Chief financial officers at 2 insurers agree that complying with Section 404 of the Sarbanes-Oxley Act costs far more than it should.[@@]

Patrick Erlandson, CFO at UnitedHealth Group Inc., Minnetonka, Minn., and David Foy, CFO at White Mountains Insurance Group Ltd., Hamilton, Bermuda, have written letters asking the U.S. Securities and Exchange Commission to find ways to focus compliance efforts more on analyzing controls and less on obsessing about paperwork.

The SEC is holding a panel discussion about SOX Section 404 Wednesday, and SEC officials asked for comments about the section from the public to help guide the discussion.

Congress enacted SOX in an effort to root out the kinds of management and financial reporting concerns that have rocked companies such as WorldCom, Enron and, on a smaller scale, Oxford Health Plans, a company recently acquired by UnitedHealth.

Section 404 requires company managers to have auditors conduct thorough reviews of company internal controls and financial reports and for managers to attest to the effectiveness of internal controls.

Improving internal controls and financial reporting is important, but the kind of assessment work “designed to address breakdowns like those experienced at Enron, Tyco and WorldCom represents a very small fraction of the time and cost of compliance with Section 404,” Erlandson writes in his letter to the SEC. “Conversely, the very detailed documentation and testing of routine transaction processing and internal controls that comprises the bulk of the time and cost for Section 404 does little to prevent the types of frauds that the act was meant to address.”

The SEC ought to consider letting auditors place more reliance on past assessments of a company’s controls during annual audits; letting auditors pay more to general principles and less to documentation when assessing internal controls; and making the auditing firms disclose how much revenue they are getting for SOX Section 404 audits, Erlandson writes.

Foy makes similar arguments about reducing scrutiny of documentation, and he suggests that the SEC should go easier on a company during its first year as a public company.

“Allowing a new public company a 1-year grace period?would provide them the opportunity to do a thorough and effective evaluation of their controls without limiting their access to the public capital markets,” Foy writes.

Another executive, Leon Level, chief financial officer of Computer Sciences Corp., El Segundo, Calif., a company that sells technology services to many insurers, notes that surveys have shown that SOX Section 404 compliance is costing big public companies an average of about $8 million per year and that CSC has spent a total of about $10 million on SOX Section 404 compliance.

“Costs of this magnitude adversely impede the competitiveness of U.S. businesses and impose a drag on our economy,” Level writes.

But one anonymous accountant writes that SOX Section 404 expenses are immaterial for most big public companies and that SOX has led to a healthy, overdue change in the relationship between big companies and their auditors.

The SEC has posted SOX Section 404 comment letters on the Web at http://www.sec.gov/news/press/4-497.shtml