A recent study on the costs of Section 404 compliance for small companies was woefully understated, observers agree.
Alix Stuart, CFO.com | US
January 29, 2008
In my experience of doing SOX compliance work since Fall 2002 for both large and small companies, Anne Westfall's comment is on target. Much of what has been labeled as SOX compliance costs is little more than companies finally doing the work they should have been doing all along in establishing, documenting, and maintaining internal controls. Effective internal control systems have been included in SEC regs for public companies for at least 30 years. First encounter I had with the requirement was after the early and mid 1970's financial statement frauds that led to what were then viewed by companies as excessive regulatory requirements related to disclosures and controls. Compliance under AS2 was definitely a cost problem because external auditors were generally able to demand that companies provide internal control system and management testing documentation in certain forms for use in SOX control audits. Plus, the fixed % of accounts value coverage requirement resulted in full testing of areas that would likely have been defined as very low risk under a risk-based approach, such as AS5. However, even under AS2, a portion of the documentation costs were due to companies not having kept their internal control system documentation up to date, not because of any new regulatory requirement. Under AS5, where auditors must use any internal control system documentation that the client has that is adequate to identify internal controls for audit purposes, there is no company that should be incurring any significant SOX compliance costs except in the following situations: 1) The company has not met the existing SEC requirements to have an effective system of internal controls. 2) The company has not documented its system of internal controls in any form at all, not even by having an adequate policy & procedure manual that has been kept up to date. 3) Management of the company has not done anything to monitor internal controls to ensure that they are being performed effectively. If the above 3 conditions exist, then the company's additional costs are not SOX compliance. Any new costs are for doing what should have been done already. SOX does not require any specific internal control procedure to exist. It only requires that the existing internal controls be documented and monitored/tested for effectiveness. Having previously held controller positions, that seems more like a normal business management responsibility. If you are working at a small cap company that has decent internal controls that are documented in some reasonable form and are monitored by management, then your SOX compliance costs should be minimal. Basically having someone upgrade your documentation to flag key controls and ensure that those are properly described so that you can test them properly. If not, SOX shouldn't be blamed for the company needing to finally do what should have been done all along.
Posted by Richard Archer | February 03, 2010 10:33 am
My experience has been that much of the cost associated with 404 compliance are for other, necessary, functions. As a provider of outsourced Internal Audit, I have seen expenses labled "Sarbanes Oxley" for consulting services such as employee manuals, operating manuals for newly established divisions, and basic internal audit functions. Many public companies still operate with no formal Internal Audit department. To be compliant with 404, it was necessary to outsource this function. These expenses are labled "Sarbanes Oxley". It is rediculous that any public company should be operating in today's atmosphere with no designated Internal Audit function...with or without Sarbanes Oxley. Even more rediculous was one particular CEO who proclaimed on CNBC that items "like Sarbanes Oxley" cost his company more than his salary. His salary is in the mid 8 figures. This was a blatent lie.
Posted by Anne Westfall | February 06, 2008 03:54 pm
I believe the author of the article, Alix Stuart, and the RAND Corporation are right: only time will tell if the heavily extrapolated and wide ranging Sarbox estimates for small co's in particular - which don't have as much experience behind them nor hard quotes from auditors - are in the ballpark or out of the park. We comment further on this article in our FEI blog post Feb 1, the day the SEC announced it is formally proposing a delay of Sarbox 404(b) for small co's while it conducts its own study of the 'real world' cost-benefit of reporting under the latest SEC & PCAOB 404 guidance; you can read more at http://www.financialexecutives.org/blog
Posted by Edith Orenstein | February 05, 2008 02:37 pm© CFO Publishing Corporation 2009. All rights reserved.