Review sox globally and create light version



  • Denis, you are right in the simplicity of 404. But the key is in your point b that the auditors must express an opinion. Bottom line is that means they are making the rules about how to interpret SOX and what it takes to ‘pass’. And, of course, the more complex the rules and the more difficult and time-consuming they are to implement, the bigger their fees.
    Now, as an independent consultant who has spent the last two years documenting and testing internal controls for compliance with SOX, I am certainly not complaining. Like many independents, it has been a windfall for me. But, the truth is that it really is more complicated and costly than it needs to be.



  • StopSOX
    We understand your frustrations.
    But, your company may not be following the cost saving strategy on SOX Compliance.
    I have heard about the SAP tool manager. My co-brother who is working as a SAP system administrator is pretty happy. Please note that he is not into SOX compliance. Basically his efforts are mainly operational by virtue of being a SAP professional. This tool has other benefits, such as the history of changes, through which he can pinpoint the cause of the current bug. It pays to be organized and getting organized through technology is the best option. A stitch in time saves nine.
    Regarding your team issue, SOX does not rigidly require that you send a corporate team to audit all over the world. You can implement a CSA (control self assessment) methodology whereby you make the resident employee perform control testing based on samples and test scripts provided by the centralized location. This model is being followed by IBM. The system can be monitored through automated SOX solutions such as Certus, which are expensive upfront but a good sustenance tool for years to come.
    I can go on and on.
    It is agreed that richies bitchies were behind the frauds for Enron, Adelphia and Worldcom. Don’t you think that SOX has stopped the recurrence because of a deterring section 906 penalty of 20 years? This has also made external auditors move back to risk and control based audits that they abandoned in the 1990’s.
    So SOX was a welcome change. Of course, it turned out to be a milking cow initially, but the cost is far fetched.



  • What has caused companies to spend so much money on this is related to their failure to take responsibility and ownership of their business controls in the past.
    Great discussions 🙂
    I particularly thought Kymike’s point is key. What often happens is a failure to plan, research requirements, and get good up-front training for SOX requirements. Both planning and education make a vital difference. Also, if the overall SOX coordinator or external auditors aren’t on the ‘right page’ with the true requirements, inefficiencies can be further exacerbated :(
    I’ve personally seen both good and bad IT implementations related to SOX 404 and other standards. A bad implementation of SOX will add that extra burden of 30% or more.
    Executives should continually question the efficiency of SOX, just like any other business workflow. They should evaluate SOX workflows, documentation requirements, sample testing, and other aspects to ensure the team is doing the right things and not accept all rules or requirements at face value.
    I agree with our original poster that SOX is going to add work and costs to an organization. But if it ain’t done right, the company has made things much worse for themselves.
    Below is a recent related thread:
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums-and-file=viewtopic-and-t=1768



  • That was a great heated discussion.
    4 years gone and the lawmakers themselves are not certain what they want out of the ACT. 😄
    I fully agree with Stopsox. I am pretty sure, everybody looks at the acknowledgement/credits section of any Global standard/Guideline document (like Cobit). 99% of the credit goes only to guys from BIG Four.
    Moral of the story. BIG FOUR WANTS their business to grow, and they generate their own business by Designing standards which they alone can follow.
    Like stopsox puts it, more than the money, it is the effort required from the end users, that kills the spirit.
    Wonder, why SEC does not explicitly bring out a statement on relying on Specific quality standards (like ISO, BS etc) and waive few sections of SOX compliance in lieu of them.
    Whoaaaaaaaa that would take away some business from big four.
    Let’s continue to suffer from SOX…
    Cheers



  • A lot of whingeing on here.
    Well boo hoo guys. Public companies, or rather their officers, owe a duty of care to the stockholders of whose money they are custodians - and they have profited very nicely from this over the years.
    Most of the things you are complaining about here are NOT REQUIRED by SOX. The people running up the biggest costs on SOX are the ones that abdicate responsibility and think that they can discharge their responsibility by hiring one of the Big 4 to do the work for them.
    Companies who truly address the requirements can improve control within their businesses and derive real tangible benefits. Believe it or not there were companies out there who were already well-controlled and had virtually no cost of SOX compliance - and I can think of one of the top 5 largest US Companies for whom this was the case.
    You can criticise the Big 4 for having been overcautious in the first years of SOX - who can blame them? They are a far tastier target for class-action lawsuits than the real culprits because they have deep pockets and PII.



  • But these companies with state of the art controls were a handful only.
    SOX indeed brought in lots of required overhaul and the Foreign Corrupt Practices Act of 1977, COSO and COBIT became must do for US Corporations.



  • SOX has indeed been the catalyst for a lot of things that companies should have been doing already.

    • COSO has been around since Ronnie Reagan was in the White House.
    • COBIT’s been around for more than a decade. But I think many IT managers/CIOs saw an opportunity to action a lot of things on their wish list - I certainly have seen plenty of unnecessary remediation.
    • Auditors have been trying to get their clients to improve controls over business processes and IT for a long time. But I think they have used SOX to get items that have been on management letters for years actioned.


  • Who cares? Europe and foreign markets will continue to benefit from a poorly thought out knee-jerk reaction from the US. Those of us raking in the money in the audit firms and big businesses can count our blessings.



  • It’s only a matter of time before something very similar comes in Europe as well.
    I have to agree 100% with what Denis is saying.
    The biggest cost for us were the auditors who had to have a few extra hours in the company going over the controls. The work itself didn’t cost much.



  • There is absolutely no way that an equivalent to section 404, the key element of SOX that is upsetting the business community as it drains resources and lines the pockets of accountants, will be introduced in Europe.
    I thought Canada did the very same by passing something akin to SOX but without 404?
    I also question whether there is the same commitment to/momentum for such a draconian Act as SOX in Europe when we read that the UK are deliberately taking action to prevent SOX hitting the London Stock Exchange should the NYSE buy them out.



  • Draconian, eh?
    My dictionary says that draconian means ‘Exceedingly harsh; very severe’. Which provisions of SOx are actually draconian?



  • FYI
    Canada and Japan have their own SOX version. Did anybody ask a question why did they go for such a law? Europe is not far away.
    All the best.



  • Good question. Perhaps I am unfairly tarring the SOX Act with the exceedingly harsh interpretation of it by the External Auditors who have the terrible task of trying to maximise profit whilst minimising the risk of any adverse review of their SOX work. Either way I believe that the burden of proof required for ‘coal face’ operations is exceedingly harsh, particularly when SOX was born in an environment of Board room deliberations/manipulations.
    That being said I have seen two positives. SOX has focused the attention of both the IT and change management functions to ensure that their processes are more robust and better controlled.



  • You must be under some misapprehension here.
    The SOx Act places a great many burdens on the CEO and CFO - ultimately exposing them to lengthy prison terms if they fail to comply. Onerous requirements are placed on boards as a whole and non-executive directors.
    Some hefty requirements are also placed on those money grabbing auditors as well as taking major income streams away from them.
    The Sox act creates no ‘coal-face’ requirements by itself - Boards of Directors do that to protect themselves.



  • Hello,
    It’s true that severe measures can be taken when one’s not compliant with sox. However, it hasn’t been the case so far and I doubt if it will ever come to that. CEO/CFO can officially get 20 years but when it comes to that I believe that the responsibility will be shared over the board of directors and the auditing firm.
    I get the feeling that a lot of auditors here focus too much on the positive side of sox. The feedback I’m getting from colleagues around the world (in major multinationals) is somewhat different. Rising costs, lack of vision, extra workload, overkill on processes.
    Besides the big 4 auditing for sox, it would be good if they could do an extra audit to decrease sox-cost by reducing unnecessary controls and measures taken.



  • Good debate,
    I like what SOX says in theory, but in practice I do feel there is too much focus on the lower levels. It’s top mgt that needs to be controlled, and their egos dampened.
    However, while I agree with some of StopSox’s points I’ve got to admit to being pro-ethics and governance. It’s about time that doing things right was actually at the forefront of people’s thinking. I can only see a continuing upward trend in the coming years for increased corp. responsibility and governance.
    Which is why fundamentally I’m in favour of SOX and what it’s trying to achieve. It just needs a bit of tweaking.
    HOWEVER,
    The main concern is the costs involved with compliance. Does anybody know if the high costs of SOX has had a negative effect on companies’ abilities to carry out other socially responsible activities?
    SOX may actually be more trouble than it’s worth.



  • I get the feeling that a lot of auditors here focus too much on the positive side of sox. The feedback I’m getting from colleagues around the world (in major multinationals) is somewhat different. Rising costs, lack of vision, extra workload, overkill on processes.
    FYI, I’m not an auditor, and my company have had lots of benefits come out of the SOX process. Although we weren’t badly managed before, we’re even better now.
    Personally, I would think all the reasons you list have to do with bad project management for the SOX projects, not the Act itself. Yes, we’ve had issues too, but nothing that we can’t overcome. All in all, as far as I know, we’ve spent way below what the industry average for an international company our size has.



  • I get the feeling that a lot of auditors here focus too much on the positive side of sox.
    Adding more regulations and controls wasn’t welcome by most firms. As the SOX standards had to be written for self-regulation of a wide range of industries, it’s subject to interpretation and improper implementations.
    Still after a few years now, most public companies have accepted it as a cost of doing business. There’s not a lot of choice other than to see the glass as ‘half full’ and get the most out of the effort and expense. Whether you see SOX as positive or negative, it’s better to plan and get the most of the required effort.
    There are benefits, if companies use SOX as an opportunity for improvement in the financial and IT controls in an optimal manner. For example, they have much more accurate financial information, it can be helpful to management in planning new business ventures. As an IT person, I’ve even seen cases where automation and improved workflows have helped things.
    The feedback I’m getting from colleagues around the world (in major multinationals) is somewhat different. Rising costs, lack of vision, extra workload, overkill on processes.
    I agree that SOX requirements need more clarity, better examples, and perhaps other improvements. However, a half-hearted and poorly implemented effort may lead to these factors as well. Certainly, more has to be done in simplifying many areas subject to interpretation.
    I’d also like to see costs reduced but that may not be realistic. In some ways, we’re like the whole class of students being punished for the acts of a few. Still companies can help themselves by planning and getting good up-front training before forging ahead too far.
    Costs and implementation experiences also depend on the company’s IT, audit and financial control standards prior to implementing SOX. SOX has fit better into very well run companies using the best IT, audit, and financial practices.



  • I get the feeling that a lot of auditors here focus too much on the positive side of sox. The feedback I’m getting from colleagues around the world (in major multinationals) is somewhat different. Rising costs, lack of vision, extra workload, overkill on processes.
    For the record I am not an auditor and work for a (very) large multinational. I have now worked on 5 SOx projects and have performed s404-like work for more than a decade.
    My experience is that the companies who are having the most troubles are the ones that are seeing SOx compliance as just a box-ticking exercise. As I said before I see a far bigger issue in execution than I do in the Act itself.
    These companies often make themselves over-reliant on consultants to achieve compliance for them without a clear idea of what it is they are trying to achieve - this creates a twin problem of lack of ownership and setting up the consultants to fleece you because you don’t really know what you want. This is often compounded by not devoting the right internal resource to support the project/ongoing compliance. All of this also makes it harder for the auditors to get what they need to fulfill their obligation - thus pushing up costs.
    I have met countless directors and senior management in many companies that can talk the talk on how important SOX is - but few of them ever really mean it.



  • To sum it up, high SOX costs are due to bad project management (not planning proper resources management), hiring incompetent consultants (suggesting extra controls and not challenging big 4 save face strategies) and not using internal synergies (by overrelying on incompetent consultants instead of cross functional control self assessments).

