Making the Most of Life after SOX
It’s been four years since the first accelerated filers were required to achieve compliance with Sarbanes-Oxley, but that doesn’t mean that all their SOX challenges are behind them. For many public companies, they’ve merely shifted to bringing costs down while continuing to refine their compliance processes.
The good news is that, based on one recent survey, the battle is at least partially won.
The seventh annual SOX compliance survey by Financial Executives International (FEI) found that compliance costs continue to decline. In particular, declines were seen in compliance-related costs that were under companies’ direct control, such as internal and external people hours and auditor attestation fees.
“The majority of respondents reported Section 404 work, and work to prepare the annual audit is now more integrated, with auditors using a more risk-based approach to 404 adoption,” said FEI President and CEO Michael P. Cangemi.
Companies also reported an increased use of judgment by auditors versus the “check box” approach and greater external auditor reliance on the work of others.
Many of the improvements that resulted in reduced compliance costs for accelerated filers can be traced back to the acclimation of SOX requirements into corporate culture and business processes. Once the necessary adjustments were made, companies were able to turn their attention toward improving compliance processes.
“Process owners needed to take ownership of the control activities; they had to understand what compliance was and that they were the group charged with verifying it. As time wore on, they made SOX compliance part of their business process instead of separate from it,” said Paul Finney, Vice President, Internal Assurance Services, Kforce Inc.
Once that integration of compliance into business processes took place, the firm began realizing some of the benefits associated with SOX compliance, particularly in the areas of application security and financial reporting.
“Those are two examples of areas where we became more consistent with documenting management review,” said Finney, who says that the firm has also added quarterly reports to the audit committee and periodic management updates to their ongoing compliance activities.
Altera Corporation, which delivers programmable logic solutions for system and semiconductor companies, has also seen its SOX compliance efforts facilitate overall process improvements as the changes have been acclimated into the corporate culture.
According to Michael J. Baker, Altera Senior Director of Internal Audit & Compliance, achieving initial compliance in 2004 required the involvement of nearly every department within the corporation as they worked to develop narratives and control matrixes and to re-engineer processes.
Because there wasn’t a full understanding of the need for so many new controls or the extent to which they needed to be reviewed, resistance to the changes necessary for SOX compliance was common in the early years. That has fallen away, however, as the enhancements made for SOX have begun to benefit other aspects of the company’s operations.
“At this point in time, the SOX tests and ground rules have been institutionalized and accepted. Although there was a significant expense and a lot of work for a lot of people initially to reengineer the processes, that really was the benefit that we gained and we are continuing to improve,” said Baker.
Compliance encouraged Altera to streamline and strengthen IT controls and many other internal processes – processes that might not have been scrutinized were it not for SOX. Those improvements, coupled with the introduction of Auditing Standard No. 5 (AS5), which directs auditors to use a risk-based approach and focus only on areas that could harbor material misstatements, have also helped the company reduce the costs associated with compliance.
“We as a company constantly are looking at all aspects of our business to improve efficiency and reduce costs. Over the last two years, there’s been significant progress in that direction and it has improved our end results,” said Baker.
He estimates that Altera spent more than $2.5 million on its initial compliance efforts, including consultant and external audit fees, as well as people hours and costs related to IT and process enhancements.
Today, although they still bring in consultants when extra hands are needed, the company has seen a decrease in people hours required to maintain compliance. Re-evaluating their controls and constantly rationalizing processes to ensure that they are still relevant and essential to the business in an ever changing environment, and focusing only on those controls that are truly key has also helped bring down costs and capture efficiencies.
Finally, Altera has seen its auditor attestation fees decline, thanks in large part to AS5 and process improvements that result in external auditors now accepting approximately 65 percent of internal auditors’ work on SOX.
“That in itself reduces the fees, and it is possible because we’ve focused so adamantly on SOX compliance and improving processes. It’s a combination of having the right processes in place, doing very comprehensive internal audit work and, of course, all the supporting work papers and documentation and presentation that goes with that,” said Baker. “…The simplification process we’re going through, assigning different groups of the company to look at specific processes, that is really helpful with compliance. There is also the benefit of more efficiency and lower costs.”
Finney notes that Kforce has also seen a decrease in its compliance costs, including people hours and external audit fees, to the point where SOX-related expenditures are most likely stabilized.
“I think it’s close to being normalized. We don’t expect to have any new costs that could be attributed to compliance efforts,” he said.
For those companies that are either working toward compliance or seeking ways to streamline the process to maximize the effectiveness of SOX-mandated changes, Finney recommends leveraging external auditors and testing only those controls that are truly key control activities.
“Focus on the higher level controls to the extent possible, and allow management to own as much as they are willing to take on,” he said.
According to Baker, some of the most important actions companies can take to reduce compliance challenges, streamline processes and begin realizing the benefits that can result from SOX include being organized, systematic in approach, thorough in review and securing buy-in of compliance needs throughout the organization, starting from the top of the business and spreading across the company. Most important is for internal audit to work closely with their external audit counterparts to avoid duplicative testing and review to the extent possible and to maximize resources.
Companies need to look at their processes as a whole and identify those controls that are truly key controls and therefore require documentation for compliance purposes. The question to ask is “If I don’t look at this section, what could go wrong?”
“That way, you can really hone down your key controls and gain a benefit,” said Baker. “Rather than looking at SOX as a negative – it’s with us and it’s not going away – turn it into a positive… Engineering processes, identifying control processes and reducing costs. These are all positives coming out of what was originally a negative because, initially, it was so bureaucratic.”
Back to Top