
Happy Birthday, Sarbox!

With compliance costs moderating for bigger companies, the four-year-old Sarbanes-Oxley Act is starting to seem like less of a terror than it used ...
David Katz, July 28, 2006

When the Sarbanes-Oxley Act came squalling into existence on July 30, 2002, it was widely viewed as an unruly baby, spawning humongous costs and heavy compliance burdens for Corporate America. Now, on its fourth birthday, the law is being viewed in some circles as an amiable child — still difficult in some respects, it’s true, but certainly manageable.

John Hagerty, a vice president and analyst at AMR Research Inc. in Boston who has done a good deal of number-crunching on Sarbox-related compliance costs, prefers a different metaphor. The evolution in many companies’ responses to Sarbox, he says, resembles the stages in the way people react to a death: first shock and anger, then acceptance, and finally a sense of moving on.

Now the corporate response resembles a “kind of a maturity,” a recognition “that this is here to stay,” says Hagerty. A measure of the ripening is that foreign issuers, which as of July 15 became the last group to start complying with the act’s internal-controls provisions, are shedding the shock and anger phase, according to the researcher.

That’s because the foreign issuers can learn from the mistakes of their forebears and avoid past compliance excesses and their attendant costs. In 2003 and 2004, in a common corporate response to Sarbox, “a kind of a total blanket was put over the entire business,” recalls Hagerty. Companies ventured far from just focusing on assessing the controls of their core financial processes, he adds, noting that he’s heard of some “going into the bowels of their supply chains, checking whether every process had appropriate controls.” Others probed every possible information-technology configuration for glitches.

Things, in short, had gone too far. At that point — in the spring of 2005 — the Public Company Accounting Oversight Board issued guidance calling on auditors to use a “risk-based” approach in their assessments of their clients’ internal-controls compliance efforts.

By steering auditors away from exhaustive checking to a more focused method, the board helped cool down the frenetic compliance efforts of Sarbox’s early years, according to Hagerty. “The scope’s gotten narrower and narrower, and advice from auditors and regulators has gotten more specific,” he says.

As a result, the expense of adhering to the act has been moderating of late. In a survey of 325 business leaders and IT professionals, AMR found that Sarbox-related compliance costs went from $5.5 billion in 2004 to $6.1 billion in 2005 to $6 billion this year. Hagerty expects that figure to start a gradual but definite descent in 2007.

To be sure, small companies — still smarting from the decision by Christopher Cox, chairman of the Securities and Exchange Commission, to make no distinction between them and their larger brethren in terms of internal-controls compliance — aren’t likely to see their costs go down much, says Hagerty. Lacking the staffs of larger companies, smaller ones will have to continue outsourcing a large bulk of their efforts, according to the researcher.

Executives at bigger companies, though, have found that the act has pushed them to strip away redundant data and thus avoid excessive checking of it. “They saw they had many ways to do the same things, [such as] six different ways to book an order,” says Hagerty. “They took what they did and reautomated it,” simplifying their business in the process. At those companies, the Sarbox baby seems likely to be sleeping a bit more soundly.