Headwaters Inc., like most public companies, had slogged through the disagreeable task of testing all its internal controls to comply with the tenets of Section 404 of the Sarbanes-Oxley Act (SOX). In the first two years, compliance boiled down to lots of segregation of duty documentation and lots of spreadsheet analysis, but not a lot of monitoring that really seemed to connect with either performance or better risk management.

But the $1.12 billion energy products and construction materials company wanted to do it differently. So before it began work on the company's FY2006 SOX drill, Headwaters internal audit staff went to its external audit team with an idea–making Headwaters' 404 audit top-down and principles-based and not a documentation free-for-all. "At Headwaters, we wanted to make SOX compliance part of our normal flow of business," recalls Niel Nickolaisen, Headwaters' director of internal audit. "Our goal was to be fully compliant in as simple a way as possible."

The outside auditors essentially refused, despite the fact that the Public Company Accounting Oversight Board (PCAOB) was already beginning to chastise audit firms for bullying companies into too much testing and too much documentation. Finally, with the help of Headwaters' audit committee, Nickolaisen and Tim Davis, the internal audit manager, won out–unfortunately, not in time to do much with the '06 audit. Even so, the simplification they did push through for that audit and the work they have been able to accomplish in the current year already has allowed the company to slice 25% off the audit time and slash the number of controls tested by a stunning 70%. "We have streamlined the process considerably and cut costs along the way," says Davis.