Tuesday, February 15, 2005
The Compliance Chasm
A central debate in the effort to comply with Sarbanes-Oxley (Sarbox), particularly sections 302 and 404 which govern financial reporting and documentation of internal controls respectively, is whether operational benefits will outweigh the costs. RevenueRecognition.com and International Data Corp. conducted a survey of 220 business leaders in December 2004. The results suggest that while costs are front loaded, there is proportional value once companies get through the full compliance process. However, there are distinct differences between companies that crossed the compliance chasm and rated the effectiveness of major compliance activities equal to or higher than costs and those that did not.
Overall Effectiveness Offsets Overall Cost
In the survey, respondents were asked to rate the cost of six major Sarbanes-Oxley compliance tasks as well the effectiveness of those tasks for improving risk management. As shown in Figure 1 below, the costs and effectiveness ratings were approximately even for activities such as documenting accounting policies, certification and sign off on internal controls, certification of financial statements, and responding to external audit attestation processes. However, there were two exceptions:
1) The cost of documenting internal controls was rated substantially higher than its effectiveness for improving risk management; and
2) The cost of remediation of weaknesses found was rated substantially lower than its effectiveness for improving risk management.
The Compliance Chasm
While the overall cost and effectiveness ratings are equivalent, there is a distinct chasm between companies that rated effectiveness lower than costs and those who rated effectiveness equal to or greater than costs. Figure 2 presents the cost-effectiveness indexes for 79 public companies. There are 43 companies to the left of the green line and 36 companies to the right.
The group that did cross the compliance chasm required only 83% of the effort and achieved more satisfactory results than the second group. This seems to indicate that they had a smaller gap between existing practices and those required by Sarbox. As a result, their human resources were more focused on external auditing activities which represent a much smaller portion of the overall labor cost.
But there is more to the story. Surprisingly, those who crossed the compliance chasm are actually less likely to be planning to keep their existing processes and technology in 2005 than those have not crossed the chasm. The key factor being that they are much more likely to have plans to deploy new technology for key compliance activities in 2005.
Crossing the compliance chasm may be easier for companies that have a culture of continuous improvement and are therefore more prepared and able to manage the enterprise-wide changes required by Sarbox compliance. Not only were these companies more prepared to begin with, they also plan to do more in the future.
The High Cost of Compliance
The survey focused on costs for internal resources and outside consulting from both Big 4 and non-Big 4 audit firms. Total resource requirements to support Sarbox increased in direct proportion to the size of organization based upon revenue. For public enterprises with more than $1 billion in revenue, the average amount of labor spent on compliance activities was more than twelve person-years. Companies in the $200 million to $1 billion revenue range averaged more than six and a half person-years of effort.
Furthermore, the cost of external auditing services increased 52% for public companies. Mid-sized companies with $200 million to $1 billion in revenue reported an 81% average increase.
“Sarbanes-Oxley compliance is a major undertaking,” said Kathleen Wilhide, compliance research director, IDC. “2004 was a baseline year for organizations to understand and execute on Sarbox section 404. Companies will now shift into sustainability mode, looking to optimize Sarbox processes through the use of technology and with an eye towards broader performance and risk management goals. While Sarbox 404 has been costly, the fact that organizations perceive real value in these efforts as they identify and remediate weaknesses is key.”
Where Risk Remains
When asked which financial processes present the most risk of restating financial results, approximately 40% of respondents selected revenue accounting—no other process received more than 15% as illustrated in Figure 3.
It is no surprise therefore to find that 83% of respondents from public companies indicated that in 2005 they plan to deploy or evaluate solutions for revenue accounting, billing, and/or financial consolidation—three areas that have a direct bearing on revenue reporting.
“All revenue related processes are under a high degree of scrutiny as a result of Sarbanes-Oxley,” said Gottfried Sehringer, executive editor of www.RevenueRecognition.com. “Having reliable internal controls in place with an audit trail for key revenue transactions, and the ability to fully document, analyze, report and forecast revenue is crucial to staying in compliance. With the costs of Sarbox compliance so high, it is encouraging to see that companies are seeing real benefits with improved processes and technologies.”
The survey was conducted during December 2004. In all, 220 high-ranking finance officials, including CFOs, controllers and vice presidents of finance, were surveyed.
posted by Brian Moran @ 9:02 AM