Better processes drive falling SOX compliance costs

A new survey found that Sarbanes-Oxley compliance is getting cheaper. Technology is a big part of it, experts say.

The financial burden of SOX compliance is slowly (but surely) starting to ease. The cost of compliance with Section 404 of the Sarbanes-Oxley Act (SOX) declined by 23% in fiscal 2006, according to a survey by Financial Executives International. The organisation found the average company spent $2.9 million on SOX compliance in 2006, versus $3.8 million in 2005 and $4.5 million in 2004.

"Technology has a lot to do with the cost reduction," said Sanjay Anand, chairperson of the Sarbanes-Oxley Institute. Public companies "are actually automating their controls. A good 20 to 30%, even as much as 40%, of the cost reduction is actually coming from automated controls rather than manual controls."

These cost reductions have come despite the fact that auditors' fees have remained relatively steady, the research revealed. External auditor fees dropped by just 11% in 2006, from $1.35 million to $1.2 million.

"There has been a slight decrease in auditor's fees," said William Sinnett, director of research at FEI. "It did go down a little bit, but not as much as companies have found efficiencies in costs internally. Those internal costs have gone down at a greater rate than auditor attestation fees."

Congress passed the Sarbanes-Oxley Act of 2002 in the wake of the financial wrongdoing at Enron Corp. and other corporate crimes, as a way to protect investors and fix the accounting practices that allowed for such abuses. Many companies have complained that the cost of complying with the law is too expensive and hurts businesses.

Last week, the Securities and Exchange Commission unanimously approved new guidelines for Section 404 of the Sarbanes-Oxley Act that could help ease the costs of complying with the law, especially for smaller companies.

Time to streamline process

According to Sinnett, the number of hours companies have spent on implementing IT-based controls has dropped significantly.

"We asked them to quantify the number of hours they spent on IT controls, putting controls in place, documenting internal controls and testing those controls," Sinnett said.

The average company devoted 4,700 work hours to IT controls in 2006, versus 6,000 in 2005.

He said the investments CIOs have made in compliance technology will also begin to drive new business benefits.

"That's the next trend we're going to see over the coming three to five years," Anand said.

Anand said SOX compliance forced many companies to really understand and document their business processes.

"As you gain more visibility into processes you can actually streamline them, compress them, make them more efficient," he said. "Once you start to make business processes more efficient from a controls standpoint, you eliminate errors and fraud. You're automatically making businesses run better."

Sinnett said companies that consolidated their IT systems tended to have lower compliance costs.

"We have anecdotal evidence on this," he said. "In talking to people, most people realised that the goal is to consolidate your systems. For every system you have in place there are a number of processes involved or attached to that system, and each process has to be documented and tested every year. So companies are looking to consolidate systems."

Sinnett said FEI's survey alluded to this trend. He said companies with centralised operations, presumably with consolidated IT systems, reported costs of $1.67 million in 2006. Decentralised companies with multiple systems reported compliance costs of $4.86 million.

"The point we would make, all other things being equal and if it works for the business, you might be better off with standardised systems that have been consolidated rather than multiple systems," Sinnett said. "Because every system has to be tested and documented, and the external auditor has to test and audit each one."

Anand said SOX compliance has demonstrated the value of IT to businesses.

"IT has always been treated as separate from the business, which is really unfortunate," Anand said. "With SOX, IT has found a place where it is integral to the business. It is respected for that and regarded for that. IT is in the board room now."

Let us know what you think about the story; email: Shamus McGillicuddy, News Writer
