The Sarbanes-Oxley Act of 2002 (“Act”) was passed in response to some very unfortunate financial disasters in the stock market. Enron, WorldCom and Tyco were the poster children for the lack of internal controls over financial reporting. The accounting industry was self-regulated with little governmental oversight. Thousands of shareholders and employees lost significant amounts of their retirement funds. The government response was a radical increase in regulation over financial reporting by public companies.
Is Your SOX Documentation Up-to-Par?
In the early stages of Sarbanes-Oxley (“SOX”) in 2003, all public companies were basically treated the same, except smaller companies were given a bit more time to become compliant. The Act required public companies to document, test and certify to the quality of their internal controls. Accountability was now placed not just with management but with audit committee members and the board.
These new requirements gave birth to an entire industry of internal control documentation experts. Because of the relatively short timeline allowed to be in compliance, public companies scrambled to find sufficient talent and time to comprehensively document their processes and controls in a fashion that would satisfy their independent public accountants. The original Sarbanes-Oxley guidelines were broad and vague. As a result, there were many interpretations of the degree of granularity required to properly document and test internal controls. Among the big four accounting firms they were wide swings in the requirements to “pass” the test. Because the act required the independent accountants to certify to the quality of internal controls over financial reporting, audit fees across the board increased significantly. Some have suggested that the major accounting firms took advantage of the Sarbanes-Oxley Act. Revenues of the big accounting firms reached record levels.
Historically much of the public accountants’ approach to audit involved substantively testing the account balances. The detailed support of the account balances provided comfort to the audit firms that they were materially correct. While there was a test and evaluation of internal controls to determine the nature, timing and extent of reliance, there truly was limited reliance on those internal controls. The substantive testing was relied upon much more heavily to provide the basis for the auditors’ opinion.
The audit firms had based much of their training and audit emphasis on testing balances. For the first time, they would now be required to become experts in internal controls. The documentation of process and controls was a skill set rather uncommon among public accountants. However, the accounting firms did their best to quickly ramp up education and assist their clients in the best way they could.
The result however, was less than optimal. The documentation was prepared by relatively untrained accountants based upon broad and vague guidance from the regulators. A new arm of the government, the Public Company Accounting Oversight Board (PCAOB) was assigned responsibility of overseeing the accounting firms auditing public companies. They, too, were scrambling with deadlines and attracting qualified talent to provide that oversight.
CFOs of public companies were grappling for guidance, information, talent and comfort that their controls were sufficient and operating effectively. The Sarbanes-Oxley Act and the PCAOB put in place a Chinese wall, which prohibited their auditors from guiding their clients in a way to which they had grown accustomed. Historically, CFOs presented with an accounting issue would call their audit partner and ask for guidance. Under the new regulations, that sort of counsel was considered to be a violation of the independence required by the public accountants. In fact, it could be perceived as a deficiency, or worse, a material weakness if the CFO failed to identify his own solutions. The CFOs, many of which were graduates from the public accounting profession, were struggling with the same lack of regulatory guidance, internal control experience and talent that challenged the public accounting firms. The CFO’s world was further challenged by the loss of resources and guidance previously provided by his audit partner.
Despite these many challenges most public companies successfully documented and tested their internal controls and certified to them within the prescribed deadlines. But there was significant variation in the quality and level of detail of the documentation of internal controls between the audit firms. As is the case in many situations, the documentation and testing effort continued to evolve over time.
The Cost of Compliance
In 2004, AMR Research estimated that SOX compliance in the US cost $5.5 billion. The average cost of compliance for a public company was $1.9 million. The Financial Executives international estimated compliance costs at somewhat higher $6.0 billion.
The cost of compliance with Sarbanes-Oxley was being seriously challenged by public companies, particularly the smaller ones which spent a disproportionately higher amount relative to their revenue streams. Many studies were performed evaluating the cost of compliance. In virtually every large public company, millions of shareholder dollars were now expended in compliance requirements that some suggested was overkill. Public accounting firms and financial consulting firms were working overtime to help their clients achieve compliance. The cost was significant. Public companies pressured the federal government to relieve the stress of the very broad and general Sarbanes-Oxley Act. There was even discussion of appealing the act.
In 2007, the PCAOB issued Auditing Standard No. 5, which was intended to simplify and clarify some of the regulations and compliance requirements. Additionally, the new pronouncement introduced the integrated audit, whereby the internal control testing for Sarbanes-Oxley could be utilized in performing the financial statement audit. The new pronouncement provided smaller public companies some relief from compliance. The remaining companies reaped some benefit through welcomed clarifications published by the PCAOB. They were now in their fifth year of compliance, finally with a little more clarity. Public accountants were reprimanded by the PCAOB because of their excessive fees. While compliance still was required, it appeared that such compliance would now be somewhat easier.
Depending on the industry the Sarbanes-Oxley documentation is generally broken down into 12 or 13 financial cycles. In addition to these financial cycles the “Tone at the Top” and Entity Level Controls were also documented and relied upon. Entity level controls are those controls that are pervasive throughout the organization affecting management’s oversight, the Boards oversight and the climate for the attention to accuracy in financial reporting. The corporate culture and “Tone at the Top” has become more significant over the years. If senior management and the Board is constantly validating and challenging the financial reports, the chances are greater that an error or misstatement will be caught before it is released. In the early years of Sarbanes-Oxley the Entity Level Controls were substantially documented using a checklist. As Sarbanes-Oxley compliance matured the Entity Level Control documentation was much more robust and customized to each company. However, financial cycle documentation remained virtually unchanged.
In the 12 or 13 financial cycles that were documented, management identified the controls on which they placed reliance for accurate and timely financial reporting as “key”. And these are the controls that the public accounting firms tested to determine management’s compliance with their own internal controls. Remember, management is required to test their controls, typically through the internal audit department as well as having the external auditors test those controls.
Testing of internal controls is a compliance test. A sample of transactions is selected and certain specified attributes of those samples are tested to confirm that there was evidence that the internal control was operating effectively throughout the year. The compliance tests of these controls were developed in the early years of Sarbanes-Oxley. The control testing carried forward from year-to-year; only the size and scope of the sample changed.
Over the last 10 years, there have been many changes affecting public companies. They have experienced mergers, divestitures, new product lines introductions, organic growth, new regulations, discontinued operations and the like. Operations have evolved to manage these changes in the industry and in the company. However, the control documentation for the financial cycles has not kept up with the changes in operations. Most all of the controls documented in the early days of Sarbanes-Oxley remain as controls in the current documentation. They are being tested and relied upon for financial reporting accuracy and timeliness.
The cost of Sarbanes-Oxley, while down somewhat from the initial years, continues to be significant. The testing requirements on a quarterly and annual basis continue. While the test scripts have been written and continue to be executed, documentation and the testing approach is due for a fresh examination to confirm its currency and efficiency. It is estimated that a single compliance test of a control could cost $10,000 in external audit time. In addition, the cost of internal testing could be around $2,000. Assuming compliance can be confirmed through testing, each test therefore has a price tag of approximately $12,000.
The bottom line on the cost of testing
Generally speaking, there are 12 or 13 financial cycles. Each cycle typically has between 10 and 15 key controls. So, as a ballpark figure, a public company would have between 150 and 190 key internal controls. The testing of say, 150 internal controls at $12,000 each totals approximately $1.8 million.
It is time for public companies to re-examine the documentation of their internal controls developed in the early stages of Sarbanes-Oxley. There are significant savings available by reevaluating internal controls in a fashion that explores achieving the company’s objectives and mitigating risks with less and perhaps more comprehensive internal controls. The following are approaches to reducing the cost of SOX compliance.
Comprehensive Controls Evaluation
A more cost-effective route to Sarbanes-Oxley compliance includes a comprehensive reevaluation of the existing internal control documentation and related testing.
The objectives of accurate and timely financial reporting are well-established and have been clarified over the years. More fully understanding the objectives of the Sarbanes-Oxley Act and the level of precision required, a reevaluation would likely provide for more robust and streamlined internal control processes.
You may have heard of zero-based budgeting where a financial budget is not based upon what happened in the past but rather, is established relying upon expected activities in the future, starting with a blank sheet of paper. Similarly, the reevaluation of internal control documentation should be performed using a sort of zero base approach. A fresh set of eyes exploring the undoubtedly more efficient approach to satisfying the objectives for timely and accurate financial reporting, results in fewer key controls, better compliance and less cost of maintaining the Sarbanes-Oxley required documentation.
Operational changes have evolved over the last 10 years including technology improvements that have automated processes and controls previously relied upon that were manual. There may be ways to further automate controls within existing systems that have not been pursued. This is especially true of companies with installed ERP systems. Automated controls are much easier to test and rely upon. Properly controlled, an automated control can be tested with a sample of one. And, one automated control may supplant reliance on several manual controls.
In addition, there are opportunities for reducing the number of controls, and therefore the compliance cost, through standardization. Each location or entity should be compared to ensure controls are consistent. Through standardization, controls can be tested entity-wide, eliminating unique controls testing at different locations.
Process Level Data Mining
The Act requires that management perform compliance testing. Traditionally, the testing has been a sample based approach. Innovative organizations are implementing process level data mining through the use of audit software to derive process performance insights. Utilizing a software tool, the company can effectively view 100% of the transactions electronically, with less effort.
Regulations are usually costly. The Sarbanes-Oxley Act is no exception. However, there were some good things that resulted from it. The quality of financial reporting has improved. Over time, the number of control deficiencies and material weaknesses have decreased. In addition, since the initiation of the Act, the CFO has gained influence and stature. Audit committees have become more active and involved in the finance functions. Significantly more discipline has been injected into the internal controls over financial reporting.
It is clear that Sarbanes-Oxley is not going away. Companies cannot assume that because they have been SOX compliant in the past that the SOX effort is on cruise control. Rather, activities to eliminate, simplify, streamline, focus and automate processes must be actively pursued. It is time for a fresh look at the Sarbanes-Oxley approach and documentation. The investment will pay dividends in a more comprehensive and concise set of internal controls and a marked reduction in ongoing compliance costs. If you would like to know how to implement Sarbanes-Oxley, we provide a comprehensive "How To Implementation Guide" which you can get by pressing the button below.
Carrtegra is a Houston, Texas based management consulting firm specializing in Compliance, Controls and Ethics; Internal Controls; Financial Advisory; Technology Services; Risk and Security; and Financial Talent. We work closely with your company to provide carefully tailored high-value solutions.
Our professionals are subject matter experts in the financial regulatory environment and provide guidance by leveraging our experience, industry knowledge, familiarity with laws and regulations and creativity. Carrtegra brings years of experience in designing and reviewing processes, evaluating controls and system risks, and making critical recommendations that increase process efficiency, reduce risks and enhance system security. While you are managing your business, we can dedicate full time to designing and helping you implement solutions. We do the work; you own the solution.
Sam H. Carr is the Managing Partner of Carrtegra, LLC. Sam has over 30 years of experience in accounting, auditing, financial management and consulting. Sam has focused much of his career on process improvement and redesign. Sam holds an MBA and is a CPA, CIA, CISA and a Certified Compliance and Ethics Professional (CCEP). Sam is a finance and operations executive with broad-based experience that includes 12 years as a CFO or Chief Accounting Officer in both public corporations and private entities, and fourteen years with an international public accounting firm. Sam orchestrated an Initial Public Offering of a consolidation of dental practices throughout the United States. In addition to his IPO experience, he owns a powerful track record of demonstrated skills in a wide range of business environments including designing financing, mergers and acquisitions and growth companies. Sam has been the Chief Executive of a management consulting firm for the most recent 10 years. Sam’s focus has been substantially on quality of services and valued solutions as well as client and employee retention.