Costs: Financial Impact of Sarbanes-Oxley Compliance

Compliance with SOX Approaches Costs Implications of SOX Questions to Answer Section 404 Preparation Checklist The Basics Governance Corporate Governance COSO/COBIT IT Governance SEC and PCAOB Security The Act Itself Humor Dear Ms. SarBox Shocking SOX Stuff In the Spotlight Companies & People in the Spotlight Compensation Hall of Shame Sarbanes & Oxley News & Commentary Commentary Latest News Ms. Sarbox's Private Collection: News Archive by Topics Press Releases Numbers & Words Quote Us Soundbites Statistics Surveys

What will it cost the average company to comply with Sarbanes-Oxley? The answer depends on who you ask, and when. At first, the SEC projected conservatively that compliance with Section 404 alone would cost $1.24 billion (or $91,000 per company) annually to implement Section 404(a) of the Sarbanes-Oxley Act. Read the details in their PRA burden estimates. In this same document, the SEC estimated 5,396,266 aggregate annual burden hours for this effort. Industry and auditors agreed that those figures would be very low for some companies, although how low was in dispute. As late as early summer, some auditors were still estimating 404 costs based on financial accounting controls. So what has changed? Now most auditors, according to AMR Research Center and others, are taking the stance that to accurately certify financial controls, they must "follow the money" as it flows through an organization's people, processes, and IT systems. That means 404 attestation will have to dive into Operations and IT when they are the point at which the company does (or should) insert a control over financial data or the databases that house financial data or the IT systems than manipulate or move that data. A comment from those of us who have spent our careers building or managing Financial IT systems: Ya Think !!???!! The new line of thought is that when it comes to Sarbanes-Oxley Section 404 compliance, a company is only as compliant as its weakest link in the control of its data. Put another way, that means a company needs to take a lesson from the police, who are used to having to prove "chain-of-custody" for evidence. CEOs and CFOs need to attest that their companies have adequate "chains-of-control" for their financial data. As financial data enters the company and moves from person to person and from IT system to IT system, the company must have adequate controls on WHO can change the data, the databases holding the data, the utilities and programs that extract, transform, and load data, and the reports that display data. These controls need to specify WHEN changes can occur, and WHY. They need to indicate WHO is accountable for every link in these data chains, and HOW accountability is managed. So now estimates are climbing. AMR Research Center estimates that Fortune 1000 companies will spend up to $2.5B this year in Sarbanes-Oxley Act compliance-related work. What happened? It's not just that the scope of audit preparation activities is spreading into new areas of a business. Indeed, some of the tough choices of the past few years are catching up with companies: Cost-cutting that resulted in skimping on documentation Rapid application development techniques that got results but didn't leave an auditable trail of controls Aggressive schedules for consolidating systems or migrating to new technologies that resulting in changing - but undocumented - accountabilities and controls New applications or environments that have not yet been subjected to a complete security scan Formal IT Change Management programs that fail to encompass databases or data warehouses/marts with the same rigor used for applications and systems. What's the upshot? As well as Section 404 pre-audit activities in the Finance Department, most public companies also face some catch-up in three key IT areas: They probably need a complete Security Assessment to find any broken links in their chains of control. They probably need to perform Data Analysis to follow the chains of control for financial data, identifying any weak links and taking steps to strengthen those links." They probably have some known holes in their system or data documentation. They'll want to determine which if any holes could result in serious concerns, and then deal with them. Who should perform this work? That will differ from company to company. Most experts recommend using external resources for security audits and to use only the best - an assessment that looks only at some links will hardly demonstrate a commitment to security. Do you need external consultants for your data analyses and remediation efforts? Maybe, maybe not. A word of advice: Don't overlook your own technical documentation resources that know your systems inside and out. They probably will require little time to come up to speed, and will probably be an economical approach to compliance. That's our opinion. You'll find lots of other information about the financial impact of Sarbanes-Oxley compliance collected by our own Ms. Sarbox.