Section 404 Could Cost Big Companies $4.6 Million or More
Complete results of the survey are available at the FEI
website: http://www.fei.org. 
The average cost-of-compliance estimate for all companies in the survey -- where 20 percent of the respondents were from companies with more than $5 billion in annual revenue, compared to 3.3 percent in the under $25 million category-was just under $2 million for roughly 12,000 hours of internal work and 3,000 hours of external work, plus additional auditor fees of $590,000, or a rise of 38 percent.
The compliance effort is significantly larger than estimated in an earlier FEI survey. A smaller survey of 83 companies conducted in May 2003 suggested the average company expected the effort to consume 6,000 hours in total for internal, external and attestation time, and projected a rise in audit fees of 35 percent.
The average respondent expected to spend the most on external costs, which may be good news for software vendors and consultants.
"It stands to reason that larger, more complex companies will incur higher costs for implementing the internal control-related provisions of Section 404, but even for small companies the estimates are almost equally significant in proportion to revenue," said Colleen Sayther, President and CEO of FEI. "Only time will tell how this first-year cost will compare to the benefit for shareholders."
On the sharp rise in audit fees, Sayther cautions, "Until final rules are adopted for Section 404 by the PCAOB and the SEC, companies and auditors can only estimate what the jump in audit fees will be. Ultimately the fees could amount to be much higher."
On average, companies expect to document processes at 80 percent of their locations. Across the board, companies expect the documentation to cover roughly 92 percent of their total revenues. Companies on average expect their auditor to test 57 percent of their documented processes, with the exception of the smallest companies, which expect the percentage of processes tested to be 42 percent.
According to the survey, 25 percent of respondents have already deployed their permanent solution for Section 404 compliance, while another 52 percent expect to do so in 2004. Ten percent plan deployment after 2004, while 14 percent have no specific plans to implement a solution tool at this time.
Requirements of Section 404 -
Section 404 of Sarbanes-Oxley requires each annual report of a company to contain (1) a statement of management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) management's assessment, as of the end of the company's most recent fiscal year, of the effectiveness of the company's internal control structure and procedures for financial reporting. Section 404 also requires the company's auditor to attest to and report on management's assessment of the effectiveness of the company's internal controls and procedures for financial reporting, in accordance with standards established by the Public Company Accounting Oversight Board (PCAOB).