Editor: For publicly traded companies, Sarbanes-Oxley's provision
on internal controls over financial reporting, Section 404, is crucial. How has
management reacted to the requirements of Section 404?
Goldenberg: Section 404 has added a whole new realm to public company
management. Although public companies have been required to have adequate
financial internal controls long before Sarbanes-Oxley, Section 404 now requires
that management assess and report on the overall effectiveness of internal
controls over financial reporting. Few if any companies, even those with good
internal audit functions, have ever dedicated vast amounts of personnel and
systems to completely document, test and monitor their internal controls. So
management has had to identify and allocate resources, both internal and
external, to get this done.
Clearly, this is a big task to add to any company's management. I think that
the SEC, and the professional community, have provided a lot of information to
management over the last several months. Management has educated themselves
quickly as they get into, or approach, the process. Most management first react
in disbelief at the level of work Section 404 requires. The scope quickly
becomes apparent though, as company management starts to think about everything
it does in business, and how it ultimately gets included in their financial
Management is also recognizing some benefits. Processes are being
standardized, process owners are learning the importance of controls and their
benefit in managing those processes, and senior management has greater awareness
of risks within their organizations, and further supports their certifications.
Editor: So clearly companies have not anticipated the details associated
with 404. What advice can you provide to management to help them in developing
their project plan?
Goldenberg: The Section 404 assessment requires acceptance from every
level within the company. Whether they realize it or not, most everyone impacts
the quality of internal controls. For internal controls to operate effectively,
"process owners" must acknowledge controls and buy into the importance of
performing them correctly and consistently. So management should not try to do
the evaluation from just the top looking down.
Also, they should seek outside guidance to help certify the assessment
process. Since the company's auditors are required to audit internal controls,
independence considerations prevent them from providing much if any advice to
management on the Section 404 project. Instead, they should consult with other
auditors familiar with companies similar to their own. And, the requirements are
numerous, and ever more detailed and defined in these years of implementation.
Most companies that have started the process have engaged second auditors to
assist them. Other areas for consideration are internal controls specialists in
information technology, which is a very important consideration, taxes, employee
benefit plans, among others.
Editor: From your experience, what types of firms are best suited
to guide companies through this process?
Goldenberg: The best firms are those that understand both the
Sarbanes-Oxley requirements and the company. Information technology
specialists should have knowledge of important information systems. Likewise,
the firms that are consulted with should have a working knowledge of the Section
404 requirements, internal controls and financial reporting. I believe that
audit firms, which already perform SEC audits, and serve clients of a similar
size and industry, provide the best service.
Editor: What about audit committees? They too have greater accountability.
How does Eisner interact with members of the committee?
Goldenberg: Audit committees are by necessity much more involved now.
It is common for audit committees to meet more frequently, be informed sooner of
management decisions, and communicate more with the companies' outside
professionals than before Sarbanes-Oxley. Certainly it makes sense for the audit
committee to be intimately involved as sponsors of management's Section 404
assessment. Audit committees should be involved in the risk assessment in
planning the process, and qualifying the advisors. Members of the audit
committee typically have the competencies to provide project guidance, add
"weight" behind the efforts, and are in a unique position to converse openly
with management, the consultants, and the external auditors.
Editor: You lead Eisner's Corporate Governance Team; what is the scope of
your team's activities and how has Eisner's SEC company experience been an
Goldenberg: Eisner is currently providing assistance to companies in
their Section 404 assessments, not only through consulting but also providing
assistance in documentation and testing, and specialists. Since Eisner audits
approximately 60 SEC registrants, it's been pretty seamless providing Section
404 services to these other companies. All of our Section 404 assist projects
have CPAs involved who understand auditing and financial reporting. In fact most
of our engagements are augmented with professionals from our audit staff. These
are people who perform audits every year, and maintain continuing education in,
at least, auditing, financial reporting, and the SEC and PCAOB rules and
regulations. Eisner is providing a level of professionalism that pure internal
audit outsourcing firms generally do not.