Review sox globally and create light version



  • Hello,
    It’s true that severe measures can be taken when one’s not compliant with sox. However, it hasn’t been the case so far and I doubt if it will ever come to that. CEO/CFO can officially get 20 years but when it comes to that I believe that the responsibility will be shared over the board of directors and the auditing firm.
    I get the feeling that a lot of auditors here focus too much on the positive side of sox. The feedback I’m getting from colleagues around the world (in major multinationals) is somewhat different. Rising costs, lack of vision, extra workload, overkill on processes.
    Besides the big 4 auditing for sox, it would be good if they could do an extra audit to decrease sox-cost by reducing unnecessary controls and measures taken.



  • Good debate,
    I like what SOX says in theory, but in practice I do feel there is too much focus on the lower levels. It’s top mgt that needs to be controlled, and their egos dampened.
    However, while I agree with some of StopSox’s points I’ve got to admit to being pro-ethics and governance. It’s about time that doing things right was actually at the forefront of people’s thinking. I can only see a continuing upward trend in the coming years for increased corp. responsibility and governance.
    Which is why fundamentally I’m in favour of SOX and what it’s trying to achieve. It just needs a bit of tweaking.
    HOWEVER,
    The main concern is the costs involved with compliance. Does anybody know if the high costs of SOX have had a negative effect on companies’ abilities to carry out other socially responsible activities?
    SOX may actually be more trouble than it’s worth.



  • I get the feeling that a lot of auditors here focus too much on the positive side of sox. The feedback I’m getting from colleagues around the world (in major multinationals) is somewhat different. Rising costs, lack of vision, extra workload, overkill on processes.
    FYI, I’m not an auditor, and my company have had lots of benefits come out of the SOX process. Although we weren’t badly managed before, we’re even better now.
    Personally, I would think all the reasons you list have to do with bad project management for the SOX projects, not the Act itself. Yes, we’ve had issues too, but nothing that we can’t overcome. All in all, as far as I know, we’ve spent way below what the industry average for an international company our size has.



  • I get the feeling that a lot of auditors here focus too much on the positive side of sox.
    Adding more regulations and controls wasn’t welcome by most firms. As the SOX standards had to be written for self-regulation of a wide range of industries, it’s subject to interpretation and improper implementations.
    Still after a few years now, most public companies have accepted it as a cost of doing business. There’s not a lot of choice other than to see the glass as ‘half full’ and get the most out of the effort and expense. Whether you see SOX as positive or negative, it’s better to plan and get the most of the required effort.
    There are benefits, if companies use SOX as an opportunity for improvement in the financial and IT controls in an optimal manner. For example, they have much more accurate financial information, it can be helpful to management in planning new business ventures. As an IT person, I’ve even seen cases where automation and improved workflows have helped things.
    The feedback I’m getting from colleagues around the world (in major multinationals) is somewhat different. Rising costs, lack of vision, extra workload, overkill on processes.
    I agree that SOX requirements need more clarity, better examples, and perhaps other improvements. However, a half-hearted and poorly implemented effort may lead to these factors as well. Certainly, more has to be done in simplifying many areas subject to interpretation.
    I’d also like to see costs reduced but that may not be realistic. In some ways, we’re like the whole class of students being punished for the acts of a few. Still companies can help themselves by planning and getting good up-front training before forging ahead too far.
    Costs and implementation experiences also depend on the company’s IT, audit and financial control standards prior to implementing SOX. SOX has fit better into very well run companies using the best IT, audit, and financial practices.



  • I get the feeling that a lot of auditors here focus too much on the positive side of sox. The feedback I’m getting from colleagues around the world (in major multinationals) is somewhat different. Rising costs, lack of vision, extra workload, overkill on processes.
    For the record I am not an auditor and work for a (very) large multinational. I have now worked on 5 SOx projects and have performed s404-like work for more than a decade.
    My experience is that the companies who are having the most troubles are the ones that are seeing SOx compliance as just a box-ticking exercise. As I said before I see a far bigger issue in execution than I do in the Act itself.
    These companies often make themselves over-reliant on consultants to achieve compliance for them without a clear idea of what it is they are trying to achieve - this creates a twin problem of lack of ownership and having set up the consultants to fleece you because you don’t really know what you want. This is often compounded by not devoting the right internal resource to support the project/ongoing compliance. All of this also makes it harder for the auditors to get what they need to fulfill their obligation - thus pushing up costs.
    I have met countless directors and senior management in many companies that can talk the talk on how important SOX is - but few of them ever really mean it.



  • To sum it up, high SOX costs are due to bad project management (not planning proper resources management), hiring incompetent consultants (suggesting extra controls and not challenging big 4 save face strategies) and not using internal synergies (by over-relying on incompetent consultants instead of cross functional control self assessments).



  • Chaava
    spot on - we spent most of our first year pushing back against our Externals - now in year three and total ‘key’ controls is down from 265 to 67 for our BME division. (Mainly due to changes at senior levels in our external auditor).
    The workload does reduce once controls are automated / part of the culture of the company - i.e. if people know they have to comply (and will be found out if they don’t) then they will comply making your life easier.
    Yes SOX was painful to implement but the key points are to make sure management lead it and not the external auditors, plan it up front and treat it as a project, and ensure the board buy in - and make sure the management team are targeted on achieving compliance (i.e. hit their pay packet if you don’t.) works wonders
    cheers



  • I agree that poor project management (or in our case bad advice/changing advice from our external auditor) contributes significantly to up front costs of complying with SOX.
    What it does not excuse is the ongoing direct costs in the region of a few GBP million for additional management structures and more importantly external audit fees purely for SOX.
    Where the debate may be complicated is that the legislation is a broad brush approach across a variety of businesses. I am no business expert but I’d wager that there is a significantly greater burden for a financial services organisation seeking to comply with SOX than for a widget manufacturer.



  • You said Financial Services, well, you may have one more compliance viz. Basel II. Please confirm this.



  • What it does not excuse is the ongoing direct costs in the region of a few GBP million for additional management structures and more importantly external audit fees purely for SOX.

    Why the cost for new management structures?
    SOX does not mandate that we change our management structure in order to comply? Just because you have a thin organization does not mean that you cannot have good internal controls.
    Now, if you previously relied on your external auditor to assist with your tax calculations and SEC filings and to find errors before your financial statements were issued, then I can see the expense for additional management costs, but in that scenario, auditors are not really independent and the management team needs to be beefed up.



  • Oooh the arrogance to assume we have thin management structures. In a highly regulated industry with products that are heavily scrutinised by government, policy-holders, other FS bodies and third parties, I would say we already have more than enough staff focused on risk, compliance, fraud, etc. But for all these staff, for all these controls, these are not good enough for the auditors’ interpretation of SOX because they want to look at it from a different angle and not rely/cannot rely on these controls.
    No matter how much everyone rambles on about risk based auditing, likelihood of material mis-statement, etc, I would suggest that the auditors are primarily still concerned with maximising profit whilst minimising the risk of any litigation. As a result they remain focused on controls that give them comfort (after all they still build the goal posts between which we have to score) irrespective of our own views.
    Tax calculations and SEC filings are easy. They’re self contained within the environs of the Finance Departments and are easily controlled. The complexity comes from the need to go into every aspect of the business, because everything is financial, and test the variety of financial products sitting on a number of different systems. This takes up most of our own and our auditors’ time yet is very low risk given the high volume, low value transactions that are then scrutinised by all the parties referred to earlier.
    Why additional management costs? Because all this information has to be gathered up and presented back to the auditors so that they can understand it. We considered self certification, minimal staff time but insufficient for auditor reliance. With one member of staff dedicated to SOX compliance/testing and costing be 50,000 per annum can save me more than that in reduced audit fees. We have considered removing the SOX team but the cost benefit analysis shows that the external audit fees will increase such that it would be more expensive to satisfy SOX requirements without them.
    Chhaava - Basel II will have an impact although my knowledge is somewhat limited here. I am hoping our SOX work will help (so that is a bonus.) although does this only really impact Banks? I have not looked into this yet as we have a separate team and I am dedicated to resolving SOX issues. What confuses me is that this standard keeps getting postponed and I am never quite sure what we are going to need to do - perhaps the sponsoring organisations have foreseen the possible compliance costs and questioned whether cost outweighs the value.



  • The SOX work should complement BASEL II. Other requirements for BASEL II are deemed operational for SOX. Self Assessment is the best solution and Big 4 are researching whether they can rely on Self Assessments performed by client. They should at least for remote locations.



  • Oooh the arrogance to assume we have thin management structures. In a highly regulated industry with products that are heavily scrutinised by government, policy-holders, other FS bodies and third parties, I would say we already have more than enough staff focused on risk, compliance, fraud, etc. But for all these staff, for all these controls, these are not good enough for the auditors’ interpretation of SOX because they want to look at it from a different angle and not rely/cannot rely on these controls.

    Do you mind stating who your auditor is? It sounds to me like it is time for a new auditor.



  • I thought it might but I still thought it only related to banks and not the insurance and assurance businesses? I also wondered how it compared to the Integrated Prudential Source Book that the FSA require us to use in the UK that also looks at capital risk, credit risk and liquidity risk, etc. which we already abide by (although in truth don’t add anything that our SOX work can rely on). Also has a date been set for compliance, I note updated versions continue to be issued?
    kymike - auditors are KPMG. New auditors - probably not. Believe it or not they have been very good and what has been done and agreed has been quite innovative. I think their interpretation of SOX is not unreasonable eg reliance on our testing, required documentation, etc and falls in line with PCAOB requirements. I would still maintain that it is the generalisations that SOX was based on that throw up these issues.



  • Yes. Basel II is not applicable to you.



  • We have KPMG as well. My feeling is that they are pretty easy on us in our UK business. We have one incremental headcount for our global business dedicated to SOX. The remainder of the work has been spread out amongst the control owners with our internal audit team performing some quality review work.
    I have noticed, however, that the work performed by the external auditors will vary from partner to partner. You may have just drawn an extremely conservative partner who feels that he needs to have more work done on your business than another would choose to do.



  • Exactly, it boils down to partner to partner and sometimes staff level also. Because of demand there is a dearth of talented auditors, making this Big 4 approach recent grads (sent to audit within two days of joining without requisite orientation which we had to take even after three years articleship/internship when joining them from smaller firms (non Big 8 in those days)).



  • Just a few comments in response.
    I agree there is a degree of inconsistency between partners and firms. I even noted it within a firm on the same account that had locations around the world.
    As I said before, taking our auditors’ perspective, given what they are testing I think most of their demands are reasonable. In fact our working relationship is very constructive.
    Going back to the start of this dialogue I was complaining about the unnecessary level of work needed to comply with SOX. If I look at income I have millions of low value receipts. Looking at our various life products we find that many schemes are FRAG’d, audited or similar on a regular basis. We also report regularly to external monitoring bodies who also access our data and audit us. Together these would give me very strong comfort that we are not misstating our income (particularly with our bank reconciliations in tow).
    But income is a line entry on our P-and-L, we cannot rely on 3rd parties for evidence, therefore we must show that at least 70% of our line item cannot be wrong which means going into the business and translating the controls into financial reporting ones and then undertake testing. This has to be done through a combination of self certification, internal testing and external audit, and because we have so many products and systems this becomes a significant piece of work.
    I appreciate that this is unusual and most businesses are not in the same position as us. But this is why I contend that 1) SOX has had a significant negative impact both in cost and time and 2) the risk that SOX should be addressing is how management manipulate the data rather than the accuracy of the data itself.
    We do have a permanent SOX team of around 6 staff at present. This has reduced the risk that operations have bought into SOX and over time we should see a positive move, it has led to a better use of resources by minimising audit fees and also because of the major restructuring that is impacting the Financial Services business in Europe with highly publicised redundancies and relocation of work to India etc we need to make sure we stay on top of that.
    Interestingly our Internal Audit have refused to get involved with SOX claiming it impacts their ‘independence’. This is a senior management decision so I have had to improvise.
    Chaava - Basel will impact because we do have a banking business but it is only one aspect of our company. I think I will put it on hold until 2007 - I can only hold so many hoses at any given time.

