Despite the fact that the internal control provisions of Sarbanes-Oxley become effective in less than four months, public companies are still struggling to meet the deadline and make the necessary improvements to comply.
In addition, most companies are not even tracking the money being spent on Sarbanes-Oxley related improvements to systems and procedures, making it difficult to understand the costs and value associated with the process.
Behind The Strategic 8-Ball
According to a recently study conducted by analytics firm ACL Services and the Center for Continuous Auditing, half of large U.S. companies polled are less than 60 percent complete in meeting the SOX Section 404 deadline.
And that's despite the extension of the deadline from June 15 to November 15.
The survey, which polled 248 senior audit professionals at corporations with more than $1 billion in revenue, may demonstrate a lack of strategic planning when it comes to SOX issues.
style="margin-top:6px">
clear="all">Will
"Most companies have no annual budget for ongoing compliance," notes ACL Services president and CEO Harald Will.
That's because most companies are focused on the initial attestation requirements. "Companies are busy 'doing' and not really worrying or planning about certain long-term issues," says Will.
For most companies, long-term strategic planning is difficult at a time when short-term remediation efforts have become a priority. According to Will, companies still "maintain a short-term mindset when addressing the ongoing requirements set forth in Sarbanes-Oxley."
In addition, the internal control provisions have been more challenging than most companies anticipated.
According to another survey last week by PricewaterhouseCoopers, 91 percent of companies surveyed noted that they had experienced at least some difficulty in preparing for the management assertion that SOX 404 requires.
style="margin-top:6px;margin-left:6px">
clear="all">DiFilippo
According to Dan DiFilippo, PwC's U.S. leader for governance risk and compliance, those challenges to compliance are partly to blame for the lack of strategic thinking when it comes to sustainable compliance. "I think it's partly because they're focused on just 'getting this done,' which is typcially the reaction to new regulations."
In addition, the challenge to tracking and budgeting compliance costs is increased by the 'soft' dollars affixed to remediation. "The cost is not specifically identified because it's not contained to the cost of compliance people," notes DiFilippo. "It includes some portion of other people, systems, support costs, etc. It's not a number you can easily get to," he says.
Financial Process Improvements
According to the PwC survey, the areas of greatest difficulty were related to the level of documentation and testing needed. Dealing with multiple locations also ranked high on the list of 404 challenges.
To those ends, 79 percent of the executives surveyed say their company must make improvements to comply with the internal control provisions of Sarbanes-Oxley.
According to the PwC survey, the most frequently cited area requiring remediation efforts was financial process improvements. Those areas, cited by 55 percent of the 152 senior executives at U.S.-based multinationals who responded to the survey, include financial and non-financial disclosures.
Perhaps not coincidentally, the category of financial process improvements is the one most cited in Compliance Week's list of internal control weakness disclosures by U.S. public companies.
According to the last analysis in June (available from box above, right), 45 percent of the disclosures were related to weaknesses in financial systems and procedures.
Interestingly, the second most frequently cited weakness disclosures tracked by Compliance Week, "personnel" issues, did not show up on PwC's survey.
"That's actually not surprising," notes DiFillipo, because it's among the most difficult issues to track. "Making sure that people are properly trained, that they're ethical, that they know what do—that's the hardest part, and it gets shortchanged."
According to DiFillipo, its also a harder business case to make in terms of investment.
DiFillipo also notes that financial process improvements are increasingly becoming integrated with risk assessment. "We're seeing a lot of initiative around risk, from identification to mitigation," he notes. "I think we're going to see a lot more integration of governance, risk and compliance.
The results of the studies from ACL Services and PwC are available from the box above, right.
No comments yet