Complying with Sarbanes-Oxley: Are We There Yet?

What do you think about this article? Rate it using the stars above and let us know what you think in the comments below.

Sarbanes-Oxley (SOX) — the mere mention of it invokes painful memories of the investors involved in the Enron, Worldcom, and Tyco debacles. These scandals lost investors billions of dollars when the share prices of the affected companies fell into tailspins, resulting in a drastic loss in public confidence. The scandals also raised serious questions about corporate governance, financial disclosures, and the adequacy and enforcement of regulatory requirements. The outcome of all these events was the enactment of the Sarbanes-Oxley Act in 2002.

The need for a strict regulatory environment is not limited to the U.S. The French are considering whether corporate governance provisions in MiFID, similar to those mandated by SOX, could really prevent the likes of the recent Societe Generale debacle. Meanwhile, Japan's own ICFR (nicknamed JSOX) will come into effect for all publicly listed companies in April 2008.

Now that SOX is a reality and the memory of investors continues to fade, SEC fines have actually come down over the years, even as companies continue to navigate the legal quagmire: Morgan Stanley claims to have lost emails in the 9/11 terror attack that would have settled arbitration cases out-of-court, while Nortel Networks continues to inflate its balance sheet.

The costs are real:

“The one thing we know about the effects of Sarbanes-Oxley is that it produced much more cost, paperwork, and bureaucracy than anybody intended or anybody thought, and the thing to remember is that cost is always paid by investors. That's, by definition, bad for investors if costs are greater than benefits. But even if costs are just a lot more than they need to be, that, by definition, is bad for investors, and that's all in spite of the idea that this is supposedly protecting investors.”

- Alex Pollock, American Enterprise Institute

SOX forces an organization to reinforce its risk management and decision making capabilities, basing them on credible financial reporting. Forcing a system of checks and balances has marginally added to the bureaucracy within the organizations today. In order to negate its affect on the organizations operational efficiency, enterprise systems have been modified to reduce the probability of human error by incorporating automated checks in the systems themselves. Hence, the focus of auditing the organization, which was limited to employees and processes, must now include enterprise systems as well.

The benefits are apparent:

“The companies last year that had many of these numerous restatements, many of the weaknesses in their controls significantly underperformed the market 15 to 20%.”

- Lynn Turner, (former) Chief Accountant of the SEC

SOX increases the financial responsibility of all publicly listed companies by mandating tight control over data used in financial reports. The quality of financial data is assured through risk-based auditing as opposed to the sampling methods previously in vogue. The given organization maps the control points where risks due to inaccurate data are very high, and greater amounts of control are exercised at those control points. AS 5 (Auditing Standard #5) already provides good support for achieving the goals set out by SOX.

Not all the organizations took SOX on the chin; some simply chose to move away and get listed in London where the regulatory compliance requirements worked out to be cheaper.

Some companies chose to sell out to private firms and delist from US stock exchanges. Some of those left are questioning the credibility of the external auditors, with the likes of E&Y and Deloitte & Touche regularly failing to keep their customer's data confidential, exposing these organizations to non-compliance with one regulatory requirement (Data Privacy) while fulfilling another regulatory requirement (Sarbanes-Oxley).

Key Provisions for SOX Compliance

SOX contains 11 titles that describe specific mandates and requirements for financial reporting. The SOX Act aims at tightening controls in order to meet a wide array of objectives including the prevention of insider trading, higher transparency in financial disclosures, and the removal of conflicting interests in auditing and lending.

SOX Section 302: Internal Control Certifications

Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosures. The officers responsible for the proper enforcement of the internal controls should classify themselves accordingly. They must also certify the efficacy of internal controls with regard to the transparency and availability of the accurate data. Simply translated, this holds an individual (an actual person) responsible, rather than a company (a legal person).

SOX Section 404: Assessment of Internal Control

Section 404 requires the management and the auditor to submit an assessment report of the internal controls and certify the adequacy of the company's internal control over financial reporting. Sec 404 requires a significant compliance effort and a review of the financial accounting in its entirety. The entire system needs to be checked for any potential misrepresentations and frauds, and each control point needs to be validated in relation to the same. Simply put, this ties the responsibility of meeting the regulatory compliance with an actual, individual person.

Lessons Learned, the Hard Way

Costs will go down: as a result of the learning curve, organizations will benefit from implementing mature practices like COSO in financial reporting. Enterprise systems will benefit from process maturity practices like CMMI — the key thing being change management in their enterprise systems. Apart from the initial sunk costs in SOX compliance, prudent management will not have to take any further significant hits on its bottom line.

External audits will become a breeze: as a direct result of tighter internal control and increases in the efficiency of internal audits, the time and resource productivity in these areas will go up.

The quality of management decisions will improve: executive management will have access to a better quality data for basing their decisions upon.

Overall risk management will improve: the overall risk management for an organization will improve. Executive management can make everyday decisions with a far greater confidence level than previously possible.

Compliance: The Continuing Challenges for Organizations

The burden of regulatory compliance is only increasing, with new regulations being enforced frequently. On average, a publicly listed company in the U.S. will have to manage somewhere between six and10 federal and state regulatory compliance programs. Executive management is thus left pondering ways to ensure due diligence even as systems are being constantly changed to comply with the regulatory changes. The answer lies in continuous testing and integration of every change that the regulatory authorities dictate to the enterprise systems.

Continuous testing and integration of enterprise systems brings its own challenges to the mix, namely, complexity, increased costs, and expanding timelines. With numerous frequent changes to the enterprise systems, documentation of systems is often ignored leading to a gap between the controls forced upon the enterprise systems and their efficacy.

The Importance of Testing

Testing (software quality assurance) is akin to auditing and provides a similar value to the organization — confidence in their enterprise systems. Third-party testing offers an added advantage akin to that of external auditing and due diligence. Ask yourselves this: since the last change to my ERP, are the controls still working 100%? If the answer is “yes,” then where is the document that supports the assertion? Is that document from a credible source? Is that source free from conflict-of-interest issues? The approaches suggested in following the section help make this a reality.

Strategy for Approaching Enterprise Applications

Separate the development and testing resources (infrastructure, people, and processes): this is easily achieved by separating the vendors for software development and software quality assurance processes. Third-party testing offers a necessary system of checks and balances on the software used on enterprise systems.

Documentation: as with any quality process, documentation is essential. What’s even more important is to verify and validate the documentation in existence periodically. Use the checks and balances to your advantage: make the testing teams rely heavily on documentation and very minimally on hand holding from development. This will protect the organization from inefficient practices being followed by their software services vendor.

Disclosure: disclose the inefficiencies in any enterprise system and the plan to overcome them on a periodic basis. Timely disclosure can help protect the organization and its business partners.

Take advantage of outsourcing to crunch time-to-market: it’s possible to have development and testing in different time zones. The positive side effect of the above is the ability to have a round-the-clock develop-test feedback cycle. If a large system integration project would have normally taken 15 months, it may be possible in eight months. It’s complicated, sure, but certainly possible.

Set the standards high: make it a requirement for the enterprise service vendors (development, testing, and maintenance) to follow process maturity practices and to provide you with higher visibility into their processes.

Use automated test suites: automating the routine test cases can further help crunch the time-to-market by reducing the time spent in verification. It becomes cheaper in terms of time and effort to judge the state of a system under development or maintenance.

In Conclusion

SOX compliance has proven to be a major challenge for companies in view of the significant effort and costs involved. Section 404, which requires management to certify the internal controls in place, requires a significant effort on an ongoing basis. However, the availability of an established independent testing process can greatly reduce the effort and costs involved in achieving SOX compliance, while at the same time enabling an organization to meet any future regulatory changes in a fast and confident manner.

About the Author

Neekhil Kumar Singh is an associate business analyst for AppLabs, the world’s largest independent testing, quality management, and certification solutions company. His interests include following technological changes in the financial services landscape.

For more information about AppLabs please email or visit

If this article has helped you in some way, will you say thanks by sharing it through a share, like, a link, or an email to someone you think would appreciate the reference.

Popular tags:

 managers  external auditors  Sarbanes-Oxley  benefits  methods  spite  environments  SOX Act  objectives  Tyco

By using Employment Crossing, I was able to find a job that I was qualified for and a place that I wanted to work at.
Madison Currin - Greenville, NC
  • All we do is research jobs.
  • Our team of researchers, programmers, and analysts find you jobs from over 1,000 career pages and other sources
  • Our members get more interviews and jobs than people who use "public job boards"
Shoot for the moon. Even if you miss it, you will land among the stars.
ComplianceCrossing - #1 Job Aggregation and Private Job-Opening Research Service — The Most Quality Jobs Anywhere
ComplianceCrossing is the first job consolidation service in the employment industry to seek to include every job that exists in the world.
Copyright © 2024 ComplianceCrossing - All rights reserved. 169