IT Management

The first round of Sarbanes-Oxley auditing is complete for the largest U.S. public companies. The news isn’t great. About 14 percent of companies failed their audits. Several haven’t been able to file their required annual reports and have been notified by the Securities and Exchange Commission (SEC) that they may be de-listed. Plus, word has come down that IT departments should prepare themselves for a much more stringent review next year.

Aside from the warning that more work—and closer scrutiny—is coming, why should database professionals be concerned about Sarbanes-Oxley (SOX) compliance? The answer: Their jobs may depend on the results of their companies’ audits.

This implication would be easy to miss. Most of the focus on SOX compliance has been on members of boards and CEOs or CFOs. The impact of the Act on these groups is significant. Board members have a slew of new responsibilities. CEOs and CFOs are prohibited from certain common practices of the past, such as overseeing the work of external auditors. These executives are now required by law to attest to the accuracy of their company’s financial statements and must also attest that they have personal knowledge of the adequacy of their company’s controls over financial reporting. If the CEO or CFO submit a bad certification, they could be liable for fines up to $1 million and imprisonment for up to 10 years. (If the certification was submitted “willfully,” the fine could be increased up to $5 million and the prison term could be up to 20 years.)

Executives and board members aren’t the only ones, however, who suffer if a company fails its audit. The SEC doesn’t impose a direct penalty on a company that does all that’s required but still receives an adverse opinion from its auditors. Instead, capitalism steps in, in the form of market reaction—a rise or fall in stock price.

The market has had many opportunities to react to SOX news. In 2004, SOX provisions forced at least 582 companies to disclose material weaknesses or significant deficiencies in internal controls. (Some counts bring the number up to nearly 750.)

As late as January of this year, estimates for the number of public companies that might fail the SOX 404 test for this last round of audits varied from as low as 10 percent to as high as 20 percent. The final numbers for the year aren’t in yet, since so many companies were unable to meet year-end deadlines for filing financial reports.

Data collected by the firm IVES Group, Inc., a leading independent research provider focused on the accounting, insurance, and investment communities, and published at AuditAnalytics.com, shows an estimated failure rate of about 14 percent and a typical market reaction to failure of a 1 to 3 percent drop in stock price.

What does this mean? Consider General Electric, the largest company to have had to disclose a material weakness this year. With a market capitalization of more than $300 billion, a 1 percent drop in the stock price could be interpreted to mean that—at least for a day—the company was worth more than $3 billion less than it was worth before. Even for a company with smaller market capitalization—$75 million—a 1 percent drop in price translates to $750,000. A 3 percent drop would be $2.25 million.

What happens to company workers if the stock price drops for a day? Maybe nothing. What if it drops and stays down? Executives tend to spring into action, looking for ways to reassure investors. Often, this reassurance takes the form of promises to achieve “new efficiencies.” Those of us who work in a corporate department considered “overhead” (as are many database management groups) have probably learned to shudder at these terms, which are often synonymous with layoffs or outsourcing.

What can database professionals do to protect themselves and their companies from SOX failure? You’d be surprised.

6 Pages