February 23, 2005
We are a large Fortune 500 company and recently completed the 2004 certification. Due to the size of the company, we had to spend a great deal of time and resources generating the documentation and testing the most relevant internal controls. In our case we had a good amount of documentation before SOX, but it was not designed with internal controls in mind, so we were forced to redo the narratives of processes to focus on linking them to the pertinent internal controls. Our company had few deficiencies that were for the most part remediated. Nothing that would in any way affect the financial statements.
My complaint with 404 is that, in my opinion, the Law assumed an "atomic bomb" approach to documentation and testing instead of a "laser guided missile" strategy. I believe it would have been much more effective to focus on the general internal control environment, the most critical controls that affect the most significant accounts (at the transaction level), and the non-routine processes that can directly affect the financial statements (e.g., accounting estimations). If that had been the case, we could've spent half of the time and resources and gotten to the same conclusion.
Another problem is that from the get-go the law as well as the PCAOB had many grey areas with no concrete definition. For example:
I, as the team leader for 404, always felt like I was going to the math test but I was not sure if the professor was going to test addition and subtraction or algebra and geometry. To be on the safe side, we decided to test and document more instead of less, which is not of great value for the shareholders.
On the bright side, as a by-product of the project we came up with a good list of efficiency opportunities that can save money for the corporation.