Risk & Compliance

Who’s in Charge of Sarbox Compliance?

Larger companies are split on whether to appoint a single Sarbox compliance officer; many smaller companies hand the task to the internal-audit dep...
Stephen TaubApril 27, 2004

Who’s minding the store when it comes to corporate compliance with the Sarbanes-Oxley Act?

The answer apparently depends on the size of the company, according to a new survey from Parson Consulting. While 25 percent of larger companies favor a single Sarbox compliance officer, another 25 percent believe the task should be spread across all senior management. Among smaller companies, 40 percent say their internal-audit departments should handle compliance. Across both segment sizes, 20 percent of respondents were undecided.

The two camps are split on other compliance-related issues, according to the consulting firm. For instance, larger companies rely on software more than smaller companies do when preparing to meet Sarbanes-Oxley Section 404 compliance deadlines.

Under Section 404, CFOs and chief executive officers must sign off on the effectiveness of their companies’ internal controls involving finance. After two Securities and Exchange Commission postponements, the provision is slated to go into effect in November.

According to the survey, one-third of larger companies view software as critical to 404 compliance, while only 21 percent of smaller companies think that. Indeed, 32 percent of smaller companies say they don’t plan to use software applications; in comparison, 11 percent of larger companies won’t go that route.

There were also marked differences in how companies plan to use the software. For instance, 72 percent of bigger companies that plan to use software are using them now, while 45 percent of smaller companies with such plans are employing them. That suggests that larger companies approach 404 compliance with a greater sense of urgency, Parson claims.

The survey also found that nearly half of larger companies have a narrow focus on 404 compliance, concentrating mainly on the financial-reporting process. That reflects the amount of resources required to address internal controls across the entire organization, Parson points out.

Smaller companies, however, are reviewing processes across the enterprise, according to the firm. Forty percent of those companies plan to use 404 compliance as a springboard to a review of controls involving financial reporting, operational practices, and information technology.

A total of about 100 senior finance and corporate governance professionals participated in the survey. Parson defines larger companies as those with a market capitalization of $1 billion or more, while smaller companies have a market cap ranging from $75 million to $1 billion.