SOX 404 Compliance

Sarbanes Oxley Sections 302 and 404

Analyzing the cost-benefit of Sarbanes-Oxley

A significant body of academic research and opinion exists regarding the costs and benefits of SOX, with significant differences in conclusions. This is due in part to the difficulty of isolating the impact of SOX from other variables affecting the stock market and corporate earnings.[5] Conclusions from several of these studies and related criticism are summarized below:

  • FEI Survey: Finance Executives International (FEI) provides an annual survey on SOX Section 404 costs. For 200 companies with average revenues of $6.8 billion, the average compliance costs were $2.9 million, down 23% from 2005. Costs for decentralized companies (i.e., those with multiple segments or large divisions) were more than twice those of centralized companies. Auditor costs did not decline. When asked whether the benefits of compliance with Section 404 have exceeded their costs, 22 percent, on average, agreed, with 78 percent saying instead that the costs have exceeded the benefits. 34 percent agreed that compliance with Section 404 has helped prevent or detect fraud.[6]
  • Butler/Ribstein: Their book proposed a comprehensive overhaul or repeal of SOX and a variety of other reforms. For example, they indicate that investors could diversify their stock investments, efficiently managing the risk of a few catastrophic corporate failures, whether due to fraud or competition. However, if each company is required to spend a significant amount of money and resources on SOX compliance, this cost is borne across all publicly traded companies and therefore cannot be diversified away by the investor.[7]
  • Institute of Internal Auditors (IIA): The research paper indicates that corporations have improved their internal controls and that financial statements are perceived to be more reliable.[8]
  • Skaife/Collins/Kinney/Lefond: This research paper indicates that borrowing costs are lower for companies that improved their internal control, by between 50 and 150 basis points (.5 to 1.5 percentage points).[9]
  • Zhang: This research paper estimated SOX compliance costs as high as $1.4 trillion, by measuring changes in market value around key SOX legislative “events.” This number is based on the assumption that SOX was the cause of related short-duration market value changes.[10] However, the S&P 500 index, a broad measure of U.S. stock value, increased 6% the day the law passed in Congress on July 24, 2002, and 1% the day after it was signed into law by President Bush on July 30. It then declined 7% in three trading days thereafter, regaining pre-signature levels by August 8.[11] Measuring short-term fluctuations in market value is an acknowledged drawback in this study. One could have easily argued a $1.4 trillion benefit, using the 7% increase leading up to the day after signature, rather than the following 3-day decline.
  • Iliev: This research paper indicated that SOX 404 indeed led to conservative reported earnings, but also reduced — rightly or wrongly — stock valuations of small firms.[12] Lower earnings often cause the share price to decrease.
  • The Lord & Benoit Report: Do the Benefits Exceed the Cost? It included a population of nearly 2,500 companies, which represented ALL of the calendar-year accelerated filers. Lord & Benoit’s SOX research showed that companies with no material weaknesses in their internal controls, or companies that were able to identify and correct material weaknesses in a timely manner, experienced much greater increases in share prices than companies that did not.[13][14] The report indicated that the benefits to a compliant company in share price (10% above the Russell 3000 index) were greater than its SOX Section 404 costs. Lord & Benoit, a SOX compliance company, issued the report on May 8, 2006. It was also published by the Wall Street Journal.

May 14, 2008 Posted by Nick | SOX 404 & 302, compliance, sarbanes oxley | 1 Comment

ERM: A Pragmatic Bottom-Up Approach (to Parallel the Top-Down)

Recent regulatory trends such as Basel II for financial services and Sarbanes-Oxley (SOX) for publicly traded companies have heightened the importance of better enterprise risk management (ERM). So have trends like globalization, integrated financial markets, the knowledge economy, and political uncertainty. Today, more than ever, how well you take and manage risks affects your cost of capital.

And yet, with the exception of industries such as banking and insurance, many companies find the notion of ERM foreign and difficult to implement. The complexity of ERM at every level is daunting:

» How will you determine the universe of all your risks?
» How will you perform an assessment to prioritize which ones are most important?
» How will you design a system of controls that effectively mitigate the risk?
» How will you make sure the controls are working or your risks are at acceptable levels?
» How will you integrate all of this into the daily functioning of the business?

Change Is the Challenge

Anyone who has tried to initiate and gain adoption for an enterprise-wide program, such as Enterprise or Corporate Performance Management, knows that a key reason for failure is change. A fundamental challenge in implementing ERM is the ability to “sell” and “manage” the necessary change in behavior across the entire organization. Managing risk, like managing cost or revenue, cannot be done from the top alone— it must be “owned” by those closest to its occurrence, i.e. the process owners on the front line, where managing risk must become just another part of their job. This paper lays out a pragmatic approach for addressing the challenge of change and establishing successful ERM through a series of bottom-up steps that build on existing functional capabilities. These should not be seen as replacing a top-down approach. They should be seen as acting in parallel, in an iterative, mutually re-adjusting and reinforcing manner.

SOX provides a great starting point for a bottom-up approach. When structured properly, the major investment in SOX compliance can now finally yield value far beyond an auditor’s attestation. The Internal Audit and IT departments can then integrate and build on this investment, each bringing longstanding experience in identifying and mitigating risk. Lastly, each Line of Business and its respective business functions also manage risk, which can be incorporated with the others under one clear mapping. The five bottom-up steps below offer a simple, practical path that ensures you get to this single viewpoint and that your ERM efforts are successful, by leveraging existing strengths and gaining “ownership” from the front line.

STEP 1
Use Your 404 Documentation to Create a Common Map
Section 404 of the Sarbanes-Oxley legislation created a single, consistent, and broad definition of the enterprise, in contrast to existing financial, operational, HR, or legal definitions. Those definitions served a narrower purpose and were therefore neither as comprehensive nor, usually, as consistent. Until SOX, there was no “Rosetta Stone” to provide a common, universally applicable map of the business in terms of organizational entities, transaction processes, systems, people, risks, and their overall relationship to financial accounts. A common map is the foundation for identifying risks in a consistent manner across the enterprise. It also ensures alignment across different regulatory environments, risk types, and the process owners who may have to address them.

STEP 2
Build on Your Top-Down, Bottom-Up Risk Assessment
The new SEC guidelines and the PCAOB’s Auditing Standard No. 5 have heightened awareness of an integrated top-down and bottom-up risk assessment approach to SOX. The opportunity is to rationalize the number of key controls required and streamline their testing based on relative risk. Besides the efficiency gains this yields in compliance itself, it creates a precedent for how to define risks hierarchically and so be able to “cascade” and target your efforts where they are most valuable, i.e. where “top-level” assessments can be made based on consolidated views of risk and pushed “down” to lower levels of assessment, monitoring, and action.

STEP 3
Extend and Integrate With Internal Audit
Internal Audit is the next practical step in providing a foundation for an enterprise-wide view of risks. Internal Auditors have built up a history of assessing operational, financial, and compliance risks across the enterprise in order to prioritize and plan annual audits. These risks and audits share the same core elements of the map— companies, locations, and processes. Of course, the shared Audit Universe created by integrating SOX with IA will also result in greater resource efficiencies and speed.

STEP 4
Align With IT Governance Practices
Sarbanes-Oxley requirements highlighted many existing good governance practices in IT, notably those represented by the COBIT framework. Beyond the general computer and application-level controls required for SOX, IT manages multiple risks on a daily basis, such as Business Continuity Planning, Disaster Recovery, and management of business-critical projects, to name a few; these typically can all fit into the structure in the same way as the SOX IT controls already have.

STEP 5
Engage and Leverage Your Process Owners and LOBs
The upfront disruption SOX had on process owners enlisted to create documentation, identify controls, provide self-assessments, and perform tests has largely been reduced. Initially overwhelmed in terms of both the time and the learning curve required, many process owners are now far more aware of financial misstatement risks within their areas. This “culture” of managing risk locally is a valuable asset, onto which new types of risks can be layered using the same risk culture and framework. Finally, risk management is more than tracking and assessing threats. When risks are tracked against a common map of the business, it is easier to establish the relationship between business performance and risk, like flip sides of the same coin. How these risks are managed is critical to sustaining the goals in revenue growth, expense management, and long-term investment.

The Right Information Is Critical
Underlying each of these steps is the need for a single, integrated view of enterprise-wide risks that is aligned with and supports each of the functional constituencies above. Furthermore, the nature of this information requires a fairly complex structure to effectively capture the flexible hierarchies and many-to-many relationships it must convey, e.g. risks need to be dynamically categorized, assessed, and tracked by different “families” and “types” and associated with more than one location, process, activity, event, person, system, and more. Such complexity is best addressed when the information source is based on business intelligence design, because if the information is captured correctly, the job of slicing and dicing out what you need, when you need it, becomes a much more straightforward task that can be handled by your people and delivered into your culture in a much more expedient and powerful way.

Roland Mosimann, CEO and co-founder of Business Intelligence International, is an industry pioneer in helping drive initiatives around risk and performance management that are anchored in business intelligence design. In 2004, he drove the launch of the Aline™ platform for on-demand Governance, Risk, and Compliance. He recently coauthored The Performance Manager: Proven Strategies for Turning Information into Higher Business Performance, itself a follow-up to his earlier book The Multidimensional Manager — 24 Ways to Impact Your Bottom Line in 90 Days, with more than 400,000 copies printed that remain in use by organizations worldwide today.

About Business Intelligence International (BII): Business Intelligence International (BI International) is a global software and consulting company specializing in the development of Web-based business intelligence solutions to provide GRC +P functionality to companies of all sizes. Since 1996, BI International has provided robust, flexible, and secure solutions to enable customers worldwide to cost-effectively manage their compliance, risk, and performance initiatives. Leveraging its Aline™ Software as a Service (SaaS) platform, BI International offers a suite of affordable yet powerful and easy-to-use tools that provide a single business intelligence-designed repository of information along with integrated analytics and standard reporting. This allows clients to gain real-time visibility to critical information to identify key issues and drive critical decision making. Visit www.aline4value.com for more information.

April 28, 2008 Posted by Nick | ERM | No Comments

SOX 404 Compliance

While completing its first SOX attestation, one of the world’s largest biopharmaceutical outsourcing organizations, with operations throughout 43 countries in 56 locations and approximately 6,200 employees, knew that building and maintaining a Sarbanes-Oxley compliance program presented challenges — unearthing and solving the issues that stood in the way of compliance, and managing the myriad spreadsheets and documents needed for the task.

In 2005, the Company completed its first year of SOX primarily by performing the tasks in shared services centers in the United States, the United Kingdom and Germany. The Company identified over 1,000 key business controls; remediated and re-tested several hundred key controls; implemented a document control process; tracked remediation; and then tested and re-tested its program.

The Company passed the first year of SOX compliance, but at what cost? Approximately 25,000 internal and external labor hours were needed, and several million dollars were invested. The Company knew it needed to find a better way.
April 28, 2008 Posted by Nick | SOX 404 & 302, sarbanes oxley | 1 Comment