The Benefits and Challenges of Sarbanes-Oxley CompliancePublished: June 29, 2005 in Knowledge@Emory
It’s no secret. Government compliance comes with a major price tag and the cost of complying with the Sarbanes-Oxley Act of 2002 (SOX) tops the list. In fact, a study by AMR Research predicts companies will shell out over $6 billion to comply with SOX this year.
Enacted in July 2002 in the aftermath of accounting scandals at Enron, WorldCom and the subsequent collapse of auditor Arthur Andersen, the authors of SOX hoped to renew investor trust in corporate America by addressing several areas proven vulnerable by the likes of Enron. The law created the Public Company Accounting Oversight Board (PCAOB), which is responsible for auditing standards, the regulation of auditors, and quality control in audits of publicly held companies—largely stripping the accounting profession of its historic self-regulatory status. CEOs and CFOs must now sign off personally on the accuracy of their company’s financial statements. Steps to avoid conflicts of interest between companies, stock analysts, auditors, and investment bankers were taken, and misdeeds now mean stiffer penalties.
Recently, Emory University’s Goizueta Business School hosted a panel discussion in partnership with National Public Radio, addressing the pros and cons of SOX.
The good news is that several surveys indicate that SOX regulations are beginning to make a positive impact on investor confidence. The bad news is that the 66-page act is chock full of new regulatory requirements—and the cost of compliance is considerable.
According to a 2004 survey by law firm Foley & Lardner LLC in association with KRC Research, the average annual cost of being a public company with a revenue under $1 billion jumped from $1.25 million in pre-SOX 2001 to $2.86 million in post-SOX 2003—an increase of 130%. Respondents to the survey note that Section 404, which went into effect last year and requires that public companies assess their internal controls and procedures for financial reporting, will be a major factor in the continuing cost of compliance.
“From an infrastructure standpoint, for many companies Sarbanes-Oxley has required a great deal of investment of time, money and resources,” said Michael Hughes (a Goizueta Executive MBA alum), Partner, Risk Advisory Services, KPMG LLP, one of four panelists who participated in The Goizueta Business School and National Public Radio (NPR) panel discussion on the benefits and challenges of SOX compliance. “Costs were often driven by the steep learning curve, condensed timeline, additional regulatory guidance issued late in the year, the extent of deferred maintenance of controls and related processes, along with the inability to fully achieve an integrated audit and efficiently use the work of others.”
For companies bound by SOX, Section 404 has caused the most angst. Section 404 requires that companies create extensive internal controls and processes that document and verify material information concerning financial results. To meet the November 2004 deadline for large companies to comply with Section 404, KPMG assisted an $18 billion company in becoming compliant. The task engaged not only internal employees to document the company’s internal controls over financial reporting, but also nearly 40,000 man hours of external help, according to Hughes. “SOX compliance has been a tremendous burden for some companies, but a major opportunity as well,” he added.
“Enlightened CEOs are recognizing and seizing every opportunity to derive value from the ‘Section 404 Compliance Journey,’” said Hughes. Indeed, executives can gain new business insights from detailed analyses of their company’s controls “portfolio.” “This knowledge provides corporate leaders with a new lens through which they can evaluate their business—a new means of considering and controlling risk, improving the quality of their financial reporting, and driving a return on the SOX 404 compliance investment,” according to Hughes.
Meanwhile, fees paid to outside auditors have increased by double digits since the enactment of SOX, according to the Foley & Lardner survey, and the increase in SOX-related accounting fees has been steady and sustained, bolstered mainly by the enormous amount of work required by the Act.
Hughes also noted that smaller companies must comply; whether a company passes a dollar or a million dollars through the system, the cost to design, secure, document, implement and remediate gaps in the system is extensive. “It’s a massive undertaking for these companies to understand key processes and controls,” noted Hughes. According to a study by CFO magazine, the cost of maintaining such controls can approach $500,000 per year—whether the company has 200,000 employees or 200 employees.
When asked how the law affects his company’s competitiveness, Reppucci noted that you now must carefully weigh the launch of a new product against the risk of not being able to meet Section 404 certification deadlines. “There’s a lot of that balancing act—juggling the ability to launch new products and comply with SOX,” observed Reppucci, “but I think SOX does enhance the company as a whole.”
Al Hartgraves, professor of accounting at Emory University’s Goizueta Business School, described SOX legislation as “disjointed” but believes SOX enhances the amount and quality of information available to investors who watched their investments in Enron and WorldCom virtually evaporate within a few short months in late 2001 and 2002. “In addition, it’s a mandate for the Securities and Exchange Commission (SEC) to take a look at other issues the law didn’t cover,” said Hartgraves.
SOX called for a number of studies, including a General Accounting Office (GAO) report regarding the consolidation of public accounting firms. "Having gone from the 'Big Eight' to four accounting firms has caused some concern about whether or not there are too few large public accounting firms," noted Hartgraves.
The act also called for studies on credit rating agencies and investment banks, both of which came under fire in the wake of Enron. According to Hartgraves, these and other studies requested under the act have been completed. "I don't know what is going to come out of it," he said, "but the information is there for the regulators and for Congress to do with what they feel is appropriate."
While companies attempt to ensure that they are SOX-compliant, CEOs and CFOs are being required to verify their company’s financial records and are being held liable if they misrepresent the truth about their company’s finances.
According to Ray Hill, a senior lecturer in finance at Goizueta, the common theme in the cases against CEOs whose companies manipulated financial records, was, “We’re not the guilty people. We were duped by the people under us,” Hill said. “[The CEO] may have had no idea what his company did…I don’t know if that’s against the law, but it ought to be.” SOX legislation links top executives to what happens on their watch. If corporate misdeeds occur, CEOs and CFOs can find themselves paying up to $5 million in fines or spending up to 20 years in prison. “SOX beefs up the fear factor for behavior of that type,” added Hill.
None of the panelists believed SOX would eliminate fraud, but they were optimistic that the law and its regulations and requirements might boost corporate honesty and work to woo back investors stung by recent corporate scandals. They acknowledged that although the cost of compliance is immediate, it might be years before the benefits of SOX are apparent. But Reppucci is optimistic. “Overall, SOX provides value to the company and to the shareholders,” he said.