Review sox globally and create light version



  • SOX has indeed been the catalyst for a lot of things that companies should have been doing already.

    • COSO has been around since Ronnie Reagan was in the White House.
    • COBIT’s been around for more than a decade. But I think many IT managers/CIOs saw an opportunity to action a lot of things on their wish list - I certainly have seen plenty of unnecessary remediation.
    • Auditors have been trying to get their clients to improve controls over business processes and IT for a long time. But I think they have used SOX to get items that have been on management letters for years actioned.


  • Who cares? Europe and foreign markets will continue to benefit from a poorly thought out knee-jerk reaction from the US. Those of us raking in the money in the audit firms and big businesses can count our blessings.



  • It’s only a matter of time before something very similar comes in Europe as well.
    I have to agree 100% with what Denis is saying.
    The biggest cost for us were the auditors who had to have a few extra hours in the company going over the controls. The work itself didn’t cost much.



  • There is absolutely no way that an equivalent to section 404, the key element of SOX that is upsetting the business community as it drains resources and lines the pockets of accountants, will be introduced in Europe.
    I thought Canada did the very same by passing something akin to SOX but without 404?
    I also question whether there is the same commitment to/momentum for such a draconian Act as SOX in Europe when we read that the UK are deliberately taking action to prevent SOX hitting the London Stock Exchange should the NYSE buy them out.



  • Draconian, eh?
    My dictionary says that draconian means ‘Exceedingly harsh; very severe’. Which provisions of SOx are actually draconian?



  • FYI
    Canada and Japan have their own SOX version. Did anybody ask a question why did they go for such a law? Europe is not far away.
    All the best.



  • Good question. Perhaps I am unfairly tarring the SOX Act with the exceedingly harsh interpretation of it by the External Auditors who have the terrible task of trying to maximise profit whilst minimising the risk of any adverse review of their SOX work. Either way I believe that the burden of proof required for ‘coal face’ operations is exceedingly harsh, particularly when SOX was born in an environment of Board room deliberations/manipulations.
    That being said I have seen two positives. SOX has focused the attention of both the IT and change management functions to ensure that their processes are more robust and better controlled.



  • You must be under some misapprehension here.
    The SOx Act places a great many burdens on the CEO and CFO - ultimately exposing them to lengthy prison terms if they fail to comply. Onerous requirements are placed on boards as a whole and non-executive directors.
    Some hefty requirements are also placed on those money grabbing auditors as well as taking major income streams away from them.
    The Sox act creates no ‘coal-face’ requirements by itself - Boards of Directors do that to protect themselves.



  • Hello,
    It’s true that severe measures can be taken when one’s not compliant with sox. However, it hasn’t been the case so far and I doubt if it will ever come to that. CEO/CFO can officially get 20 years but when it comes to that I believe that the responsibility will be shared over the board of directors and the auditing firm.
    I get the feeling that a lot of auditors here focus too much on the positive side of sox. The feedback I’m getting from colleagues around the world (in major multinationals) is somewhat different. Rising costs, lack of vision, extra workload, overkill on processes.
    Besides the big 4 auditing for sox, it would be good if they could do an extra audit to decrease sox-cost by reducing unnecessary controls and measures taken.



  • Good debate,
    I like what SOX says in theory, but in practice I do feel there is too much focus on the lower levels. It’s top mgt that needs to be controlled, and their egos dampened.
    However, while I agree with some of StopSox’s points I’ve got to admit to being pro-ethics and governance. It’s about time that doing things right was actually at the forefront of people’s thinking. I can only see a continuing upward trend in the coming years for increased corp. responsibility and governance.
    Which is why fundamentally I’m in favour of SOX and what it’s trying to achieve. It just needs a bit of tweaking.
    HOWEVER,
    The main concern is the costs involved with compliance. Does anybody know if the high costs of SOX have had a negative effect on companies’ abilities to carry out other socially responsible activities?
    SOX may actually be more trouble than it’s worth.



  • I get the feeling that a lot of auditors here focus too much on the positive side of sox. The feedback I’m getting from colleagues around the world (in major multinationals) is somewhat different. Rising costs, lack of vision, extra workload, overkill on processes.
    FYI, I’m not an auditor, and my company have had lots of benefits come out of the SOX process. Although we weren’t badly managed before, we’re even better now.
    Personally, I would think all the reasons you list have to do with bad project management for the SOX projects, not the Act itself. Yes, we’ve had issues too, but nothing that we can’t overcome. All in all, as far as I know, we’ve spent way below what the industry average for an international company our size has.



  • I get the feeling that a lot of auditors here focus too much on the positive side of sox.
    Adding more regulations and controls wasn’t welcome by most firms. As the SOX standards had to be written for self-regulation of a wide range of industries, it’s subject to interpretation and improper implementations.
    Still after a few years now, most public companies have accepted it as a cost of doing business. There’s not a lot of choice other than to see the glass as ‘half full’ and get the most out of the effort and expense. Whether you see SOX as positive or negative, it’s better to plan and get the most of the required effort.
    There are benefits, if companies use SOX as an opportunity for improvement in the financial and IT controls in an optimal manner. For example, they have much more accurate financial information, it can be helpful to management in planning new business ventures. As an IT person, I’ve even seen cases where automation and improved workflows have helped things.
    The feedback I’m getting from colleagues around the world (in major multinationals) is somewhat different. Rising costs, lack of vision, extra workload, overkill on processes.
    I agree that SOX requirements need more clarity, better examples, and perhaps other improvements. However, a half-hearted and poorly implemented effort may lead to these factors as well. Certainly, more has to be done in simplifying many areas subject to interpretation.
    I’d also like to see costs reduced but that may not be realistic. In some ways, we’re like the whole class of students being punished for the acts of a few. Still companies can help themselves by planning and getting good up-front training before forging ahead too far.
    Costs and implementation experiences also depend on the company’s IT, audit and financial control standards prior to implementing SOX. SOX has fit better into very well run companies using the best IT, audit, and financial practices.



  • I get the feeling that a lot of auditors here focus too much on the positive side of sox. The feedback I’m getting from colleagues around the world (in major multinationals) is somewhat different. Rising costs, lack of vision, extra workload, overkill on processes.
    For the record I am not an auditor and work for a (very) large multinational. I have now worked on 5 SOx projects and have performed s404-like work for more than a decade.
    My experience is that the companies who are having the most troubles are the ones that are seeing SOx compliance as just a box-ticking exercise. As I said before I see a far bigger issue in execution than I do in the Act itself.
    These companies often make themselves over-reliant on consultants to achieve compliance for them without a clear idea of what it is they are trying to achieve - this creates a twin problem of lack of ownership and having set up the consultants to fleece you because you don’t really know what you want. This is often compounded by not devoting the right internal resource to support the project/ongoing compliance. All of this also makes it harder for the auditors to get what they need to fulfil their obligation - thus pushing up costs.
    I have met countless directors and senior management in many companies that can talk the talk on how important SOX is - but few of them ever really mean it.



  • To sum it up, high SOX costs are due to bad project management (not planning proper resources management), hiring incompetent consultants (suggesting extra controls and not challenging big 4 save face strategies) and not using internal synergies (by overrelying on incompetent consultants instead of cross functional control self assessments).



  • Chaava
    spot on - we spent most of our first year pushing back against our Externals - now in year three and total ‘key’ controls is down from 265 to 67 for our BME division. (Mainly due to changes at senior levels in our external auditor).
    The workload does reduce once controls are automated / part of the culture of the company - i.e. if people know they have to comply (and will be found out if they don’t) then they will comply making your life easier.
    Yes SOX was painful to implement but the key points are to make sure management lead it and not the external auditors, plan it up front and treat it as a project, and ensure the board buy in - and make sure the management team are targeted on achieving compliance (i.e. hit their pay packet if you don’t.) works wonders
    cheers



  • I agree that poor project management (or in our case bad advice/changing advice from our external auditor) contributes significantly to up front costs of complying with SOX.
    What it does not excuse is the ongoing direct costs in the region of a few GBP million for additional management structures and more importantly external audit fees purely for SOX.
    Where the debate may be complicated is that the legislation is a broad brush approach across a variety of business. I am no business expert but I’d wager that there is a significantly greater burden for a financial services organisation seeking to comply with SOX than for a widget manufacturer.



  • You said Financial Services, well, you may have one more compliance viz. Basel II. Please confirm this.



  • What it does not excuse is the ongoing direct costs in the region of a few GBP million for additional management structures and more importantly external audit fees purely for SOX.

    Why the cost for new management structures?
    SOX does not mandate that we change our management structure in order to comply? Just because you have a thin organization does not mean that you cannot have good internal controls.
    Now, if you previously relied on your external auditor to assist with your tax calculations and SEC filings and to find errors before your financial statements were issued, then I can see the expense for additional management costs, but in that scenario, auditors are not really independent and the management team needs to be beefed up.



  • Oooh the arrogance to assume we have thin management structures. In a highly regulated industry with products that are heavily scrutinised by government, policy-holders, other FS bodies and third parties, I would say we already have more than enough staff focused on risk, compliance, fraud, etc. But for all these staff, for all these controls, these are not good enough for the auditors’ interpretation of SOX because they want to look at it from a different angle and not rely/cannot rely on these controls.
    No matter how much everyone rambles on about risk based auditing, likelihood of material mis-statement, etc, I would suggest that the auditors are primarily still concerned with maximising profit whilst minimising the risk of any litigation. As a result they remain focused on controls that gives them comfort (after all they still build the goal posts between which we have to score) irrespective of our own views.
    Tax calculations and SEC filings are easy. They’re self contained within the environs of the Finance Departments and are easily controlled. The complexity comes from the need to go into every aspect of the business, because everything is financial, and test the variety of financial products sitting on a number of different systems. This takes up most of our own and our auditors’ time yet is very low risk given the high volume, low value transactions that are then scrutinised by all the parties referred to earlier.
    Why additional management costs? Because all this information has to be gathered up and presented back to the auditors so that they can understand it. We considered self certification, minimal staff time but insufficient for auditor reliance. With one member of staff dedicated to SOX compliance/testing and costing be 50,000 per annum can save me more than that in reduced audit fees. We have considered removing the SOX team but the cost benefit analysis shows that the external audit fees will increase such that it would be more expensive to satisfy SOX requirements without them.
    Chhaava - Basel II will have an impact although my knowledge is somewhat limited here. I am hoping our SOX work will help (so that is a bonus.) although does this only really impact Banks? I have not looked into this yet as we have a separate team and I am dedicated to resolving SOX issues. What confuses me is that this standard keeps getting postponed and I am never quite sure what we are going to need to do - perhaps the sponsoring organisations have foreseen the possible compliance costs and questioned whether cost outweighs the value.



  • The SOX work should complement BASEL II. Other requirements for BASEL II are deemed operational for SOX. Self Assessment is the best solution and Big 4 are researching whether they can rely on Self Assessments performed by client. They should at least for remote locations.

