Another Extension for SOX Compliance, Increased Costs for Companies
by Wendy Garcia
Everyone’s been told, at one point or another, that two heads are better
than one. One may be inclined to question that philosophy, however, when
the situation involves the Securities and Exchange Commission and the
Public Company Accounting Oversight Board, and the matter at hand is the
Sarbanes-Oxley Act of 2002 Section 404 requirements.
The intention of
Section 404 is to make readily available to investors reports detailing
the management’s responsibilities regarding ‘adequate’ implementation
and continued maintenance of a company’s “internal control structure and
procedures for financial reporting.” A reasonable expectation. However,
the Section 404 summary also includes the mandate that the reports
“assess the effectiveness of such internal controls and procedures,” and
that “the registered accounting firm shall, in the same report, attest
to and report on the assessment on the effectiveness of the internal
control structure and procedures for financial reporting.” All that’s
left is the requirement for investors to report that they’ve read the
filed reports and they feel management’s actions and opinions, and those
of the accounting firm, are ‘adequate’.
Section 404 begs the
question “When is enough, enough?” The SEC has gone so far as to put in
place a task force, whose intention it is to publish instructions for
smaller companies to better apply the framework of the Committee of
Sponsoring Organizations. So while the SEC is creating positions and
opportunities for its own structure, smaller firms are left trying to
figure out how they can afford to comply with the Act due to not only
their limited funds, but also their limited manpower because, after all,
there still is a business to run. But for how long? “In the long run,
internal controls may be the most important single step in increasing
reliability,” stated Alan Beller, director of the SEC’s division of
corporation finance. The key to Beller’s comment is the reference to
‘internal controls’ rather than the opinion of management and the
accounting staff.
While the SEC and its
task force are concerning themselves with opinions, smaller businesses –
and certainly the larger ones as well – are scrambling to figure out how
to meet Section 404’s requirements, not limited to figuring out how to
obtain the technology that would undoubtedly ease the time and long-term
cost to comply. According to Korn/Ferry International’s 31st
Annual Board of Director’s Study in November of last year, US companies
spent an average of $5.1 million in order to achieve compliance with
SOX. Charles King, head of Korn/Ferry’s Global Board Services Practice,
commented, “What is surprising, however, is just how significant the
cost of Sarbanes-Oxley has been. When you consider that our respondents
reported that ongoing compliance will average another $3.7 million –
this has been an expensive proposition.”
Expensive indeed, and
one has to consider the lost production costs as a result of time put
into achieving compliance, as well as the change in flow of spending –
rather than investing in research and development and IT that would be
directly related to the business’s everyday functions, funds have been
funneled into supporting the task of complying with SOX. A 2004 AMR
Research release identified that 42% of overall IT compliance budgets
was spent on Sarbanes-Oxley compliance measures, with a focus on records
management and security. In addition, AMR Research projected that 28% of
SOX spending budgets will be directed toward technology, an increase of
43% from $1.13 billion in IT spending in 2004 to $1.62 billion in 2005.
A study released last
December by Oversight Systems Inc., a company that offers real-time
monitoring solutions to achieve and maintain Section 404 compliance,
revealed that, although 57% of financial executives felt SOX compliance
was a good investment for stockholders, a third of respondents said SOX
compliance created a cost burden that directly impacted stock prices,
and 14% felt that the cost of compliance was so much of a drain on
earnings that it created a decreased ability to pay out dividends.
Further, "We've seen a negative reaction to Sarbanes-Oxley because it's
easy to quantify the cost and extremely difficult to quantify the
benefits," said Dr. Todd DeZoort, Accounting Advisory Board Fellow at
The University of Alabama and an advisor to Oversight Systems.
The SEC has tentatively
scheduled a roundtable for this April in order to discuss internal
control reporting requirements, and the deadline for small companies to
comply has once again been pushed. The penalty for non-compliance is
de-listing of the company. Given that so many companies still have not yet
been able to achieve compliance, even taking into consideration the
extended deadlines, it should be clear to authorities that the expectation is
unrealistic. The SEC is not foolish enough to carry out a mass
de-listing, as the impacts on the exchanges and securities associations
through which the stocks are traded would be of insupportable
proportions.
The silver lining
belongs to the technology vendors who have designed products to help
ease the strain of managing access controls in order to put financial
data in a secure position as well as those who have access to it. With
the signing of SOX, essentially what was created was a niche market for
vendors – firms are required to comply, and part of the inability to
comply is wrapped up in the use of spreadsheets and therefore manual
processes. A market need emerged, and vendors took to the starting line
to see who could offer what, and when.
Ecora Software offers
Solution Express, a support initiative for Enterprise Auditor
clients who are working to comply with SOX. Scott Carpenter, Product
Manager at Ecora, reported that "Ecora's Enterprise Auditor gives users
an out-of-the-box solution that reports on a significant portion of
network infrastructures. We cover the major operating systems,
databases, and infrastructure applications.” Axentis, a provider of
governance, risk and compliance management solutions, launched in
October of last year Axentis Enterprise. Ae is designed to aid clients
in achieving regulatory compliance, as well as provide a solution to
carry out the maintenance following certification.
Oversight Systems also
has developed a tool to monitor financial systems for unusual and
unauthorized activity of authorized users in an attempt to “detect,
prevent, and deter financial loss from systems-based fraud, misuse and
errors,” according to their release early last year. "By monitoring the
procure-to-pay process, Oversight Systems provides enterprises with an
effective means to significantly reduce fraud and payment errors that
industry reports say drain a significant percent of corporate earnings
every year," said Patrick Taylor, CEO of Oversight Systems. Although
Oversight Systems’ monitoring tool was not specifically designed in
response to Sarbanes-Oxley, it certainly is a demonstration of vendors
looking to get a foothold on the post-compliance environment, and
looking to reduce the manpower necessary for companies to remain
compliant.
The SEC and PCAOB must
bear in mind the events that were behind the design of Sarbanes-Oxley,
namely such market catastrophes as Enron and WorldCom, which emerged
from bankruptcy as MCI. In addition, there comes a time when one has the
ability to admit that, although the best of intentions were in place
with the initial design of the plan, the cost has become significantly
more than originally estimated, and the burden more than some – who may
or may not have been committing wrongdoings from the start – can bear.
In apparent attempts to defend it in the event of future collapses due
to inappropriate accounting practices, the SEC has gone overboard with
the extensive requirements outlined in SOX and applying them as a
blanket on the industry. Sarbanes-Oxley is not a one-size-fits-all
solution, but it is being treated as just that, and its impact on the
marketplace is developing into something that will soon no longer be
viewed as dirt that can be brushed under the carpet. The SEC can install
as many absolute, drop-dead deadlines as it very well pleases, but how many
will it take before it finally becomes clear that the task is not a
practical achievement? It is not a perfect solution; it is time we stop
treating it as though it is.