Significant opportunities still exist for optimization of Sarbanes-Oxley (SOX) Section 404 programs and reductions in compliance cost, according to a new report released by BMR Advisors and Financial Executives Research Foundation (FERF), the research affiliate of Financial Executives International (FEI).
The report, entitled SOX 404 Optimization: Operational Trends, was distributed this week in conjunction with Financial Executives International's Current Financial Reporting Issues conference in New York, and identifies program scope and program structure as the two principal drivers of SOX program efficiency. Exploring a variety of ways in which these factors can be balanced to create a customized operational model, the report is based on qualitative interviews with more than 30 senior finance and internal control professionals, carried out during September and October 2008.
"In the years since its enactment, Sarbanes-Oxley has been a constant focus of attention and countless research initiatives – but many of these have focused mainly on quantitative issues," said report author Sanjay Mehta, Senior Partner with BMR. "We wanted our study to delve even deeper into the issue – to look behind the headline numbers of key controls, compliance costs and so on and to explore how SOX compliance is actually being managed on an operational basis since the implementation of AS5."
"We were encouraged to find that significant upside opportunities still exist – particularly for those companies lower down the maturity curve in terms of their SOX compliance," said Cheryl de Mesa Graziano, Vice President, Research and Operations for FERF. "This will be considerably valuable for those companies that have yet to adopt SOX."
Key findings of the report include:
Gauging operational maturity of SOX programs
Optimization of (a) program scope and (b) program structure are the key metrics to use in evaluating the maturity of a SOX compliance program. Although scope has the more direct impact on overall compliance cost, companies at the higher levels of SOX maturity have also made efforts to optimize the structure of their SOX programs such that internal and external costs are controlled.
Introduction of AS5
Many organizations began to benefit from AS5 (and the new SEC interpretive guidance) before they officially came into effect, and the overwhelming feedback is that the new approach has driven significant cost reductions. However, by no means all companies have reaped the full reward of AS5, and some have shown little or no reduction in scope since the early days of SOX.
A continuum of SOX operating models is emerging, where the core distinguishing factor is the extent to which responsibility for management and execution is either centralized or decentralized. Which model an organization chooses to follow is driven by such factors as business complexity; business dynamism; control culture; technology infrastructure; and so forth. In optimizing program structure under AS5, SOX leaders must balance the need to maximize the external auditor's reliance upon management testing with the need to ensure that internal resources are deployed in an efficient way.
Opportunities for further rationalization
Beyond AS5, opportunities for further rationalization still remain, in four main areas:
- Transformation of control environment to focus less on manual controls and more on (a) automated and (b) entity-level controls;
- Consolidation of processes onto a reduced number of systems, or into a reduced number of locations, through a shared-services or BPO approach;
- Adoption of more sophisticated testing strategies, including remote testing; and
- Selective strategic sourcing of SOX testing work.
General feedback on SOX
SOX has brought some significant benefits – some of which were unexpected, such as the value that it has brought in integrating processes after a merger, or when establishing a new business unit. Among the suggested improvements to the Act and its interpretation, four stand out:
- Acceptance of a degree of rotational testing;
- Integration of SOX into a broader, more holistic view of business risk;
- Simplification to better align with future migration to International Financial Reporting Standards (IFRS); and
- Re-definition of SOX thresholds for smaller companies.
Full copies of SOX Optimization: Operational Trends are available for download at the FERF Web site, under the "reports" section.