Just three years ago, thoughts like these kept many executives up nights as they considered whether they were using the best strategies for implementing internal controls and reporting to gain compliance with the newly enacted Sarbanes-Oxley Act of 2002 (SOX).
If they didn't comply, some firms' leaders worried, they could be lumped in the same category as corporate crooks, but only for committing the crime of inconclusive financial reports or murky internal controls.
Now those fears are mostly in the rearview mirror for corporate executives, as two years of experience with the regulations — plus a lack of SOX-related prosecutions — have put minds at ease with the federal mandate. Many forward-looking companies are also realizing that they can use SOX to their advantage to create best practices.
Well aware of the public outrage Enron, WorldCom and other corporate scandals garnered, executives were literally scared into SOX compliance because it brought corporate governance into the boardroom, says Anne Bonaparte, president and CEO of Tablus, a San Mateo, Calif.-based data protection firm.
"I think that the biggest change we've seen is that in the first couple of years, there was almost a knee-jerk reaction, which makes sense because there's jail as a consequence," she says. "A lot of money was spent on consulting and, in the last year, we're seeing more of an evolution toward a thoughtful response."
As shocking as the threat of years in the slammer was to CEOs, perhaps equally overwhelming was the amount of money they had to consider spending to ensure proper internal controls were in place to keep the auditors happy. Between the cost of hiring outside auditing and consulting personnel and the cost of bringing in hardware to implement internal controls, many executives found they had severely underestimated what making their companies compliant would cost, says Rick Cobb, CTO of Approva, an enterprise management control software vendor based in Reston, Va.
"Three years ago, people were increasingly surprised by every turn of events. Leading CEOs would say they didn't believe the investment they were making in SOX would be any great deal. Those people were shocked just by the process of going through the document controls. They were surprised by how much it cost, and how many personnel hours it required," he says. "People have had several years now to discern what does and does not need to be tested. They increasingly want to turn this into something that returns a value to their company."
Three years ago, corporate executives were no strangers to regulations, but there was a major difference between SOX and other regulations: "teeth" — or the threat of serious consequences for firms that ignored or were unable to comply with the regulations.
Other regulations sounded big and terrible, but had no teeth, says Chris Farrow, director of Configuresoft's Center for Policy and Compliance, Colorado Springs, Colo. "It changed how the board works. Organizations are looking at governance and trying to be fair and partial and make sure everything's on the up-and-up," he says. "It might have been the poster children on the front page of the newspaper, or the thousands of people losing so much money, or the people going off to jail. No one ever went to jail for HIPAA (the Health Insurance Portability and Accountability Act) or GLBA (the Gramm-Leach-Bliley Act)."
As time passed, and executives saw few prosecutions for alleged SOX violators, most began to concentrate more on process, and less on panicking, says Hugh Taylor, vice president of marketing communications for SOA Software, and the author of The Joy of SOX.
"After the first year, where people had spent an excessive amount of time and money on this, very few people were actually getting prosecuted for SOX," he says. "The second and third years have been a lot more about process."
For IT professionals, the most time-consuming portion of SOX is Section 404, which requires corporate managers to produce an annual report detailing internal controls and procedures. To do so, many managers are using a detailed framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
"It comes down to a core issue that any executive can relate to — that there's this sort of covenant between investors and management. If you take someone's money to run a business, you have to show that you have the adequate controls in place for the financial reports. You're going to be doing this kind of work anyway," says Taylor. "People say that Sarbanes-Oxley is obsessive. If it's done reasonably, you will contribute to making sure your financial reports are accurate."
The confusion seen in the dawning years of SOX was a boon to the auditing industry as auditors became more important to public companies' good standing with the federal government. Some corporations even went so far as to create a new position to oversee SOX compliance.
"I am now seeing a lot of SOX officers. I'm seeing that compliance officers are gaining a lot more power within an organization. The compliance officer role is morphing into a risk officer role, looking at security as part of the business content," says Kristin Lovejoy, CTO of Consul Risk Management. "Think about it from the corporate perspective. That would be considered operational risk."
Those corporate employees now earning their paychecks under the title of compliance officer owe a great deal of thanks to the 423 U.S. representatives and 99 senators who voted for the bill. Without it, their positions wouldn't exist — or at least wouldn't have the clout that they now enjoy, says Configuresoft's Farrow.
"I think it almost did create the compliance officer. There are a lot of organizations that would never have considered making that position available," he says. "Internal audits spun off from being a small part of the organization — it had pull, but not the kind of pull that the SOX team has at some companies."
Automation and convergence
Because of the complexity of making sure major national and international corporations are compliant with numerous state, federal and, in some cases, foreign standards, many companies are now using automated processes. Some are also bringing business departments outside security into the compliance process, which wasn't the case just two years ago, says Approva's Cobb.
"People have started to resort to automation to get sustainability in compliance. It's helped reduce costs, and it's helped people get a far better handle on their business," he says. "We'll go into rooms today that used to be populated by security people, and now it's people from across the business."
Those businesses are also attempting to take care of numerous compliance regulations with the same technology. Firms that already use tools built around COSO, a framework created to identify the factors causing faulty financial reports, and around Control Objectives for Information and related Technology (COBIT), a set of best practices for IT administration, can use those same tools for Sarbanes-Oxley, says Andy Lark, chief marketing officer for LogLogic, San Jose, Calif.
"We're seeing an enormous interest in anything that automates SOX, as well as anything that regulates other regulations," he says. "What we say to people is that rather than building a SOX dashboard, you're going to be much better off building a COBIT 4 board that can be used for SOX. We definitely see a lot of elevated interest in anything that automates manual processes."
Smaller public companies and their larger counterparts must adhere to the same standards to become SOX compliant. Thus, smaller firms generally spend a higher percentage of their revenue on SOX-related expenses.
Some are expressing the shock that larger firms felt just a few years ago. Others are threatening to cut public holdings out completely, says Marne Gordon, director of regulatory affairs, Cybertrust, Herndon, Va.
"I know that a lot of small companies were threatening to go private instead of filing. I don't think that's reasonable at all, but it shows you the level of panic about Section 404 compliance. For small companies this is comparable to the annual financial audit," she says. "The smaller companies are afraid of being put out of business. That's absolutely realistic, although it seems like grandstanding to me."
Just because Sarbanes-Oxley hasn't delivered the jail time for top company officials that many predicted it would, that doesn't mean executives can afford not to take it seriously or to overlook other compliance standards.
"Companies that take any requirement as a one-off are going to be scrambling," says Marv Goldschmidt, vice president of business development for Tizor, Maynard, Mass. "If they only look at SOX, they're going to have problems. If you look at other standards for PCI [payment card industry], the second requirement is to monitor privileged users. If you do data governance correctly, you view it as a corporate asset in the same way you'd view your financial records."
While executives certainly still complain about SOX and the cost of enforcing it across a corporation, some have realized that compliance means their business is practicing proper controls to keep it functioning more effectively — as well as keeping the CEO out of a jail cell.
"They tell me that there is a silver lining to SOX, and there is," says Bonaparte. "At the bottom line, you protect the customers and employees and information. That's the underlying meaning. That's the spirit of SOX."
Five things you can do
- Use industry-standard risk assessment techniques to determine where you need to spend time and money on SOX. Not all internal control risks are created equal, so don't overdo it!
- Commit to training your people on the ins and outs of SOX. Ignorance is very costly when measured in terms of overdone, underdone or incorrect internal controls.
- Watch out for compliance solutions that lock down business processes and strangle strategic agility and operational effectiveness. You can be compliant and agile at the same time.
- Show your commitment to compliance by establishing the right "tone at the top." Good ethics in the CEO's office trickles down. If people think the boss is unethical, then no amount of internal controls will work.
- Be circumspect regarding technological solutions that claim to be "SOX compliant." There is no such thing.
Source: Hugh Taylor, author of The Joy of SOX (Wiley Publishing)
A report satisfying Section 404 of Sarbanes-Oxley should have the following:
- A statement of responsibility from management over internal controls of financial reporting;
- A statement identifying management's framework to evaluate the controls' effectiveness;
- A management assessment of internal control effectiveness at the end of the most recent fiscal year;
- Disclosure of material weaknesses;
- An attestation from an auditor.
Source: McGladrey and Pullen, CPAs