Sunday 7 September 2008

SOX turns 5 (092008)

Sarbanes-Oxley compliance has caused IT headaches for half a decade

Five years after the controversial Sarbanes-Oxley Act was enacted to prevent Enron-like scandals, the law’s financial control requirements are having myriad impacts: large companies have cleaned up their accounting, but at great cost; foreign businesses are dropping out of U.S. stock exchanges to avoid SOX requirements; and many small public companies are scrambling to meet a crucial compliance deadline in December.
Signed into law by President Bush on July 30, 2002, SOX forces public companies to prepare reliable financial statements and bring material weaknesses into public view, with mandated testing for integrity and ethical behavior, IT controls related to financial reporting, whistleblower programs, antifraud provisions and other requirements.



The cost of SOX: a sampling of SOX facts, figures and projections:
  • Spending on SOX compliance will surpass $32 billion by the end of 2008. $6 billion will be spent this year alone.
  • July 30, 2002, is when President Bush signed Sarbanes-Oxley into law.
  • Nov. 15, 2004, is when companies with more than $75 million in market capitalization were expected to comply. 4,862 companies with market caps that high have reported under SOX’s Section 404. 1,035 of those have failed to comply at some point.
  • About 7,400 companies with market caps under $75 million face a compliance deadline of Dec. 15, 2007.
    SOURCES: AMR RESEARCH, AUDIT ANALYTICS

Compliance has become “pretty much routine” for large companies, who have faced SOX requirements since 2004, says Bob Benoit of Lord & Benoit, which performs SOX research and helps companies comply.


It hasn’t been cheap: spending on SOX compliance was $5.5 billion in 2004 and is now more than $6 billion annually, according to AMR Research.
1,035 large public companies have at some point failed to comply with SOX, out of a total of 4,862 that have reported under the law’s Section 404, Benoit says, citing figures from Audit Analytics.

Yet many individual enterprises spent far more on SOX compliance than they had to because the federal government initially failed to issue clear instructions.
“It was millions of dollars extra that was spent. This was due to people overcomplying, doing far more testing than was necessary,” says Michael Kamens, who was global network and security manager at Thermo Electron when the $2 billion company in Waltham, Mass., had to comply with SOX.

For about a year, companies thought they had to document and put controls in for every business process they have, since almost anything can impact financial statements, says John Hagerty, an analyst for AMR Research. Later it became clear that SOX only required such oversight for matters directly related to financial processes, Hagerty says.

“The biggest pain companies reported was they felt like they were getting conflicted advice,” he says. “People didn’t want to get caught in a situation where they didn’t do enough, so they ended up doing too much.”

Advice from the Public Company Accounting Oversight Board (created by SOX) and from the Big Four auditing firms was excessive at best, says Kamens, who now works for auditing firm Accume Partners. Whereas today companies focus on 31 so-called key controls, in the days after SOX, public firms were testing for as many as 200 controls, he says.

“It was extremely painful for everybody. Nobody really knew how to comply,” Kamens says. “Because there was so much pressure on public companies to pass, everybody was scared and they did exactly whatever auditors told them to do. Failure was not an option.”

Some private companies have decided to comply with SOX even though they don’t have to, either because they think they might be purchased by a public company or go public themselves, or because they want better control over financial accounting.
“There are more people who realize this is just good business practice,” Hagerty says. “The whole concept of control of your financial environment is a bedrock principle of financial accounting.”
But the cost of SOX also has driven foreign businesses out of American stock exchanges. On Wednesday, BG Group, an oil and natural gas company in the United Kingdom, became the 18th non-U.S. company to quit the New York Stock Exchange since the Securities and Exchange Commission (SEC) made it easier to delist in December, the Bloomberg news service reported. The number of foreign companies traded on the NYSE has dropped 9.5% since SOX became law.
BG Group blamed its decision to leave NYSE on “U.S.-specific obligations [that] carry a cost and administrative complexity.”
Benoit doesn’t quite understand what all the fuss is about. “Internal controls have been around a long time. It’s not rocket science. It’s just a matter of doing it,” he says.

Small companies and SOX
Small public companies face just as complex a task as do larger ones, but compliance costs will be relatively higher as a percentage of a smaller company’s revenue, Hagerty says. Smaller public companies — technically those with less than $75 million of stock in the hands of public investors — have been granted numerous extensions allowing them to postpone compliance. Currently, they are scheduled to face the requirements of SOX on Dec. 15.

Benoit criticized the SEC in a Network World interview last December for not issuing specific guidelines to smaller public companies. Now he says the SEC addressed his concerns with guidance issued May 23.
A compliance project approached correctly should cost 50% to 75% less than what companies have been spending, but many businesses insist on an inefficient, bottom-up approach that audits process-level controls like expenditures, payroll and property, Benoit says.
“Accountants are kind of used to that approach, but internal control is the opposite,” he says. “It’s looking at significant items of risk, identifying those and testing those controls. … When you approach it from the risk perspective, which is what the SEC guidance has made very clear, there are definite and huge savings.”
The SEC on Wednesday adopted a new auditing standard that encourages an even less costly approach to SOX compliance.
That’s good news for smaller public companies that may find their backs against the wall come Dec. 15. Benoit says his firm has contacted about 4,000 companies and “far less than 1%” have started the process of SOX compliance.
“We’re starting to see a small population of companies come alive and start to start their process,” he says. “There’s a small window of opportunity right now. If they start working on the projects now they’ll be OK.”
Small companies face many challenges, according to research by Lord & Benoit. Among them are accounting and disclosure controls, control of treasury functions, competency and training of accountants, revenue recognition, inadequate account reconciliation, consolidations and mergers, and information technology weaknesses.
Software vendors are champing at the bit trying to sell products that automate compliance and reduce cost by taking people out of the process as much as possible. Some built new technology to meet the law’s demands while other vendors took old technologies and repackaged them as SOX compliance tools.

Even former U.S. Attorney General John Ashcroft has gotten in on the game, advising a software company called D2C Solutions that detects internal fraud and makes SOX compliance easier.

The “software [industry] has been the primary beneficiary of this automation phase,” Hagerty says.
