What is a “Key” Control?
It still surprises me that, after nearly 5 years of SOX history, many organizations I encounter still struggle with the question - “what is a key control?”.
Sarbanes-Oxley requires the materially accurate reporting of financial results for publicly traded organizations. Consequently, the easiest way to identify which controls are key is to ask yourself - “does this control impact an account in the financial statements or a disclosure in the footnotes?”. For many of the controls identified by my clients the answer is “no”.
As an example, let’s examine a control which obviously impacts the financial statements - the bank reconciliation. When an individual performs the monthly bank reconciliation, they are utilizing an independent, third-party provided document to ensure the existence and accuracy (and probably completeness and cut-off) of transactions related to the Cash account. There is little doubt that every organization executes this control and that it is essential to the accuracy of reported financial results.
As a counterpoint, let’s consider a control encountered time and again in the Human Resources or Payroll cycles of large organizations throughout the U.S. - “Employee benefit requests and transactions are appropriately reviewed, approved, and validated to support”. In my estimation, this is not a key control for SOX purposes.
Although many have argued the point with me, I submit the following:
- How material is any amount related to these types of transactions at any point in time, especially at a quarter end?
- For balance sheet-related escrow/liability accounts, isn’t the periodic account reconciliation sufficient?
- For income statement-related expense accounts (employer 401k, employer portion of health insurance, etc.), any variance from actual would likely be identified during a fluctuation analysis - current to prior or current to budget or both.
My point is this - what might be “key” to a process may not necessarily be key when looking at the financial balance being evaluated because multiple cycles/processes likely impact that balance and a control in another process may be sufficient for management to make assertions about that balance. In short, sourcing the account/assertion intersection from the top-down to a sufficiently robust and precise control should enable management to avoid testing controls that may be important to a process, but less so for getting the reported balance materially correct.
Analyzing the cost-benefit of Sarbanes-Oxley
A significant body of academic research and opinion exists regarding the costs and benefits of SOX, with significant differences in conclusions. This is due in part to the difficulty of isolating the impact of SOX from other variables affecting the stock market and corporate earnings.[5] Conclusions from several of these studies and related criticism are summarized below:
- FEI Survey: Finance Executives International (FEI) provides an annual survey on SOX Section 404 costs. For 200 companies with average revenues of $6.8 billion, the average compliance costs were $2.9 million, down 23% from 2005. Costs for decentralized companies (i.e., those with multiple segments or large divisions) were more than twice those of centralized companies. Auditor costs did not decline. When asked whether the benefits of compliance with Section 404 have exceeded their costs, 22 percent, on average, agreed, with 78 percent saying instead that the costs have exceeded the benefits. 34 percent agreed that compliance with Section 404 has helped prevent or detect fraud.[6]
- Butler/Ribstein: Their book proposed a comprehensive overhaul or repeal of SOX and a variety of other reforms. For example, they indicate that investors could diversify their stock investments, efficiently managing the risk of a few catastrophic corporate failures, whether due to fraud or competition. However, if each company is required to spend a significant amount of money and resources on SOX compliance, this cost is borne across all publicly traded companies and therefore cannot be diversified away by the investor.[7]
- Institute of Internal Auditors (IIA): The research paper indicates that corporations have improved their internal controls and that financial statements are perceived to be more reliable.[8]
- Skaife/Collins/Kinney/Lefond: This research paper indicates that borrowing costs are lower for companies that improved their internal control, by between 50 and 150 basis points (.5 to 1.5 percentage points).[9]
- Zhang: This research paper estimated SOX compliance costs as high as $1.4 trillion, by measuring changes in market value around key SOX legislative “events.” This number is based on the assumption that SOX was the cause of related short-duration market value changes.[10] However, the S&P 500 index, a broad measure of U.S. stock value, increased 6% the day the law passed in Congress on July 24, 2002, and 1% the day after it was signed into law by President Bush on July 30. It then declined 7% in three trading days thereafter, regaining pre-signature levels by August 8.[11] Measuring short-term fluctuations in market value is an acknowledged drawback in this study. One could have easily argued a $1.4 trillion benefit, using the 7% increase leading up to the day after signature, rather than the following 3-day decline.
- Iliev: This research paper indicated that SOX 404 indeed led to conservative reported earnings, but also reduced — rightly or wrongly — stock valuations of small firms.[12] Lower earnings often cause the share price to decrease.
- The Lord & Benoit Report: Do the Benefits Exceed the Cost? It included a population of nearly 2,500 companies, which represented ALL of the calendar year accelerated filers. Lord & Benoit’s SOX research showed that companies with no material weaknesses in their internal controls, or companies who were able to identify and correct material weaknesses in a timely manner, experienced much greater increases in share prices than companies that did not.[13][14] The report indicated that the benefits to a compliant company in share price (10% above Russell 3000 index) were greater than their SOX Section 404 costs. Lord & Benoit, a SOX compliance company, issued the report on May 8, 2006. It was also published by the Wall Street Journal.
SOX 404 Compliance
While completing its first SOX attestation, one of the world’s largest biopharmaceutical outsourcing organizations, with operations throughout 43 countries in 56 locations and approximately 6,200 employees, knew that building and maintaining a Sarbanes-Oxley compliance program presented challenges — unearthing and solving the issues that stood in the way of compliance and managing the myriad of spreadsheets and documents that are needed for the task.
In 2005, the Company completed its first year of SOX primarily by performing the tasks in shared services centers in the United States, the United Kingdom and Germany. The Company identified over 1,000 key business controls; remediated and re-tested several hundred key controls and implemented a document control process; tracked remediation; and then tested and re-tested its program.
About
Ever since its first year of required compliance in 2004, Sarbanes-Oxley, and Section 404 in particular, has been criticized for the excessive cost and disruption it created for companies. The public debate about whether it’s been worth the effort has at times reached a fever pitch, as recently noted by the former Chairman of the SEC, Harvey Pitt[1], “As costs mounted, and auditors became defensive in their audits of internal control, a crescendo of criticism and despair arose, ultimately persuading the PCAOB and the SEC to revisit their prior guidance to make the beneficial purposes of the SOX 404 more obtainable, with lower costs and more focused efforts”. In this regard, certain statements from both the SEC and PCAOB December releases especially stand out[2]. At the same time, greater use of a risk based approach seems to reflect a return to the original principles of SOX and certainly of the COSO Framework.
[1] Compliance Week, March 2007 issue
[2] SEC Release # 33-8762, 34-54976 (12/15/06) and PCAOB Release # 2006-007 (12/19/06)
About the Author
Christopher D. Coigne CPA, CIA, CFE is the Senior Manager of Client Services and Product Development for BI International. For the past 5 years Chris has worked extensively with organizations seeking compliance with Sarbanes-Oxley (SOX). He has performed materiality planning and risk assessments, led facilitated control discussions, participated in client SOX Project Management Organizations, and overseen global control testing. Other projects have included managing outsourced Internal Audit activities, performing forensic and fraud investigations to aid in management’s deterrence and detection of fraud, and working to develop a web-based SOX and Internal Audit tool.
A graduate of Rowan University, Christopher’s experience includes public accounting financial audits, controllership in the insurance industry, internal audit management at Philadelphia-based ARAMARK, and consulting work for a variety of global organizations including McDonald’s, Sony, ING and Waste Management.


