This week marks the five-year anniversary of the Sarbanes-Oxley Act of 2002. The legislation has proven to be a boon to many accountants and auditing firms, but a bane to many public companies.
Much of the focus has been on Section 404, which mandates that the internal controls at public companies be audited to help safeguard against fraud. The legislation is intended to avoid the kinds of accounting debacles that occurred at companies such as Enron, WorldCom and Tyco, and led to the downfall of Arthur Andersen.
But as SOX heads into its sixth year, pressure has been mounting to soften the rules and make them less onerous and expensive for companies to follow. Companies large and small have been complaining about the high costs of SOX compliance. The Securities and Exchange Commission has repeatedly delayed implementation of the 404 audit rules for small companies. While SEC Chairman Christopher Cox has been warning that small companies need to start getting ready, the SEC may have to grant a deferral yet again, at least on the auditing certification requirements.
Last week, the SEC approved Auditing Standard No. 5, or AS5, which is intended to make the audit process more efficient by taking a "top-down, risk-based approach and focus on the most important matters." While AS5 is still intended to keep audit quality high, some of the other efforts underway to relax SOX requirements have observers worried, particularly investors. The Center for Audit Quality released a survey this week that showed two-thirds of investors said they would be concerned by any easing of audit rules.
While the cost of compliance may be high, it's worth it in terms of allaying investor fears. KPMG's 404 Institute has released its own survey this week, which found that some companies have managed to implement SOX compliance programs that meet regulatory standards and the needs of the business while outpacing the market in lowering costs.
The key, according to KPMG, is to centralize controls that are preventive, rather than detective, in nature. Firms and companies also need to improve their use of automation to achieve lower costs and better efficiency. Compliance efforts need to be embedded in the business and made a part of day-to-day operations for employees.
The debate over SOX isn't likely to go away anytime soon, and many companies and their lobbyists are sure to keep pushing for looser standards. But if they want investors to have confidence in their financials, setting up a smart compliance program is the way to go, especially if they want to stay out of trouble with the SEC.
