With the Sarbanes-Oxley compliance deadline for US-headquartered companies imminent (the first reporting date is November 2004), what lessons can be learned by those UK companies that also have to com

The 2002 Sarbanes-Oxley Act (SOX) was implemented to address many of the identified weaknesses in control and accountability that have led to notable corporate failures in recent years, including Enron and WorldCom.

However, the US domestic corporate market has had two distinct disadvantages in terms of achieving initial compliance with SOX. Firstly, the implementation timescales for accelerated filers were very tight, and, secondly, many issues of detail have only emerged during the course of implementation.

Even now, a number of issues are not clear and are being debated with the audit firms that will have to attest to compliance (or lack of compliance as the case may be).

SOX is wide-reaching in its impact, but there are two principal sections that drive the processes that have to be implemented and maintained.

- Section 302 requires that a company's CEO and CFO each certify quarterly the accuracy of the financial returns being presented and that internal controls and procedures are in place and have been evaluated.

- Section 404 requires, on an annual basis, CEO/CFO certification of the effectiveness of internal controls and procedures for financial reporting, and that the external auditors attest to and report on this assessment.

UK companies caught under SOX (and there are over 60 in the FTSE 350) benefit from an extra year to achieve compliance. Is this time being used wisely and will the deadline of the end of 2005 be met?

Let us consider the basic steps of a typical programme.

PLAN AND ANALYSE - Establishing a proper steering committee and project team with clear objectives and proper governance is vital to the success of the project. Initial plans must be put in place, based on a proper assessment of the scope, scale and geographic coverage of the company.

An organisation that is still at this stage has a lot of catching up to do.

DESIGN - Finalisation of the approach, scope and control objectives will enable the detailed plan to be confirmed. Pilot processes to test tools, documentation approach and external auditor co-ordination should be established.

Good progress if this phase has been reached, but some of the problems and hurdles will also be emerging.

BUILD - Processes will be mapped, and existing documentation enhanced to deliver a comprehensive view of the organisation's control framework.

Testing of the controls will then commence.

A well-planned project that is going to meet the deadlines in comfort should be at this stage by now.

IMPLEMENT - Existing controls will be compared to best practice frameworks, including COSO and COBIT. Any identified gaps will be evaluated for severity and remediation plans developed.

A programme at this stage is well on track to deliver.

SUSTAIN - Weaknesses must be remedied, providing opportunities for process improvement, while knowledge is transferred to the future compliance process owner for the move to steady state compliance.

Is anyone really at this stage?

Framework

The benchmark evaluation framework for SOX is the COSO framework that dates back to 1985 and is named after the US Committee of Sponsoring Organisations.

This framework is used by virtually all organisations seeking SOX compliance.

COSO is complemented by the COBIT framework (Control Objectives for Information and related Technology) issued by the US IT Governance Institute.

So, with legislation in place and a comprehensive target framework available, what experiences from the US should be applied to projects now under way in the UK and beyond?

- EXTERNAL AUDITORS - Agree terms of reference and processes to engage with the external auditors at the earliest opportunity. Achieve assurance that assessments, documentation, testing and reporting are heading in the right direction through pilot audits. Avoid last-minute surprises.

- CONSISTENCY - Companies that are not able to demonstrate consistency and standardisation of approach across their business run the risk that some areas may not be compliant. A lack of consistency at the start also runs the risk of divergence over time, and may significantly increase the cost of external audit reviews.

- QUALITY CONTROL - The recording and mapping of processes, the analysis of controls, identification of gaps and remedial actions must all be undertaken to high standards of quality. Quality controls must be built into the programme - they cannot be audited in after the event. Quality goes hand-in-hand with consistency to deliver a successful programme and a compliant organisation.

- OUTSOURCED SERVICES - Prepare an analysis of outsourced services at the earliest opportunity and determine which fall within the scope of SOX, based on materiality. Service providers that are themselves SOX reporters should be able to provide SAS 70 (Statement of Accounting Standard for Service Organisations) - Type II certification. Others may represent more of a challenge.

- SOFTWARE TOOLS - The market is awash with software tools claiming to address SOX requirements. Many organisations bought software before working out what it was required for, and whether it was suited to the needs of the organisation. Consider a pilot test of a product before making a commitment to a full purchase.

- ONGOING COMPLIANCE - SOX is not just about delivering a one-off compliance exercise. A compliant infrastructure must be monitored and maintained. The SOX project must be geared to provide this framework.

Turnbull to be reviewed

With the UK Financial Reporting Council's recent confirmation of a review of the 1999 Turnbull guidance, all listed companies should anticipate change. It is expected that the revised guidance will take effect in January 2006, a year after SOX first applies to UK companies. Given the experiences of SOX, companies should take an early look at the likely implications and plan accordingly.

Geoff Booth is financial services practice director, London, and Anne Swaller is practice director, Chicago, of Parson Consulting, www.parsongroup.com