The Sarbanes-Oxley Act of 2002 (SOX) was designed to combat corporate fraud, to restore investor and public confidence in American capital markets, and to promote sound accounting practices.
Accomplishing these goals has been costly. In the first year, companies spent an average of $4.36 million to comply with SOX Section 404, based on a 2005 Financial Executives International survey of 217 publicly traded companies. Some spent more. A second 2005 survey of 90 Big Four accounting firm clients found that companies spent an average of $7.8 million on compliance, or about 0.10 of their revenue. On the flip side, of course, the danger of not complying with SOX is far costlier. SOX has increased awareness of the corporate fraud problem. Between 2002 and July 2004, federal prosecutors filed criminal charges on 14 major corporate fraud scandals. The charges were tied to 69 separate but related prosecutions. Two-thirds of the cases resulted in convictions. In nine of the major corporate frauds, 152 CEOs or other high-ranking executives were criminally charged. In 14 of the investigations, CFOs or other high-ranking financial officers were charged.
This article discusses SOX in its regulatory framework, with emphasis on the ramifications and impact on IT and what the future of SOX and other compliance measures holds.
The Regulatory Chain of SOX Enforcement
The chain of compliance enforcement for SOX begins with the Securities and Exchange Commission (SEC). It oversees the Public Company Accounting Oversight Board (PCAOB), which regulates auditors. Auditors oversee compliance requirements for company internal management teams, which must make assertions about corporate compliance. Finally, internal management dictates requirements to IT.
Christi Harlan, public affairs director for PCAOB, notes, “Sarbanes-Oxley required our board to issue a standard for auditors to assess internal controls over financial reporting in public companies. We have heard a lot of angst since the advent of Sarbanes-Oxley, although public companies since 1977 were required to have effective internal controls. Sarbanes-Oxley simply focused on this need. It gave auditors a new role in confirming what management was saying. In that regard, our board has been and currently is working very hard to assist accounting firms as they implement the requirements.”
SOX and IT
Although implementing SOX proved chaotic for auditors and companies in its first year, SOX became more formal for the financial area in year two. Now in year three, there’s also significant formality of process for IT. Despite this, a recent KPMG survey reveals that 50 percent of 1,000 surveyed corporate executives find IT still to be the most challenging area for achieving SOX compliance, says Richard Anderson, a principal in KPMG’s Information Risk Management practice.
Matt Dillon, managing director in Philadelphia for Protiviti, a provider of independent internal audit and business and technology risk consulting services, observes that corporate IT is “now looking at key company processes, and asking themselves how they can get a more discrete set of controls and improve efficiency.”
Organizations also are seeking opportunities to re-engineer business processes and tools as a byproduct of SOX—and they’re implementing software-driven automation that can monitor and report back on critical internal controls.