Kalorama Partners :: Compliance Week Column
Certifying Internal Controls — A Trap for the Unwary?

By Harvey Pitt, Compliance Week Columnist — Feb. 24, 2004

A great deal of frenzy currently surrounds the Sarbanes-Oxley requirement that public companies assess, and their outside auditors attest to, the effectiveness of the company's internal controls.

To paraphrase Epictetus, "[w]hat concerns me is not the way things are, but rather the way people think things are." Most companies seem to be adopting one of two diametrically opposed, but equally ill-advised, approaches: Some take the new requirements at face value, while others, like Henny Penny, act as if the sky is falling.

Both extremes are ill-advised.

Public companies should focus on the fundamental changes Section 404 will require in the way companies approach internal and external audit functions.

1.  Rethinking Internal Audit

Meaningful compliance with SOX 404 requires companies to rethink their internal audit function.

Prior to the promulgation of SOX 404, the task of verifying numbers in a company's financial statements often had been relegated to external auditors, who provide verification services as part of their annual review.

SOX 404 changes this arrangement by requiring public companies to have access to an internal audit function separate from the external audit functions provided by a company's outside auditors.

The changes necessitated by SOX 404 may take many companies by surprise, and most assuredly will require adequate time and advance planning. Companies either will have to create an internal audit function if they haven't had one, or outsource that function if they can't — or choose not to — create one.

For those companies that have had internal audit functions, serious consideration should be given to upgrading internal audit in light of the new requirements.

2.  Changes To Internal Audit Function

Internal audit functions will likely change as a result of SOX 404 Rules. The SEC's SOX 404 rules require management to establish and maintain an adequate internal control structure and procedures, and to assess their effectiveness on an annual basis. In its report, management must identify the evaluation framework used to assess the effectiveness of the company's internal controls.

Although no particular evaluation framework was mandated by the SEC, most U.S. companies will attempt to implement the COSO framework.

The internal audit function that conforms to the COSO framework may be larger and more extensive than the internal audit function some companies currently have in place. The framework envisioned by COSO may preclude internal auditors from working in areas they're auditing, deprive them of operating responsibilities, and lead to the development of clear reporting lines away from management. As a result, implementing the COSO framework may require staff increases at some companies. Alternatively, these tasks may be outsourced to auditors that are unaffiliated with the company's external auditors.

3.  Retesting And Redundancies

Companies should have a clear understanding of the extent to which their external auditors will retest elements relied upon by management in its report on internal controls, and take all reasonable steps to minimize the perceived need for duplication of efforts. External auditors who certify a company's financial statements are required to attest to management's assessment of the effectiveness of the company's internal controls. In October 2003, the PCAOB proposed rules regarding auditor certifications of internal controls.

The PCAOB addressed the new roles of external and internal audit in its proposed standards for attestation of Section 404 compliance by independent (external) auditors. The proposed standards state that independent auditors may rely on procedures done by management or others except for controls relating to:

  • Fraud
  • Period-end financial reporting (consolidating entries, adjustments, classifications)
  • Controls that have a pervasive effect on the financials (information technology)
  • Walk-throughs
  • Significant non-routine and nonsystematic adjustments (valuation reserves)
  • Controls over significant accounts, processes or procedures where the risk of control failure is high

In something akin to the Delphic Oracle, however, the PCAOB also specifically noted that "the auditor's own work must provide the principal evidence for the audit opinion" regarding compliance with SOX 404. The PCAOB's comment has caused some audit firms to insist upon repeating all the verification processes required to be compliant with SOX 404.

While the PCAOB's concerns are understandable, the comment should not be used to justify massive, undue replication of effort. As a result, it is incumbent upon companies to reassess, with their external auditors, the scope of work to be performed by their external auditors in arriving at a satisfactory certification.

The strength of a company's internal audit function will determine the level of work needed to be repeated by external auditors. If there is a well-established internal audit function, or third party audit function, and few problems have surfaced in the past, external auditors probably can rely upon the efforts of others, except in the categories where the PCAOB has specifically precluded such reliance.

If a company's internal audit function has been recently expanded to meet the SOX 404 requirements, auditors may require further assurances before agreeing to limit the amount of their own retesting.

At the present time, the PCAOB is in the process of attempting to resolve this issue.

4.  Documenting Deviations

If companies have questions whether their revised procedures conform to the COSO framework, they should document the rationale for their changes, and make certain their outside auditors are on board with these changes.

Some aspects of the COSO framework may be either uneconomic or difficult to implement for certain companies. Ultimately, the process and procedures adopted must fit the company, not the other way around.

As companies begin to map out changes they intend to make, they should focus carefully on any areas where they may need to deviate from COSO. Any exceptions or deviations should be discussed with the company's external auditors and evaluated to see if they raise any concern.

The rationale for any deviation should be carefully documented. Companies may need to bring these matters to the attention of the SEC prior to filing, so that they can work together with the SEC staff to find solutions. Talking to the PCAOB and SEC in advance of filing may be worthwhile, because a minor misunderstanding can have greater implications at a later date.

5.  Worthwhile Exercise

Corporate financial reporting should improve materially if the SEC's SOX 404 rules are implemented carefully and appropriately. Most public companies will need to consider redesigning their internal audit function, in order to comply with the SEC's SOX 404 rules.

Although complying with Section 404 may be a painful process for many companies, at least at the outset, the end result will make it worthwhile. With proper planning, the critical information needed to run the business intelligently will flow efficiently from throughout the organization up to management. The speed and reliability of information that is collected and disseminated should improve, and management will have greater confidence in the numbers upon which they base their decision-making.

Moreover, improving the process should also provide senior management with greater comfort when certifying their companies' financial statements, as now required by SOX.

In the aftermath of the enactment of SOX, and the promulgation of extensive SEC rulemaking, many companies are understandably concerned by the breadth of the new requirements being imposed upon them. But, even if the deadline for SOX 404 compliance were delayed, as has been suggested, companies should not delay in focusing on how to obtain meaningful and substantial compliance with its requirements.

Improving a company's internal controls will result in a great benefit to the company, and besides, it's the law!

Copyright © 2010 Kalorama Partners, LLC.