December 2005 marked the second anniversary that accelerated filers with a Dec. 31 fiscal year-end were required to comply with the Sarbanes-Oxley Act of 2002 (SOX Act or SOX). The act was passed to help ensure that the “creative accounting” practices that led to the sensational financial collapses of Enron, WorldCom and other large companies could never be repeated.
“The SEC filing deadline for companies with a Dec. 31 year-end has just come to pass,” says Blake Sellers, president and CEO of Avvantica Consulting, LLC in Dallas. “As a result, information will soon be available to begin to assess the actual costs of complying with SOX for year two. The results should be interesting.”
Smart Business spoke to Sellers about the costs companies have incurred to comply with the new rules.
How big is the total cost of compliance?
Prior to the completion of year-one compliance, most experts agreed that the additional costs associated with SOX compliance would be about $1 million for every $1 billion in sales. Unfortunately, the experience of many small and mid-sized accelerated filers was much different. For them, the cost of SOX compliance averaged about $1.8 million per $1 billion in sales.
When you add in all the additional costs that contribute to the total cost of compliance (TCC), the average was more in the range of $3 million to $3.2 million per $1 billion of sales.
What are the key components of TCC?
We see four major components, in addition to any direct costs associated with SOX consultants/contractors. The first and most important are the costs in terms of both time and money for a company’s management and staff. To comply with SOX, management is compelled to oversee the company’s compliance project or process, while the staff must now maintain controls documentation, collect evidence and perform remediation.
Second, there are typically a variety of out-of-pocket costs associated with travel, copies, document storage and retention, and overnight packages. These costs can be significant, especially in a company with a high percentage of controls that are decentralized.
The third component is the additional cost charged by the independent auditor to express an opinion on the system of internal controls for financial reporting (ICFR) and management’s assertion on the same.
Finally, the fourth cost component would be associated with any investments the company has made in SOX technology. Examples include costs for software implementation, licenses/maintenance, hardware and application support.
What are the key drivers of a company’s TCC?
- The nature, classification and frequency of a company’s controls are the key drivers. To understand these characteristics, several questions should be addressed, including:
- What is the total number of controls to be maintained and tested?
- Are the processes/systems being controlled centrally or distributed?
- For a given set of process controls (e.g. payroll related), are the controls standard or nonstandard?
- At what rate have the controls tested ineffective in the past?
- How frequently does the controls environment change (e.g. new systems, company reorganization, acquisitions, etc.)?
Why has it cost mid-sized companies more to comply?
First, mid-sized companies have a smaller sales volume over which to spread their compliance costs. As a result, the ratio of compliance costs to sales is generally higher.
Second, mid-sized companies often grow through acquisition, and in many cases the new entity is not really integrated with the rest of the company.
Lastly, mid-sized companies are generally less likely to have an internal audit or consulting group capable of assisting with SOX compliance, so they tend to be more reliant on external consultants or contractors.
Is there a business case for SOX technology?
Long-term benefits from investing in SOX technology may be analogous to the Y2K challenges of the late ’90s. At that time, many companies replaced their code with new ERP systems that addressed the Y2K issue but, more importantly, also improved workflows and provided access to common data bases. The replacement of those systems has had a meaningful impact on productivity gains realized in the U.S. during the past four to five years.
We think that SOX-driven compliance activities could have a similar effect. When management invests in a robust SOX technology solution, they obtain a holistic view of the factors that drive TCC. As a result, it provides management with a roadmap that often identifies significant opportunities for process improvement, cost optimization and business transformation.
BLAKE SELLERS is president and CEO of Avvantica Consulting LLC. Reach him at [email protected] or (214) 379-7920.
