Whether they believe in the merits of Sarbanes-Oxley or not, executives at public companies may be interested in the findings of two new reports related to the Act, both of which predict reductions in the Year Two costs associated with complying with Section 404, the much-maligned provision of the law that deals with internal control over financial reporting.
The reports—one by the NASDAQ Issuer Affairs Committee and the American Electronics Association, and the other by audit firm Deloitte & Touche—are the latest in ongoing efforts by various segments of the business community to put a price tag on what the onerous provision has cost—and what it will cost—public companies.
The studies are particularly important, because a survey by PricewaterhouseCoopers released earlier this year noted that many companies don’t even track the cost of compliance. A July “Management Barometer” by PricewaterhouseCoopers, based on interviews with 152 CFOs and managing directors of U.S. companies, found that—despite complaints by some about the increased costs and regulatory burden imposed by Sarbanes-Oxley—56 percent said their company does not track and report internally on the costs of SOX and other compliance programs.
According to the latest survey by the NASDAQ and the AeA, Year Two SOX costs are only expected to decrease an average of 7.4 percent overall. That study, based on a survey of executives from 298 companies, found that large cap companies expect a 13.9 percent decrease in total year-two SOX costs, small cap companies estimate a 9.6 percent decrease, while micro cap companies estimate an increase of 0.7 percent in SOX costs from the prior year.
The report noted that expectations regarding Year Two SOX costs vary based on market value. Three-quarters of large cap companies and 65 percent of small cap companies believe SOX costs will decrease in Year Two, while micro cap companies’ expectations are split, 45 percent anticipating a decrease and 41 percent anticipating an increase in SOX costs.
Executives from NASDAQ could not be reached for comment on the findings.
Wagner
While the Deloitte & Touche report did not specify how much companies expect costs to decrease, Stephen Wagner, managing partner for Deloitte’s U.S. Center for Corporate Governance, told Compliance Week, “Using last year as a benchmark, as the biggest year of costs associated with 404 for companies that have been required to comply, I suspect we’d see overall declines approaching 30 percent or more, and possibly higher, over time.”
Wagner was “somewhat surprised” at the NASDAQ reported estimate of 7.4 percent. “While 7.4 percent is a meaningful decline, I would’ve expected it to be higher because the documentation effort isn’t anywhere near as severe as it was in Year One,” said Wagner. “I would’ve thought the number would’ve been higher than that.”
Still, Deloitte’s Wagner noted that the cost reductions aren’t an automatic, and that they won’t happen overnight.
“It’s incumbent upon companies to execute strategies that will result in reductions in cost. Those reductions won’t just happen,” said Wagner. “Many companies are not yet employing top-down approach to their overall compliance program; we’re seeing many companies repeating what they did last year.”
Six Factors
The Deloitte & Touche report, also released this month, is based in part on a survey of representatives of 70 companies who participated in a series of roundtable discussions on the implications of the law held in May, and in part on observations by leaders from Deloitte based on the firm’s Sarbanes-Oxley engagements.
When asked the approximate amount included in their budget for 404 compliance (excluding fees associated with the independent auditor’s internal control attestation), among companies with less than $500 million in annual revenue, 54 percent budgeted less than $500,000 for Year Two of 404 compliance. Thirty-eight percent of those companies said they budgeted between $500,000 and $2 million, while 8 percent said they budgeted $2 million to $5 million for Year Two compliance.
Among companies with annual revenues of $500 million to $2 billion that responded, the majority (61 percent) budgeted $500,000 to $2 million for Year Two; slightly more than a quarter (26 percent) of that group budgeted less than $500,000, and 13 percent budgeted between $2 million and $5 million for Section 404 compliance.
Among the largest companies (those with annual revenue of more than $2 billion), nearly a third (32 percent) budgeted between $500,000 and $2 million, while almost as many (29 percent) budgeted $2 million to $5 million. Fifteen percent of the largest companies said they budgeted $5 million to $10 million for Year Two, while the same number said the budgeted less than $500,000. Another 6 percent plan to spend $10 million to $20 million, and 3 percent have budgeted more than $20 million.
The report notes that, since the majority of first-year Section 404 compliance costs were internal in nature and/or start-up costs, most of the decrease is expected to be in those areas. Deloitte & Touche cited six factors it expects to contribute to the decline in costs:
Completion of first-year documentation activities. “The first year documentation effort was fairly substantial for most companies,” said Wagner. “Most companies deployed internal resources and external resources to document their control activities in Year One. That was a relatively costly effort that doesn’t have to be repeated in Year Two.”
Repetition of assessment activities. The learning curve is always steepest in the first year. As control assessment activities are repeated in subsequent periods, companies should be able to execute them more efficiently, noted Wagner.
Decreased remediation costs. Many companies had to remediate control deficiencies in the first year of compliance. Unless other deficiencies arise, remediation costs should be lower in the second year.
Streamlined testing by issuers. Companies may be able to eliminate duplicative controls and/or eliminate the testing of controls because of materiality or relevance considerations. While specifics will vary based on a company’s circumstances, many companies can expect to reduce testing activities.
Additional regulatory guidance. New guidelines for auditors and issuers from the Securities and Exchange Commission and the Public Company Accounting Oversight Board released in May provided clarification and examples regarding risk assessment, a top-down approach to planning the engagement, and benchmarking tests. Although the specific implications will vary based on an issuer’s circumstances, the guidance should enhance the efficiency of the work performed by management and the auditor in many instances, according to Deloitte.
Enhanced communication between issuers and independent auditors. According to the Deloitte report, SEC and PCAOB have clarified that management can discuss internal control and accounting issues with the auditor without jeopardizing independence if reasonable protocols are followed. "The SEC and the PCAOB encouraged early and consistent communication between issuers and auditors, which should enhance efficiency in year two," notes Deloitte.
“The guidance from the PCAOB didn’t arrive until almost half the year was done, which made it difficult for companies who had already begun their effectiveness testing and may have done broader testing than they needed to,” noted Wagner. “If they apply the top-down and risk-based approach recommended by the SEC and PCAOB, it results in companies fine-tuning their approach.”
“It’s like taking a rifle shot as opposed to a shot gun blast,” said Wagner. “You have a cleaner line of sight—the result is a more streamlined efficient process.”
Lastly, Deloitte said enhanced communication between issuers and independent auditors based on that May guidance, which clarified that management can discuss internal control and accounting issues with the auditor without jeopardizing independence if reasonable protocols are followed, would also help lower costs.
“A combination of all of those things, much of which will happen in year two, three, four and five, should result in fairly significant declines in the overall cost of compliance,” said Wagner. “That’s what we heard in the roundtables, and it’s what we’re seeing in our auditor work we’re undertaking now—I think the potential for reductions in cost is significant, but the effort to get there is also significant.”
Meanwhile, the NASDAQ/AeA survey found that while 88 percent of respondents are aware of the additional guidance from the PCAOB, only 72 percent have discussed it with their external auditor.
For those who had discussed the new guidance with their auditor, 28 percent expected no change in approach by their external auditor in year two, and only 9 percent expect major changes to integrate cost reduction recommendations. Among those who do expect changes, integrating the Section 404 audit with financial statement audits is being most widely implemented, NASDAQ reported.
According to the NASDAQ/AeA findings, nearly a third of companies (30 percent) haven’t discussed year-two fee expectations with their auditor.
Both reports are available in the box above, right.
No comments yet