The Holy Grail of Sustainable Compliance

Integrating compliance into a company's DNA requires shifting its mind-set from project to process.

The year-one accelerated filing period for Section 404 of the Sarbanes-Oxley Act has ended. So, have CFOs put that experience behind them and moved on? Hardly. The sighs of relief emanating from corporate finance functions have been short-lived. Plenty of work awaits.

Compliance with Sarbanes-Oxley and other regulations has become a fixture on corporate to-do lists. The goal of accelerated filers during year two is to make the job as effective and efficient as possible so that ongoing compliance activities become entrenched without devouring human and monetary resources. Finance executives are now deciding on the most cost-effective methods of reaching that goal, which may include investing in automation. A select few public companies are collecting compliance best practices from all corners of their organization and implementing them on an enterprisewide basis. Some organizations have extended compliance activities to improve their financial procedures.

As companies move into the next phase of Sarbanes-Oxley compliance, the theme of "internal controls culture" is gradually replacing "tone at the top." The sustainability and cost-effectiveness of responsibility handoffs, training, software investments and internal-controls monitoring that will impact companies' middle layers will show whether the climate established by top executives has permeated their organization.

"Our main goal is to continue to make Sarbanes-Oxley compliance a part of our culture," says Donald P. Hileman, senior vice president, finance, with Sky Financial Group Inc. in Bowling Green, Ohio. "We're already starting to gain benefits from that process during our second year [of Section 404 work]."

The commercial and consumer banking company has expanded its quarterly internal controls review process and worked closely with external auditors to identify which of the internal audit function's control evaluations the auditors can accept without repeating them. And it has launched an initiative to weave compliance responsibilities into the job descriptions of business-department managers.

Most public companies -- even businesses like Sky Financial Group -- that shared their initial Section 404 reports with auditors in December 2004, have largely concentrated their year-two efforts on correcting problems unearthed in year-one Section 404 work. "Many organizations have not yet developed a comprehensive, detailed, ongoing compliance plan because they have spent year two concentrating on clean-up work from year one, such as gap, deficiency and weakness remediation," reports Anne Marchetti, practice director of Sarbanes-Oxley services for Parson Consulting in Chicago.

Complications that flared up during year-one Section 404 activities still need attention. Most of the 530 public companies that responded to a recent KPMG survey indicated that they harbor concerns about several Section 404 areas, such as the adequacy of resources (identified by 71 percent of respondents), competing priorities (70 percent), IT changes (70 percent), process changes (66 percent) and ongoing costs (64 percent).