Review sox globally and create light version 1788



  • A lot of whingeing on here.
    Well boo hoo guys. Public companies, or rather their officers, owe a duty of care to the stockholders of whose money they are custodians - and they have profited very nicely from this over the years.
    Most of the things you are complaining about here are NOT REQUIRED by SOX. The people running up the biggest costs on SOX are the ones that abdicate responsibility and think that they can discharge their responsibility by hiring one of the Big 4 to do the work for them.
    Companies who truly address the requirements can improve control within their businesses and derive real tangible benefits. Believe it or not there were companies out there who were already well-controlled and had virtually no cost of SOX compliance - and I can think of one of the top 5 largest US Companies for whom this was the case.
    You can criticise the Big 4 for having been overcautious in the first years of SOX - who can blame them? They are a far tastier target for class-action lawsuits than the real culprits because they have deep pockets and PII.



  • But these companies with state of the art controls were a handful only.
    SOX indeed brought in lots of required overhaul and the Foreign Corrupt Practices Act of 1977, COSO and COBIT became must do for US Corporations.



  • SOX has indeed been the catalyst for a lot of things that companies should have been doing already.

    • COSO has been around since Ronnie Reagan was in the White House.
    • COBIT’s been around for more than a decade. But I think many IT managers/CIOs saw an opportunity to action a lot of things on their wish list - I certainly have seen plenty of unnecessary remediation.
    • Auditors have been trying to get their clients to improve controls over business processes and IT for a long time. But I think they have used SOX to get items that have been on management letters for years actioned.


  • Who cares? Europe and foreign markets will continue to benefit from a poorly thought out knee-jerk reaction from the US. Those of us raking in the money in the audit firms and big businesses can count our blessings.



  • It’s only a matter of time before something very similar comes in Europe as well.
    I have to agree 100% with what Denis is saying.
    The biggest cost for us were the auditors who had to have a few extra hours in the company going over the controls. The work itself didn’t cost much.



  • There is absolutely no way that an equivalent to section 404, the key element of SOX that is upsetting the business community as it drains resources and lines the pockets of accountants, will be introduced in Europe.
    I thought Canada did the very same by passing something akin to SOX but without 404?
    I also question whether there is the same commitment to/momentum for such a draconian Act as SOX in Europe when we read that the UK are deliberately taking action to prevent SOX hitting the London Stock Exchange should the NYSE buy them out.



  • Draconian, eh?
    My dictionary says that draconian means ‘Exceedingly harsh; very severe’. Which provisions of SOx are actually draconian?



  • FYI
    Canada and Japan have their own SOX version. Did anybody ask a question why did they go for such a law? Europe is not far away.
    All the best.



  • Good question. Perhaps I am unfairly tarring the SOX Act with the exceedingly harsh interpretation of it by the External Auditors who have the terrible task of trying to maximise profit whilst minimising the risk of any adverse review of their SOX work. Either way I believe that the burden of proof required for ‘coal face’ operations is exceedingly harsh, particularly when SOX was born in an environment of Board room deliberations/manipulations.
    That being said I have seen two positives. SOX has focused the attention of both the IT and change management functions to ensure that their processes are more robust and better controlled.



  • You must be under some misapprehension here.
    The SOx Act places a great many burdens on the CEO and CFO - ultimately exposing them to lengthy prison terms if they fail to comply. Onerous requirements are placed on boards as a whole and non-executive directors.
    Some hefty requirements are also placed on those money grabbing auditors as well as taking major income streams away from them.
    The Sox act creates no ‘coal-face’ requirements by itself - Boards of Directors do that to protect themselves.



  • Hello,
    It’s true that severe measures can be taken when one’s not compliant with sox. However, it hasn’t been the case so far and I doubt if it will ever come to that. CEO/CFO can officially get 20 years but when it comes to that I believe that the responsibility will be shared over the board of directors and the auditing firm.
    I get the feeling that a lot of auditors here focus too much on the positive side of sox. The feedback I’m getting from colleagues around the world (in major multinationals) is somewhat different. Rising costs, lack of vision, extra workload, overkill on processes.
    Besides the big 4 auditing for sox, it would be good if they could do an extra audit to decrease sox-cost by reducing unnecessary controls and measures taken.



  • Good debate,
    I like what SOX says in theory, but in practice I do feel there is too much focus on the lower levels. It’s top mgt that needs to be controlled, and their egos dampened.
    However, while I agree with some of StopSox’s points I’ve got to admit to being pro-ethics and governance. It’s about time that doing things right was actually at the forefront of people’s thinking. I can only see a continuing upward trend in the coming years for increased corp. responsibility and governance.
    Which is why fundamentally I’m in favour of SOX and what it’s trying to achieve. It just needs a bit of tweaking.
    HOWEVER,
    The main concern is the costs involved with compliance. Does anybody know if the high costs of SOX have had a negative effect on companies’ abilities to carry out other socially responsible activities?
    SOX may actually be more trouble than it’s worth.



  • I get the feeling that a lot of auditors here focus too much on the positive side of sox. The feedback I’m getting from colleagues around the world (in major multinationals) is somewhat different. Rising costs, lack of vision, extra workload, overkill on processes.
    FYI, I’m not an auditor, and my company have had lots of benefits come out of the SOX process. Although we weren’t badly managed before, we’re even better now.
    Personally, I would think all the reasons you list have to do with bad project management for the SOX projects, not the Act itself. Yes, we’ve had issues too, but nothing that we can’t overcome. All in all, as far as I know, we’ve spent way below what the industry average for an international company our size has.



  • I get the feeling that a lot of auditors here focus too much on the positive side of sox.
    Adding more regulations and controls wasn’t welcome by most firms. As the SOX standards had to be written for self-regulation of a wide range of industries, it’s subject to interpretation and improper implementations.
    Still after a few years now, most public companies have accepted it as a cost of doing business. There’s not a lot of choice other than to see the glass as ‘half full’ and get the most out of the effort and expense. Whether you see SOX as positive or negative, it’s better to plan and get the most of the required effort.
    There are benefits, if companies use SOX as an opportunity for improvement in the financial and IT controls in an optimal manner. For example, they have much more accurate financial information, it can be helpful to management in planning new business ventures. As an IT person, I’ve even seen cases where automation and improved workflows have helped things.
    The feedback I’m getting from colleagues around the world (in major multinationals) is somewhat different. Rising costs, lack of vision, extra workload, overkill on processes.
    I agree that SOX requirements need more clarity, better examples, and perhaps other improvements. However, a half-hearted and poorly implemented effort may lead to these factors as well. Certainly, more has to be done in simplifying many areas subject to interpretation.
    I’d also like to see costs reduced but that may not be realistic. In some ways, we’re like the whole class of students being punished for the acts of a few. Still companies can help themselves by planning and getting good up-front training before forging ahead too far.
    Costs and implementation experiences also depend on the company’s IT, audit and financial control standards prior to implementing SOX. SOX has fit better into very well run companies using the best IT, audit, and financial practices.



  • I get the feeling that a lot of auditors here focus too much on the positive side of sox. The feedback I’m getting from colleagues around the world (in major multinationals) is somewhat different. Rising costs, lack of vision, extra workload, overkill on processes.
    For the record I am not an auditor and work for a (very) large multinational. I have now worked on 5 SOx projects and have performed s404-like work for more than a decade.
    My experience is that the companies who are having the most troubles are the ones that are seeing SOx compliance as just a box-ticking exercise. As I said before I see a far bigger issue in execution than I do in the Act itself.
    These companies often make themselves over-reliant on consultants to achieve compliance for them without a clear idea of what it is they are trying to achieve - this creates a twin problem of lack of ownership and having set up the consultants to fleece you because you don’t really know what you want. This is often compounded by not devoting the right internal resource to support the project/ongoing compliance. All of this also makes it harder for the auditors to get what they need to fulfill their obligation - thus pushing up costs.
    I have met countless directors and senior management in many companies that can talk the talk on how important SOX is - but few of them ever really mean it.



  • To sum it up high SOX costs due to bad project management (not planning proper resources management), hiring incompetent consultants (suggesting extra controls and not challenging big 4 save face strategies) and not using internal synergies (by overrelying on incompetent consultants instead of cross functional control self assessments).



  • Chaava
    spot on - we spent most of our first year pushing back against our Externals - now in year three and total ‘key’ controls is down from 265 to 67 for our BME division. (Mainly due to changes at senior levels in our external auditor).
    The workload does reduce once controls are automated / part of the culture of the company - i.e. if people know they have to comply (and will be found out if they don’t) then they will comply making your life easier.
    Yes SOX was painful to implement but the key points are to make sure management lead it and not the external auditors, plan it up front and treat it as a project, and ensure the board buy in - and make sure the management team are targeted on achieving compliance (i.e. hit their pay packet if you don’t.) works wonders
    cheers



  • I agree that poor project management (or in our case bad advice/changing advice from our external auditor) contributes significantly to up front costs of complying with SOX.
    What it does not excuse is the ongoing direct costs in the region of a few GBP million for additional management structures and more importantly external audit fees purely for SOX.
    Where the debate may be complicated is that the legislation is a broad brush approach across a variety of business. I am no business expert but I’d wager that there is a significantly greater burden for a financial services organisation seeking to comply with SOX than for a widget manufacturer.



  • You said Financial Services, well, you may have one more compliance viz. Basel II. Please confirm this.



  • What it does not excuse is the ongoing direct costs in the region of a few GBP million for additional management structures and more importantly external audit fees purely for SOX.

    Why the cost for new management structures?
    SOX does not mandate that we change our management structure in order to comply? Just because you have a thin organization does not mean that you cannot have good internal controls.
    Now, if you previously relied on your external auditor to assist with your tax calculations and SEC filings and to find errors before your financial statements were issued, then I can see the expense for additional management costs, but in that scenario, auditors are not really independent and the management team needs to be beefed up.

