Sarbanes-Oxley compliance can reduce audit costs and bring business benefits

The 2002 Sarbanes-Oxley Act, passed by the US Congress to clean up corporate America's financial reporting, is casting a long shadow over UK IT directors.

Not only does it affect any UK company with a public listing in the US and UK firms that are subsidiaries of US public companies, it is increasingly likely that its provisions will be echoed in European law before too long.

Moreover, irrespective of legislative changes, UK companies are finding that their auditors are increasingly keen for them to voluntarily adopt the practices that Sarbanes-Oxley mandates. Those that do will find it a good way to contain, and even reduce, their audit costs, as well as gain other IT and business benefits further down the line.

This is just as well, for the experience of US companies rushing to meet Sarbanes-Oxley compliance is that the cost has been high. However, not only are UK companies in less of a rush - even US-listed UK companies have a year's grace before filing - they can take advantage of the US' learning curve.

An essential lesson from the US is that, although the role of IT in achieving compliance is critical, it is the underlying business processes and internal controls that are fundamental for Sarbanes-Oxley compliance.

"There is no such thing as Sarbanes-Oxley-compliant software," said Dennis Keeling, chairman of the British Software Developers Association (Basda).

Instead of reaching for a quick-fix IT implementation, the IT director will need to commit both to a major project for achieving compliance and, crucially, to sustaining it thereafter.

"Sarbanes-Oxley compliance is not a one-off," said Keeling. "The IT director will need to seize the initiative and take control of the processes and architecture within the business. He will have a major ally in the financial director, because he has to justify the audit fee."

Uncontrolled end-user computing has resulted in many companies experiencing an explosion in the number of spreadsheets, which are used for everything, including pulling year-end accounts together. Complying with Sarbanes-Oxley will streamline these processes, leading to a likely lowering of audit fees as processes become automated.

End-user spreadsheets are classified by Sarbanes-Oxley as manual processes, and although at the moment Sarbanes-Oxley permits manual processes, it requires them to be tested regularly and substantively, increasing cost.

"For automated controls, there is typically no further audit cost after the first time they are audited, and for semi-automated controls there is typically less cost after the first time. But every manual process has to be audited every year," said Keeling.

"The purpose of Sarbanes-Oxley is to show that the final accounts are the same as the figures used in the business - often there can be no relation."

By relying on end-user spreadsheets, companies are open to both inadvertent error and, worse, deliberate fraud. "With spreadsheets, there is no audit trail, no means of verifying who did what to them and when," warned Keeling.

Companies that eradicate reliance on end-user spreadsheets in their accounting processes do more than reduce their audit costs; they also reduce their own internal costs.

"There is significant hidden cost in time and resource for set-up, maintenance, use and audit (of end-user spreadsheets) - on average more than nine times the cost of automated processes," said Keeling. "If you multiply that by the manual processes that a typical corporate runs, there is clearly huge scope for cost reduction."

The IT department will also benefit. Creeping IT devolution over the years has led to increasing loss of control over end-user computing by the IT department. Wielding a Sarbanes-Oxley project mandate gives IT a powerful lever to re-centralise IT and thereby regain control over devolved systems.

This is not just a question of having a "shoot to kill" policy on end-user spreadsheets, but one of constructing a coherent and consistent corporate IT architecture.

According to a report by Basda and PricewaterhouseCoopers, the US experience of achieving Sarbanes-Oxley compliance made most US companies realise that the systems underlying their controls and processes were fragmented and often inefficient.

However, if it can be implemented in a timely manner, without a rush to meet regulatory deadlines, Sarbanes-Oxley compliance provides an opportunity to consolidate systems.

"As a consequence, there will be a move to enterprise resource planning systems with a single dataset and audit trail, eventually replacing standalone, best of breed systems with discrete datasets and audit trails," said the Basda report.

For the IT director, Sarbanes-Oxley compliance is also an opportunity to play a leading role in a major corporate undertaking, thus demonstrating their value to the company at a senior level.

IT directors will also be under pressure to get as much business benefit as possible from the money spent on becoming Sarbanes-Oxley-compliant, over and above cost reduction.

One potential way to achieve this is to exploit the improvement in systems, processes and controls to enable business managers to have a much more up-to-date view of what is going on in the business via an executive dashboard. Indeed, Sarbanes-Oxley itself seems to be aiming eventually for much faster disclosure, which would require real-time reporting.

Achieving and maintaining Sarbanes-Oxley compliance will, like all regulatory governance, impose a cost on companies. However, with planning and foresight, plus effective leadership from IT directors, companies can leverage the investment required by Sarbanes-Oxley to bring about other business benefits, which might otherwise have struggled to be justified.

Sarbanes-Oxley compliance could be more than just a ticket to ride; it could be a passport to greater profitability.

IT considerations of compliance

  • IT asset inventory - what systems do you have and who owns them?
  • Outsourced systems - these will need to be included for Sarbanes-Oxley compliance
  • Security - who has access to financial and operational systems and are their actions traceable?
  • IT governance - which framework do you use and is it similar to that of your industry peers?
  • Interoperability and data integrity - how do systems transfer data between each other?
  • Replacing disparate best-of-breed systems with a single corporate-wide ERP system using master data and a single data set
  • Eradicating end-user spreadsheets
  • Regular testing of processes and systems against Sarbanes-Oxley requirements to ensure compliance is sustained
  • Leveraging Sarbanes-Oxley investment to consolidate IT
  • Leveraging Sarbanes-Oxley investment to support business process management and real-time reporting

Benefits of Sarbanes-Oxley

Business benefits

  • Achieves compliance ahead of likely European legislation
  • Clears a company for US listing
  • Clears a company for acquisition by a US company
  • Reduces the cost of annual audits
  • Presents an opportunity for real-time financial and business process management through the use of dashboards.

Implementing a Sarbanes-Oxley project provides an opportunity to:

  • Replace or upgrade systems
  • Refresh and consolidate IT architecture
  • Regain control of devolved IT, and centralise it
  • Forge closer links with financial director and senior management
  • Be seen to take the initiative on a major corporate programme
  • Exploit the greater financial transparency that Sarbanes-Oxley compliance affords to improve the financial management of the IT function itself.
