March 29, 2005
Most organizations have tackled 302 compliance by developing ad-hoc cascading certifications, which require several layers of management to sign off on the information before the CEO and CFO. In addition, most companies have attempted to satisfy 404 compliance criteria for their external auditors by documenting, in many cases for the first time, the processes which create their financials. Finally, most of the efforts to date have been extremely labor-intensive, without establishing systems designed to improve process efficiencies or to retain control documentation in a reusable fashion, so significant efforts will be required to replicate the control analysis on both a quarterly and an annual ongoing basis. This is due in part to the absence of a clear front-runner in the marketplace in the development of a continuous monitoring solution. Now that the first year of 404 compliance has occurred, most CFOs are realizing that a significant amount of the effort previously spent on the attainment of their first 404 attestation will need to be spent again in 2005 on 302 and 404 efforts; according to Gartner, 6 billion will be spent in 2005.
This realization has a significant impact on the current trend towards "less is more" coming from certain camps, especially pertaining to small-to-mid-cap companies. What is truly distressing are recent comments, as quoted in CFO magazine, that the issue is embedded in COSO itself, versus current efforts to satisfy Sarbanes-Oxley.
COSO, in its purest form, should be equally applicable regardless of the size of the organization. The key, of course, is in the application of the monitoring layer, using both management and an independent third party, and the frequency of the monitoring. The monitoring layer, along with its timing and depth, is actually what the current furor is about, not the other layers. Ironically, it was the abuse of this layer in recent years that led to the collapse of huge companies, and the need for the Act in the first place.
The clear answer, for companies of all sizes, is to increase the frequency, ideally to the optimal state of continuous monitoring. The most logical, and cost-effective, way to accomplish this is through automation, to the extent possible, of the entire COSO model in the organization.
In my opinion, current efforts towards rethinking what has already been done, redirected towards this optimal solution of continuous monitoring, would have significant benefit for companies of all sizes, and therefore, their shareholders as well.