What the SEC says about SOX 404, March 05, 2005

Donald T. Nicolaisen, the SEC's Chief Accountant, said, "The Section 404 requirements are among the most important parts of the Sarbanes-Oxley Act, and I encourage public companies to devote the necessary resources to make sure those requirements are implemented effectively. I don't underestimate the effort this will require for smaller companies and foreign private issuers…."

Alan L. Beller, Director of the Division of Corporation Finance, added, "Section 404 reporting has the long-term potential to substantially improve the reliability of financial reporting. It is already having that effect for companies with the vast majority of U.S. market capitalization…."
Companies bound by Sarbanes-Oxley need to demonstrate sound financial controls governing their business processes and then test those controls through qualifying external audits. Those that fail to comply face the prospect of stiff penalties, which can include large fines or even long prison sentences for willfully disregarding the legislation. According to a Financial Executives International (FEI) survey, the average cost of compliance in year one for a company with revenue above $5 billion was $4.36 million, or 26,000 man-hours. In most organizations the financial reporting process is driven by IT, which is recognized as critical for achieving the goals of the Act. In the early days, vendors flocked to sell software aimed at Section 404, and many organizations picked up packages that they later found to be excessive, wastefully duplicative or mis-focused. Since year one, lessons have been learned and overall costs have fallen, mainly as a result of process improvements and because the initial corporate governance reform set-up costs proved to be one-time expenses. In year two, 6.25% of the companies that filed reported ineffective internal controls over financial reporting, compared with 15.8% in year one. Crucially, the lessons learned from Sarbanes-Oxley also have the potential to benefit organizations in other areas of compliance.
The SEC, which writes the rules and oversees their implementation by the companies responsible for assessing and reporting on internal control, has conducted hearings with companies to talk about implementation and how regulations should be shaped in the future. "In my view technology is not the sole answer to achieve compliance," says Chrisan Herrod, Former CSO and Current Executive Consultant with the SEC. "Good processes are as, if not more, important. Technology can be a helpmate: the SEC is using software to help track internal compliance to Sarbanes-Oxley. But it shouldn't be the sole approach to achieve compliance."
Implementing the Act involves managing people, processes and technology to document, test, remediate, monitor, and certify the efficiency of controls. Large companies face a significant investment of time and energy in implementation, depending on how well documented the company is to begin with. An organization with many scattered locations operating on disparate accounting systems will face challenges, and bringing in external auditors can be costly. There is some concern about over-regulation and the burden of compliance on small and medium-sized businesses. A publicly traded supermarket, for example, that provides groceries as well as banking services and a pharmacy would have to comply with all three major federal regulations (Gramm-Leach-Bliley, HIPAA, Sarbanes-Oxley). In July of 2006 COSO released its Internal Control over Financial Reporting guidance, intended to reduce the compliance burden for small public companies with fewer financial and human resources. But there is some debate about whether the new guidance, which is designed for management rather than auditors, will actually reduce audit costs. The SEC attempts to craft regulations that are in line with international policies and that dovetail into other regulations, thereby reducing overheads. The Public Company Accounting Oversight Board (PCAOB), which provides guidance for external auditors on how to assess controls, encourages auditors to exercise judgment and tailor audit plans based on the level of risk they identify. The government rules won't by themselves drive all the necessary improvements in financial reporting, insists Herrod; the industry itself, she says, has to monitor and perform constant due diligence.
There has also been some confusion over whether foreign companies need to comply with the Act. But a good number of foreign-owned organizations are subject to the same rigors as any other U.S. organization would be. "If a company is listed on the U.S. stock exchange they are required to comply like everyone else. It's just the timings are different in terms of when you have to file," says David A. Richards, President of the Institute of Internal Auditors. The Act has triggered a wave which has touched almost every region of the world and encouraged increased transparency and accountability in financial reporting.
Most regulations emphasize three overlapping areas: ensuring the integrity of processes as well as information, mandatory record retention policies, and ensuring the privacy of information. Security is implicit in all three areas. Reducing the cost of compliance will depend on businesses' ability to meet the challenges and tackle the issues on a number of different levels, including: effective and efficient processes for evaluating, assessing, remediating, monitoring, and reporting on controls; integrated financial and internal control processes; technology to enable compliance; clearly articulated roles and responsibilities and assigned accountability; education and training to reinforce the "control environment"; and adaptability and flexibility to respond to organizational and regulatory change.
Compliance with Section 404 has produced benefits, including a heightened focus on internal controls at the top level of companies. This culture of compliance is of critical importance. "Once you have a culture of understanding built into your organization, that every end user, every business owner, every C-level executive, every manager has a role in compliance, the more successful you're going to be," says Herrod. "Because frankly corporate culture up until the implementation of Sarbanes-Oxley didn't really have to comply with anything." Richards adds, "It's important to get the owners of processes to take seriously their responsibility relative to oversight of internal controls and make sure those controls are in place and working."
Another concern is how to handle financial oversight when a service spans an organization and an outsourced service provider. "If you are the management of the company that has outsourced the service you have to get a level of understanding of that outsourced provider," says Richards. "If that outsourced provider does a significant part of work that affects your financial statements you have to get close to it." The key activities the provider performs are the ones with financial implications. For example, a bank handling a firm's cash transactions and collecting accounts receivable is obviously of more concern than an outsourced provider who is managing an inventory housed on the client's property, says Richards. Outsourcing is certainly a possibility, but providers must be chosen with care.
Fraud is still possible under Sarbanes-Oxley, but Herrod's advice for the future is to adopt a holistic compliance program and plan for the inevitable, such as changes in system design and new hardware implementations. She also suggests keeping up to date with the direction regulation is headed, utilizing government guidelines, and measuring the results of the compliance program to ensure continuous improvement. In the end, says Herrod, the cost-effective solution to compliance reporting lies in process improvements and related systems improvements.
Hartman, T., Foley & Lardner LLP, The Cost of Being Public in the Era of Sarbanes-Oxley, http://www.fei.org/, June 2006.
Herrod, C., Former CSO and Current Executive Consultant, SEC, SOX Section 404: The Next Steps, Xtalks Executive Web Conference, September 12, 2006.
Richards, D., President of the Institute of Internal Auditors, SOX Section 404: The Next Steps, Xtalks Executive Web Conference, September 12, 2006.