Two years of compliance with the Sarbanes-Oxley Act (SOX) have shored up corporate accounting practices — but with lopsided costs compared to benefits gained.
That’s the general consensus of a wide range of business executives and auditors who gathered recently in Washington DC for a roundtable discussion hosted by the US Securities and Exchange Commission and the Public Company Accounting Oversight Board (PCAOB).
The SEC and PCAOB arranged the discussion to solicit feedback about section 404 of the act, which requires companies to attest to the effectiveness of internal controls put in place to protect financial reporting systems and processes.
“The Sarbanes-Oxley Act was a critical step in addressing an unprecedented string of corporate scandals that were rooted in very serious governance, accounting and audit failures,” SEC Chairman Christopher Cox said at the conference. Section 404 has the potential to improve the accuracy and reliability of financial reporting, but only if it’s implemented properly, Cox says. “In practice, it hasn’t always worked out that way.”
Bill Gradison, acting chairman of the PCAOB, says that the guidance the SEC issued last year and PCAOB’s latest auditing standard may not be enough to clarify the rules that govern the reporting and auditing of internal controls.
“Based on the information we already have, it would seem that some further changes may be in order,” Gradison says.
Participants shared their experiences with the internal control reporting requirements. Philip Ameen, vice president and comptroller at General Electric, said of the benefits of two years of section 404 compliance: “One, we’re certainly more focused on controls, both in our underlying operations and in operations that we’re assessing for acquisition. Two, we are more sophisticated in those assessments and we’re more targeted in analysing and assessing the controls that are important to our reporting processes. And, thirdly, we have a common vocabulary for talking about the controls.”
That said, GE didn’t experience much relief in terms of the scope and cost of compliance in the second year. It tested 38,000 significant controls in 2005, down slightly from 40,000 the year before. In 2004, GE spent about US$33 million (NZ$52 million) on section 404 compliance and costs ran about the same in 2005, Ameen says.
While GE’s tally didn’t decline, research suggests other companies are seeing compliance costs drop in their second year. Colleen Cunningham, chief executive of Financial Executives International, says companies with two years of compliance under their belts report that costs dropped an average of 16%. That said, 85% of respondents to FEI’s latest survey believe the costs of SOX compliance still outweigh the benefits.