Will governance enforcement decrease or increase in coming years?
I'm convinced it will increase. You can see that the SEC is taking action against companies all the time.
What areas related to Sarbanes-Oxley are people feeling anxiety about?
The issue most talked about around the April 13 hearing was the pressure of reducing the cost of compliance. If you are a small or medium-sized company the impact is even bigger. Some of the issues raised included cost control and the reduction in the cost of fees, driving home the benefits of a good control environment and taking the experiences of the first year and culturalising [sic] that into the organization. Another concern expressed was how to get the owners of processes to take seriously their responsibility relative to oversight of internal controls and making sure those controls are in place and working.
How has Sarbanes-Oxley oversight been handled when a service spans between you and an outsourced service provider?
If you are the management of the company that has outsourced the service you have to get a level of understanding of that outsourced provider. If that outsourced provider does a significant part of work that affects your financial statements you have to get close to it. You only need to deal with the key activities that they provide to you that have a financial implication. If they are a bank, handling your cash transactions and collecting accounts receivable, then obviously your level of concern is much greater versus if you have an outsourced provider that is managing an inventory that is housed on your property. I think those two different types of relationship require different types of involvement on behalf of the company that has to provide the assertion as to exactly what the control structure is.
Are most companies implementing a software solution in year two?
I think that a lot of year one activity was done by using in-house developed documentation techniques and monitoring processes for the project itself. I think a lot of companies have been sitting back and waiting to see how this whole thing shakes out to see what kind of solution will best fit their organization. Early on many organizations found that things were in the market that really didn't address the 404 agenda, and people picked up software that they later realized was a waste of time because it really didn't meet their particular needs. So in year two we are really a little more sophisticated and we will see if the marketplace is able to produce better products that can be used by companies to manage this process.
Do you see any changes for small companies coming in relation to 404 compliance?
Obviously everybody is waiting for the COSO small business document that is to be released for public exposure. That should be a significant document to help provide guidance to small business. My insight on that is to say I don't think the principles of good internal controls will vary as a result of that project. The guidance will assist small businesses in trying to comply with the principles of good internal controls and help them understand other options than that which is used in a big company. So the principles will still apply but maybe the implementation will change.
When will the PCAOB reveal reduced requirements for smaller companies?
I don't think you're going to see reduced requirements for small businesses. What will happen is a better understanding and more flexibility in the types of documentation and controls that will be expected in a small business but will still address the good sound internal control environment that needs to be in place to ensure the accuracy of internal control requirements. I don't think the SMBs will get a get-out-of-jail-free card that will mean they are exempt from this law.
Should foreign companies comply with Sarbanes-Oxley?
If they are listed on the stock exchange they are required to comply like everyone else. They weren't required in round 1 to comply. You'll find that there are a good number of foreign-owned organizations that are listed on the U.S. stock exchange and they are subject to the same rigors as any other U.S. organization would be. Just the timings are different in terms of when they have to file. There is a lot of work being done in many countries, such as Canada and Europe where they have reciprocal legislation that is being implemented in these environments. So it's going to come in one way or another. This seems to be a wave that is going around the world.
What impact did Sarbanes-Oxley 404 activities have on the timing of IT spend?
The point that was raised in the April hearing was that companies were delaying their implementation of IT solutions because they didn't think they could get through the process of installing it in the 3rd or 4th quarter and then have enough evidence to support the controls that would get them a clean opinion. Therefore they were delaying this and what the SEC said in their statement in May was that if companies are doing their installation of IT solutions correctly they should have tested their controls and documented long before they go to implementation. All you should be doing at implementation is allowing some time to confirm that that control is functioning as designed. So the idea is to plan your IT implementation with the intention that you have an inbuilt test technique identified that will give you a quick reading that the external auditor buys into. This enables you to say, that's enough evidence this system is producing the kind of level of support to our financial statements that ensures we didn't deteriorate in our overall control environment.
How long does implementation of Sarbanes-Oxley take?
If you're starting today and you're looking at an $18 billion or more asset company you're going to be looking at a significant amount of time and energy depending on how well documented your company is. And you are going to be dealing with at least 12-14 months between start and finish. It's not something you can do mid-year without having done a lot of homework prior to that to get yourself ready. Because if you're starting from scratch you're going to have a lot of work to do.