Chief financial officers at 2 insurers agree that complying with Section 404 of the Sarbanes-Oxley Act costs far more than it should.[@@]
Patrick Erlandson, CFO at UnitedHealth Group Inc., Minnetonka, Minn., and David Foy, CFO at White Mountains Insurance Group Ltd., Hamilton, Bermuda, have written letters asking the U.S. Securities and Exchange Commission to find ways to focus compliance efforts more on analyzing controls and less on obsessing about paperwork.
The SEC is holding a panel discussion about SOX Section 404 Wednesday, and SEC officials asked for comments about the section from the public to help guide the discussion.
Congress enacted SOX in an effort to root out the kinds of management and financial reporting concerns that have rocked companies such as WorldCom, Enron and, on a smaller scale, Oxford Health Plans, a company recently acquired by UnitedHealth.
Section 404 requires company managers to have auditors conduct thorough reviews of company internal controls and financial reports and for managers to attest to the effectiveness of internal controls.
Improving internal controls and financial reporting is important, but the kind of assessment work “designed to address breakdowns like those experienced at Enron, Tyco and WorldCom represents a very small fraction of the time and cost of compliance with Section 404,” Erlandson writes in his letter to the SEC. “Conversely, the very detailed documentation and testing of routine transaction processing and internal controls that comprises the bulk of the time and cost for Section 404 does little to prevent the types of frauds that the act was meant to address.”
The SEC ought to consider letting auditors place more reliance on past assessments of a company’s controls during annual audits; letting auditors pay more to general principles and less to documentation when assessing internal controls; and making the auditing firms disclose how much revenue they are getting for SOX Section 404 audits, Erlandson writes.