Friday, December 02, 2005

Sarbanes-Oxley – a short introduction

The US Public Company Accounting Reform and Investor Protection Act, commonly known as the Sarbanes-Oxley Act after its sponsors, Senator Paul Sarbanes and Representative Michael G. Oxley – SOX, Sarbox or SOA for short – became law in 2002 following a series of corporate financial scandals, including those affecting Enron, Arthur Andersen, and WorldCom. The Act aims to protect investors by imposing greater auditor independence and corporate responsibility, and by improving the accuracy and reliability of corporate financial disclosures. It set up the Public Company Accounting Oversight Board (PCAOB) and specified new criminal penalties.

Applying to all companies issuing securities (shares) in the United States, the Act is organised under eleven ‘Titles’, the major provisions of which include:

  • Companies must publish independent annual audit reports on their internal controls relating to financial reporting.
  • Certification of financial reports by CEOs and CFOs.
  • Companies must now have an externally certified internal audit function.
  • Longer gaol sentences and larger fines for corporate executives who ‘knowingly and willfully’ misstate financial statements.
  • Prohibition on audit firms providing extra "value-added" services to their clients, including actuarial services, legal services and extra services (such as consulting).

Section 404 and IT

Section 404 – the reporting of internal financial controls and reports – is a key area for compliance. It is also the area where the greatest investment, including in IT systems, is needed. For IT firms Sarbox is a jackpot, with a worldwide market for information management systems for compliance estimated to grow to $20 billion in 2009. The vital elements of 404 compliance are:

  • Effective and efficient processes for monitoring and reporting on controls
  • Integrated financial and internal control processes
  • Technology to enable compliance
  • Clearly articulated roles and responsibilities and assigned accountability
  • Education and training to reinforce the “control environment”
  • Adaptability and flexibility to respond to organizational and regulatory change.

Cost of compliance

The estimated total cost of Sarbox compliance for US companies in 2005 is $5.8 billion (28% on IT, 42% internal resources, 29% outsourced). For smaller companies the costs are proportionally higher than for large corporations. One US investor has suggested that these costs may encourage start-ups to list on the London Stock Exchange’s AIM market rather than the NASDAQ.

Dissident voices

Although the Act was passed with near unanimity, some politicians and business commentators now say it may have gone too far. UK Prime Minister Tony Blair has suggested that it is too broad in scope, compliance too expensive and that it ‘has provided a bonanza for accountants and auditors, the very professions thought to be at fault in the original scandals.’

What does this mean for the rest of the world?

Companies not issuing securities in the US may receive requests from US trading partners for more information about contractual relationships, but the UK and Europe have no plans to follow the US lead. However, there are parallels with the new UK requirement for firms to include an Operating and Financial Review (OFR) in their annual reports. Although intended as a ‘light touch’ instrument, this too requires the CEO to sign it off as covering all ‘material’ matters likely to affect the company’s performance.