As 2003′s halfway point approaches, finance departments are beginning to tackle the next big hurdle in the Sarbanes-Oxley obstacle course: the infamous Section 404, which requires managements to document annually the adequacy of their companies’ internal controls and then have auditors attest to their reports. To a large extent, companies are flying blind because neither the Securities and Exchange Commission nor the Public Company Accounting Oversight Board has issued final regulations for the section. But executives can’t afford to wait either, since 404 compels companies with fiscal years ending after Sept. 15, 2003 to be in compliance by the time they file their 2003 annual reports next year. “If there are companies out there who have decided they are going to wait for final rules before they start to understand the specific controls they rely on for their financial reporting and to document them, they are potentially putting themselves in a very difficult position,” says Miles Everson, a New York-based partner at PricewaterhouseCoopers who works on operational and enterprise risk.
Consultants say documentation is the biggest challenge for companies. Even those with sophisticated controls have paid little attention in the past to how they might actually prove that their controls are thorough and effective. But without hard evidence, it will be almost impossible for an auditor to feel confident enough to sign off on them. “The auditor attestation brings a whole different level of rigor to the process,” says Nicholas Grabar, a partner at Cleary Gottlieb Steen & Hamilton in New York. Auditors will need “documentation of controls and documentation of the testing of controls–that’s stuff that companies hitherto have not had to have,” he says.