,sustainable compliance willrequire more than “projecttools.”

14

Under Control

Anticipate technology needs and issuesCertain events and activities can have a profound impact oninternal control technology. Mergers and acquisitions, forexample, will require integration of the two entities’ ITsystems — a daunting task even before one considers theinternal control aspects. Fortunately, the SEC hasacknowledged that it may be difficult to conduct anassessment of an acquired company’s internal control overfinancial reporting in the period between the acquisitiondate and the date of management’s assessment. In suchcases, the acquired company may be excluded frommanagement’s report on internal control over financialreporting. However, this exclusion must be noted in thereport as well as disclosed on Form 10-K or 10-KSB.Furthermore, companies may only omit an assessment of anacquired company’s internal control over financial reportingfor a period of no more than one year from the date ofacquisition, and from no more than one annualmanagement report on internal control over financialreporting.

No such grace period is granted when new technology isput into place, such as a large-scale enterprise resourceplanning (ERP) system. In fact, controls are going to need tobe in place and functioning on day one. As such, the timingof technology rollouts will have to be carefully considered. Ifthe system goes live during the fourth quarter, for example,management may be hard-pressed to assess and report oncontrols, and any control remediation and retesting will bevirtually impossible.

As companies build their sustainable programs, continuousimprovement will become more important. Improvingfinancial monitoring and reporting will require technologyenhancements, both to speed the process and improvequality. Since data is not knowledge, there will likely be anincreased emphasis on analytics. Longer term, companieswill likely be faced with challenges concerning standardizingand rationalizing their systems.

WHAT WILL YOU DO IN SARBANES-OXLEY YEAR TWO?

Among the positive outcomes of the first year of theSarbanes-Oxley era — and there were many — is thevaluable lessons learned by all those involved in the effort.The struggle to attain compliance helped create nearunanimity among business executives that they don’t wantto — and can’t afford to — endure this process again. So motivated, they will be inspired to fully integrate theprinciples of good governance and internal control into every corner of their organizations.

Year two provides a unique opportunity to leverage all that has been learned. As organizations move beyondcompliance and toward sustainability, they will work toreduce unnecessary complexity and will strive to strengthenthe link between internal control and financial reporting.These activities can potentially provide the multiple benefitsof improved financial reporting, reduced risk, anddecreased cost.

And while the concept of sustainability described in thispaper refers only to long-term compliance with Sarbanes-Oxley sections 302 and 404, executives who act upon the guidance contained herein will also be laying thefoundation for improvements in all areas of their business.Doing so, they will have taken what could have been aregulatory burden and turned it into a competitiveadvantage.

Mergers and acquisitions willrequire integration of the twoentities’ IT systems — adaunting task even before oneconsiders the internal controlaspects.

15

Under Control

Mergers and acquisitions willrequire integration of the twoentities’ IT systems — adaunting task even before oneconsiders the internal controlaspects.

Member of Deloitte Touche TohmatsuCopyright © 2005 Deloitte Development LLC. All rights reserved.

About DeloitteDeloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its memberfirms, and their respective subsidiaries and affiliates. Deloitte Touche Tohmatsu is anorganization of member firms around the world devoted to excellence in providingprofessional services and advice, focused on client service through a global strategyexecuted locally in nearly 150 countries. With access to the deep intellectual capital of120,000 people worldwide, Deloitte delivers services in four professional areas – audit, tax,consulting, and financial advisory services – and serves more than one-half of the world'slargest companies, as well as large national enterprises, public institutions, locallyimportant clients, and successful, fast-growing global growth companies. Services are notprovided by the Deloitte Touche Tohmatsu Verein, and, for regulatory and other reasons,certain member firms do not provide services in all four professional areas.

As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its memberfirms has any liability for each other's acts or omissions. Each of the member firms is aseparate and independent legal entity operating under the names "Deloitte," "Deloitte &Touche," "Deloitte Touche Tohmatsu," or other related names.

In the U.S., Deloitte & Touche USA LLP is the member firm of Deloitte Touche Tohmatsu,and services are provided by the subsidiaries of Deloitte & Touche USA LLP (Deloitte &Touche LLP, Deloitte Consulting LLP, Deloitte Tax LLP, and their subsidiaries) and not byDeloitte & Touche USA LLP. The subsidiaries of the U.S. member firm are among thenation's leading professional services firms, providing audit, tax, consulting, and financialadvisory services through nearly 30,000 people in more than 80 cities. Known as employersof choice for innovative human resources programs, they are dedicated to helping theirclients and their people excel. For more information, please visit the U.S. member firm'swebsite at www.deloitte.com/us.

#4299