Tuesday, February 15, 2005
SOX: Measuring the Costs and Searching for Tangible Benefits
By Patrick Taylor
After spending millions in 2004 to comply with the first phase of Sarbanes-Oxley (SOX), compliance officers and financial executives should evaluate their return on compliance. While the tangible benefits may be difficult to value today, most financial executives (57%) describe their company's SOX compliance as a good investment for stockholders, and 70% say they have stronger internal controls after complying with the law, according to the 2004 Oversight Systems Financial Executive Report On Sarbanes-Oxley Compliance.
About the Report
Through a combination of an invitation-only online survey and survey intercepts, 222 corporate financial leaders from across the U.S. participated in this study. Titles of those surveyed included CFO, controller, treasurer, vice president and director. Of the sample, 25% were in companies with more than $5 billion in annual revenues, 23% with revenues from $1 billion to $5 billion, 22% between $251 million and $999 million, and 30% with revenues of $250 million or less.
While still cataloguing the costs and difficulty of compliance, executives can identify the benefits they've achieved through their compliance efforts. The Sarbanes-Oxley legislation is far from perfect, but the survey shows that the law -- despite its costs and burdens -- has achieved at least one of its intended goals: to strengthen internal controls.
According to the survey, 16% of executives say their controls were already documented and sufficient for SOX compliance, 24% say their controls were in place but now have been fully documented, 18% say they've implemented more manual controls, 8% say they've implemented more systems-based controls, and 33% say they've implemented more manual and systems-based controls.
Nearly three-quarters (74%) say their companies realized a benefit from SOX compliance. When asked to identify the benefits from SOX, the Oversight Systems' survey reports that:
46% say SOX compliance ensures the accountability of individuals involved in financial reports and operations
33% say SOX compliance decreases the risk of financial fraud
31% say they have reduced errors in their financial operations
27% say SOX improvements in the accuracy of financial reports
25% say SOX compliance empowers the board audit committee by providing it with deeper information, and
20% say SOX strengthens investors' views of the company.
Tangible Costs and Perceived Benefits
As for the costs and work required in complying with Sarbanes-Oxley, 54% of financial executives surveyed in the Oversight report say they spent more than originally projected, and 63% describe their SOX compliance as "difficult" or "very difficult."
Many of those surveyed -- 37% -- say SOX increased shareholder value because investors know they operate as an ethical business, and 25% report that SOX boosts shareholder value by building overall confidence in the market. However, 33% say SOX compliance created a cost burden that suppresses stock prices, and 14% feel that SOX decreased their ability to pay out dividends because compliance expenses are a significant drain on earnings. (Respondents could select all that applied).
The negative reaction to SOX is understandable because the hard costs of compliance are easy to quantify - thousands of staff hours for controls documentation, increased audit fees, dozens of new internal auditors on the payroll and the ongoing testing of internal controls. As companies report their earnings, most reference SOX as a primary driver of increased operations costs.
However, the benefits of compliance are much harder to value in hard currency. In reality, preventing financial statement fraud or even preventing a restatement of earnings from an error protects billions of dollars of shareholder value.
The survey also shows other benefits of the law - how financial executives view SOX's effect on their own investments. Forty-four percent say "as an individual investor, SOX disclosures and compliance requirements allow you make better investment decisions or feel more confident in investments in public companies." Interestingly, 11% say they do not purchase stock in public companies, and 45% say SOX has no impact on their investment decisions or investor confidence.
Ongoing Compliance Costs and Controls Testing
Financial executives are more divided on their projected costs of SOX compliance for 2005 and their approach to ongoing compliance with Section 404 of the law that requires testing and reporting on the effectiveness of internal controls. The survey reports that:
26% say year-two compliance costs will total between 50% and 74% of first-year costs;
¥5% say year-two compliance costs will total between 25% and 49% of first-year costs;
17% say year-two compliance costs will total less than 25% of first-year costs;
16% say year-two compliance costs will total about the same as first-year costs;
12% say year-two compliance costs will total between 75% and 99% of first-year costs, and
3% say year-two compliance costs will be more than first-year costs.
The Oversight survey showed wide variation in the frequency of testing and monitoring of internal controls, where 38% say once a quarter, 23% say continuously as transaction are processed, 22% say monthly, 10% say weekly and 7% say daily.
This lack of a consensus on controls testing is most likely a result of the exhaustive work required in the first phase of SOX 404 compliance -- documentation. After spending 2004 to document their controls, executives are just now evaluating how they will address this recurring demand of the law.
However, ongoing costs of SOX compliance remain high because many companies will still rely on manual testing. When asked how they intend to monitor and test their internal controls, the Oversight survey showed that:
51% will run manual tests by independent observers, such as internal auditors or compliance consultants;
48% will rely on a control self-assessment program;
35% will utilize reports and monitoring features within financial applications such as SAP, Oracle, etc.;
34% say Internal auditors will test historical transactions for control violations with audit software; and
25% will implement a technology solution to continuously monitor key controls and transactions. (Participants could check more than one answer.)
Minimum SOX compliance demands at least quarterly testing of controls, and many executives may think they are reducing their ongoing compliance costs by simply shooting for the minimum. To these executives, continuous monitoring may sound expensive. However, technology solutions that continuously monitor the effectiveness of controls can actually reduce the costs of compliance by automating some of the manual work of internal auditors or SOX consultants.
A quarter of those surveyed (25%) say they plan to implement a technology solution to continuously monitor key controls and transactions to maintain SOX 404 compliance. However, we should expect this number to rise in the next 2 years as companies develop their plans for ongoing compliance.
As companies move toward continuous monitoring, the benefits of compliance should also expand. The initial cost saving from automated controls testing should also lead to a secondary savings by identifying and correcting control deficiencies before they become a "material weakness" as determined by external auditors. Essentially, executives can correct a problem when only two or three transactions are affected instead of testing at the end of the quarter when the same problem could cause a few hundred exceptions.
Continuous monitoring of controls for Sarbanes-Oxley compliance can produce other direct benefits from improving financial operations and reducing transaction errors in corporate expenditures, revenue and financial reporting. This concept borrows the idea of Six Sigma to continually strive to improve the business process by measuring and analyzing activity.
Active Audit Committees
While financial executives are divided on ongoing costs and controls testing, most are experiencing increased involvement from their board audit committees. Forty-five percent describe their board audit committee's involvement with SOX compliance as "active," and 19% say "highly active and interested in the details of our efforts."
The survey shows that SOX has compelled audit committee members who have not been as active have increased their involvement. While many are motivated by their own accountability, audit committee members should look to encompass the best practices of corporate governance.
As part of the survey, respondents were also asked to define their feelings toward SOX legislation. Of the group, 52% say Congress had good intentions when it passed SOX, but the costs of compliance were not fully considered. Thirty-eight percent say SOX was Congress's over-reaction to the unethical behavior of a few executives, and 28% say the market requires regulations like SOX to boost investor confidence in the market's integrity. Only 13% say the benefits of SOX outweigh the costs of complying, while 25% say the costs of complying with SOX outweigh the benefits. (Respondents could select all that applied).
With this mindset, it's no surprise that 81% of financial executives say Congress needs to revisit Sarbanes-Oxley. However, when asked about the most demanding sections of the law, an overwhelming majority say that if they were members of Congress, they would include those sections in the law. In regard to Section 302 that requires CFOs and CEOs to sign off on financial reports, 87% say they would include this section. In regard to Section 404 that requires the documentation, monitoring, reporting and attestation of internal controls, 75% say they would include this section. And 85% would include Section 409, which requires the timely disclosure of material changes that affect financial conditions or operations.
Other interesting data points show that 31% of financial executives say that more than 50% of their financial department professionals hold financial certifications (such as CMA, CFM, CIA, CPA, etc.) from an organization with enforceable ethical codes. When asked how many full-time employees are dedicated to SOX compliance, 18% said more than 15, and 37% report that they spend more time with their CEO as a result of SOX compliance.
After complying with the first year of Sarbanes-Oxley's demands, many finance and audit departments may be quick to celebrate their accomplishments or -- more likely -- to suffer from extreme burn out. However, financial executives should understand the ongoing requirements for compliance. Instead of repeating the same fire drill exercise for 2004 compliance, companies should look toward investments that derive real business value from the value process. And after spending millions to comply with the law, executives should evaluate their return on compliance. This survey shows that forward-thinking businesses are realizing valuable benefits. While the costs of compliance can squeeze any organization, the best-run companies will make SOX work for their businesses.
posted by Brian Moran @ 3:24 PM