A global pharmaceutical company wanted to transform its first-year Sarbanes-Oxley Section 404 readiness project into a sustainable, company-wide internal control and Sarbanes-Oxley compliance capability.
The client needed to answer several key questions. Among them:
- What is line management's responsibility for internal control over financial reporting? Should the company manage internal control centrally or with a distributed model?
- What ongoing support does management need? What is the optimal resourcing approach?
- What control activities will the company execute going forward? How will the company monitor these activities?
- What oversight is needed to ensure the proper design and effectiveness of controls?
- How does Section 404 impact the company’s representation letter process?
- How does the role of Internal Audit change in the 404 environment?
- What is the role of the Audit Committee and the company’s Executive Committee? What type of reporting is required and with what frequency?
- How will management drive improvement in the control environment?
How We Helped
Working with the client's legal and finance leadership, Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Financial Advisory Services LLP and Deloitte Tax LLP developed an internal control roles-and-responsibilities framework to guide the client’s Sarbanes-Oxley compliance and internal control activities in 2005 and beyond. Two key components in this framework:
- The establishment of the client's first-year "404 Committee," the leadership group that supervised its first-year Section 404 compliance activities, as a standing Internal Control Committee to provide oversight over ongoing compliance efforts
- The expansion of the client's first-year "404 SOX Team," which conducted the bulk of the first-year Section 404 documentation, testing and remediation activities, into a permanent Internal Controls Function reporting to the corporate controller
In addition, we helped the client address the following issues in establishing an effective sustained compliance program:
- Knowledge sharing and organizing compliance activities by process. In the client’s first-year compliance project, each region and business unit carried out its own process documentation activities independently with no central coordination. For the 2005 sustainability program, we had identified several key processes (e.g., procure-to-pay; order-to-cash; GLFR, or GIAC Law of Fraud, GIAC being Global Information Assurance Certification; payroll; inventory), each of which would be managed by a “Process Champion” across the global enterprise to:
  - Standardize procedures and improve quality and consistency in documentation across the different regions and business units
  - Reduce duplication of effort in multiple locations
  - Facilitate knowledge sharing among documentation teams in different regions and business units
- Staffing. Our client experienced severe resource constraints in its first-year Section 404 compliance project. To reduce this problem in future years, we created a competency model and a career path development model for the client’s sustainability program and then assisted in identifying resources to fill all the necessary roles.
- Knowledge transfer. We helped define a training and knowledge transfer plan for the next year. We also provided the company’s management with significant training, tools and guidelines throughout the compliance and sustainability projects to prepare it for internal control management responsibilities. For example, we conducted person-to-person training with key executives to help them understand their Section 404 subcertification responsibilities.
At the end of this project, the client gained efficient and effective processes for ongoing Sarbanes-Oxley compliance, reducing annual and quarterly compliance costs and disruption, as well as an internal controls governance model designed to foster continuous improvement in the company’s internal controls environment.