S-Ox 404 Costs 741
SOX-Migration last edited by
We are a small bank holding company (bank is asset size of approx USD150 million, plus a lending call center as the only other subsidiary) that is publicly traded. We need to comply w/ 404 beginning with our fiscal year end June 30, 2007.
We are looking hard at de-listing due to the costs that are anticipated to be associated with 404. A recent Independent Community Bankers Assoc. survey of banks similar to our size estimated annual cost in excess of USD200,000.
I am looking for info from some of you who have been through it and are similar in size or nature to our organization, concerning costs, staff hours involved, etc. We are planning to use a third party consulting firm to do a lot of the work, but hoping to accomplish a lot of the controls documentation on our own, internally.
Can anyone help me with cost estimates? Thanks.
Not only do I have no idea about the costs, but neither do I about the procedure to follow … But it may depend on the stock exchange you are listed on.
Does anyone have an idea where to find information on the steps to follow in the delisting process? I have been on the SEC website, where they publicize the companies that requested to be delisted from any stock exchange. But no guidelines…
MikeE last edited by
As ever, I don’t know if this will help but hopefully it might point you in something approaching the right direction.
http://www.sec.gov/rules/sro/9731not.htm seems to go some way towards explaining the process for delisting from the NYSE at least.
http://www.sec.gov/rules/proposed/34-49858.htm gives further lengthy discussion on delisting.
Maybe check out the ‘Forms’ section of the SEC website as well. ‘Form 25’ is a notification of delisting; there may be others more applicable to your needs. Failing that, you can search the site for, for example, ‘voluntary withdrawal’, ‘delisting’… anyone know any other standard SEC-friendly phrases which might apply?
SOX-Migration last edited by
This is a BANK holding company right?
Banks usually have strong control environments because of the fact they are dealing with money, and also because they are regulated heavily. You may not have to do a lot extra to be compliant if you are complying with banking legislation.
Denis last edited by
Also, banks can’t get out of compliance by delisting. Special case.
SOXBriefs last edited by
The cost of your project will be entirely dependent on how efficiently it is run. Much of the excess cost incurred so far has been because companies did not have a good understanding of what exactly the end result was that they were shooting for.
By educating yourself and doing some research to ensure that you design your compliance from the start in an efficient manner, you will be able to comply without spending every dime of profit that you have. It is important that you understand that the cost savings are up to you; your consultants do not necessarily have the information or the inclination to work as few hours as possible on your project.
That is not to say that consultants are the wrong decision; I think they are very necessary since you will not need the increased staff in the long run. However, you should consider having someone independent of your consultants design your compliance plan and methods for saving money (whether this is an internal person or a consultant who is independent of the workers that you hire to ensure that the plan is efficient).
Just one example of ways to save money: There are many ways to document a process. Written documentation can get very detailed. This detail is not specifically required by the Sarbanes-Oxley Act, yet many companies are spending countless hours writing and revising their documentation. Flowcharting can be much less time consuming, especially if the flowcharting is designed specifically to comply with SOX.
Hope this helps.
As a bank you might have gone through the ‘BASEL’ requirements already. I had a quick reading on it recently, ‘Basel Committee on Banking Supervision Sound Practices for the Management and Supervision of Operational Risk - February 2003’ and found very many similarities with the requirements of Section 404 of SOXA, which is by far the most expensive and time consuming of all the sections.
That is, it might not be a good decision to delist just because of SOXA. Of course, it does not restrain you from being listed on the stock exchanges of other countries, but sooner or later, I believe, similar requirements - though they might not be as mandatory as SOX - would be proposed by other national corporate governance. And consider who your shareholders are. Would they be satisfied with such a decision or prefer to incur the additional costs?
It certainly does not help to take such an important decision; this is my humble contribution.
A few words about BASEL II - in order to understand the previous excellent comments from angie:
The New Basel Capital Accord (Basel II)
- The New Basel Capital Accord, more commonly known as Basel II, is fundamentally about improving risk and asset management to avoid financial disasters. Compliance requires all banking institutions to have sufficient assets to offset any risks they may face.
- If banks are going to have to set aside assets to balance possible risks, then analyzing and measuring those risks is going to be paramount.
- Nearly all jurisdictions with active banking markets require banking organizations to maintain at least a minimum level of capital. Capital serves as a foundation for a bank’s future growth and as a cushion against its unexpected losses.
- Adequately capitalized banks that are well managed are better able to withstand losses and to provide credit to consumers and businesses alike throughout the business cycle, including during downturns. Adequate levels of capital thereby help to promote public confidence in the banking system.
- The technical challenge for both banks and supervisors has been to determine how much capital is necessary to serve as a sufficient buffer against unexpected losses.
- If capital levels are too low, banks may be unable to absorb high levels of losses. Excessively low levels of capital increase the risk of bank failures which, in turn, may put depositors’ funds at risk.
- If capital levels are too high, banks may not be able to make the most efficient use of their resources, which may constrain their ability to make credit available.
- Within the financial services industry, the more widely understood financial risks, such as market risk and credit risk, have taken precedence at both senior management and board levels.
- Recently, operational risk has become increasingly prominent on the agenda of regulators, investors and management.
- Operational risk is the risk of direct or indirect losses resulting from inadequate or failed internal processes, people and systems or from external events. It includes, but is not limited to, the risk of inadequate or failed internal systems such as computer failures or fraud, compliance issues, as well as external events, including lawsuits.
Operational risk is a real challenge for Basel II, Sarbanes Oxley and many other regulations.
Basel II and Sarbanes-Oxley have little in common.
Thanks Georges for ‘elucidating’ us about the Basel II accord though on the SOX Forum.
As I could understand from your last sentence, the SOX (and especially 404 Section) is a measure to prevent financial reporting risks while the Basel II objective is to mitigate the operational risk of the financial services entities.
Personally, I believe both (Basel and SOX) request a thorough risk and methodological assessment to be undertaken by management on a continuous basis. Though the SOX focus is mainly financial risk, the risk assessment would not be complete if you do not include the evaluation of the business, transaction and operations risks to end up with the list of the related financial risks of the business environment analysed. So, it also requires an operational risk assessment, though entities, under SOX, will still get the attestation even if operational risk is not addressed. Within Basel II requirements, banks have to address them.
Am I right?
I agree with you angie.
I wrote that operational risk is a real challenge for Basel II, Sarbanes Oxley and many other regulations.
For that reason, I absolutely agree that both (Basel and SOX) request a thorough risk and methodological assessment to be undertaken by management on a continuous basis.
I wrote also that Basel II and Sarbanes-Oxley have little in common.
There are some good reasons for that. For example:
- The scope of the risk assessment is different.
Basel II operational risk project focuses on risk aspects like determining the level of capital international banks must hold to offset unforeseen risks.
SOX 404 project focuses on financial reporting. Sarbanes-Oxley attempts to ensure that financial reports are accurate and reliable. Organisations must have strong controls around financial reporting, that must be documented, tested and attested by the external auditor.
Sarbanes Oxley Act behoves companies to comply or face penalties and even executive jail time. The gravity of the consequences of failing to comply with Sarbanes-Oxley means organisations are often throwing money at the problem in a way they have been reluctant to do for Basel II or operational risk management.
Basel II seeks to convince banks to put risk controls in place, in exchange for which they’ll be able to put less capital up against it.
- Basel II is a European initiative that impacts European banks more than those in the US.
U.S. regulators plan to apply Basel II standards to a limited population of banks, in contrast to the current accord, which applies to all banks. The Fed has stated that it will only require 11 US banks to comply when the accord comes into force at the end of 2006, with another 10 or so likely to comply due to the international nature of their business. The other 8,000 or so banks will not need Basel II compliance.
The pressure of the SOX deadlines forces most banks to focus on Sarbanes-Oxley. They almost ignore Basel II for the moment.
For non-US-based companies, which have an extra year before they have to comply with Sarbanes Oxley Act, there is an opportunity for an integrated Sarbanes-Oxley, Basel II and operational risk management approach.
Banks and financial institutions currently establishing processes to comply with Sarbanes-Oxley section 404 reporting requirements can use the work done in their effort to comply with Basel II operational risk reporting requirements.
Some companies, like JP Morgan Chase, are combining Sarbanes-Oxley and Basel II under a single umbrella, with the assessments and data for both regulations kept in one place. They cut the reports in different ways for the different regulations. Other companies are isolating the compliance processes.
While Sarbanes-Oxley and Basel II may complement each other, that doesn’t mean procedures set up to comply with the former will apply seamlessly to the latter.
Thanks a lot
You are very welcome.