Sarbanes-Oxley - Is it working?
The Basics: SOX, enacted in 2002, is one of the most controversial pieces of corporate legislation introduced in recent times. It was established to better organizational transparency and governance, and improve managerial accountability to shareholders in a post-Enron world. The Act includes provisions for quarterly certification of financial results (Section 302) and management's annual assertion that internal controls over financial reporting are effective (Section 404). Section 404, which has received most attention from publicly traded firms, requires formation of an accounting oversight board, the maintenance and evaluation of adequate internal control structures and processes as they pertain to financial reporting, an attestation examination by independent auditors and the consequent disclosure of material weaknesses.
What's the price? The methods and implications of SOX have led many firms to believe that the costs of compliance far outweigh the benefits. For example, 48% of the respondents to a survey conducted by CFO magazine (September 2003) responded that they will spend at least $500,000 on SOX compliance. An allied result was argued by Deloitte - large firms have, on average, spent nearly 70,000 additional man-hours complying with the act (The Economist, May 2005). The perceived benefits of the statute, however, are less immediate and tangible - fewer incidents of accounting fraud, better internal controls and supporting infrastructure, and quality business processes.
SOX and BPO: The complexity and ambiguity underlying quantification of compliance costs and benefits turn more pronounced at the intersection of SOX and BPO. In the case of outsourced business processes that are deemed pertinent to the user firm’s financial reporting, the user firm will either (i) need to conduct an evaluation of the service provider’s controls or (ii) obtain a SAS No. 70 service auditor's report from the service provider to gain an understanding of its controls. It is perceived that compliance may increase the short-term costs of BPO (including learning and audit costs) but will decrease over a long-term period. The user firm saves on service audit costs, and analogous to quality certifications such as CMM, the demonstration of adequate controls will help the service provider build trust with its clients and reduce the costs of multiple audits.
What's the price? The methods and implications of SOX have led many firms to believe that the costs of compliance far outweigh the benefits. For example, 48% of the respondents to a survey conducted by CFO magazine (September 2003) responded that they will spend at least $500,000 on SOX compliance. An allied result was argued by Deloitte - large firms have, on average, spent nearly 70,000 additional man-hours complying with the act (The Economist, May 2005). The perceived benefits of the statute, however, are less immediate and tangible - fewer incidents of accounting fraud, better internal controls and supporting infrastructure, and quality business processes.
SOX and BPO: The complexity and ambiguity underlying quantification of compliance costs and benefits turn more pronounced at the intersection of SOX and BPO. In the case of outsourced business processes that are deemed pertinent to the user firm’s financial reporting, the user firm will either (i) need to conduct an evaluation of the service provider’s controls or (ii) obtain a SAS No. 70 service auditor's report from the service provider to gain an understanding of its controls. It is perceived that compliance may increase the short-term costs of BPO (including learning and audit costs) but will decrease over a long-term period. The user firm saves on service audit costs, and analogous to quality certifications such as CMM, the demonstration of adequate controls will help the service provider build trust with its clients and reduce the costs of multiple audits.