Almost from the moment of passage, the Sarbanes-Oxley Act of 2002 has added to the costs of compliance for public companies. And according to a number of studies covered by Compliance Week over the past three years—including one last month by A.R.C. Morgan—companies are spending "significantly" more than anticipated on SOX compliance.

This comes as no surprise to executives like David Marberger, senior vice president and CFO of Tasty Baking Company, a $159 million food processing company based in Philadelphia. Marberger initially thought his company could handle compliance on its own by relying primarily on internal resources. However, Marberger says, “As the year went on, I began to understand the specifics of Section 404 compliance and the documentation and testing it requires” and it became clear that the company would have to draw on external consultants, making compliance more costly than expected.

Overall, the company saw compliance costs, including those for external audit and consulting support, more than double from 2003 to 2004 because of the demands of complying with SOX Section 404. “There was more involved than we anticipated—for example, the process for identifying exceptions and determining if something is a material weakness or a deficiency took more time than we thought,” says Marberger. “The devil is in the details.”

Marberger is not alone. Conversations with finance, internal audit, and compliance executives reveal that many other executives have been facing escalating compliance costs that far exceeded their initial estimates.

Nevertheless, these executives are not without the hope—and even the expectation—that the worst is almost behind them, and that the costs of ongoing compliance will begin to decline.

Scaling The Learning Curve

According to many of the executives who spoke with Compliance Week—both on and off the record—for this story, the higher compliance costs were driven to a significant degree by the steep learning curve for everyone involved.

No one had ever complied with Section 404 before, and there was little to no guidance available on how to do it. Though financial services firms already had fairly rigorous internal control requirements in place before Sarbanes-Oxley, the 404 process was new to most public companies and their auditors, specifically as it pertains to the auditing requirements newly articulated by the Public Company Accounting Oversight Board.

“We had some false starts in this process,” acknowledges Tom Arnold, vice president and corporate controller of Storage Technology Corporation [known as StorageTek], a $2.2 billion technology company based in Louisville, Colo. “We spent time on areas that turned out to be not important, and didn’t spend time in areas that turned out to be important.”

This uncertainty, echoed by many executives, caused public companies to take a more conservative approach to compliance. “When we first started our compliance effort, it was hard to know the precise level of documentation required, so it has been a learning process,” says Linda Altemus, vice president and chief compliance officer of $542 million West Pharmaceutical Services in Lionville, Pa. “This year, we will improve on what we learned.”

Like West Pharma, many companies erred on the side of doing too much when it came to Section 404 compliance, rather than risk doing too little. “We probably did more testing of controls than we needed to during the first year,” says Peggy Loyd, vice president of corporate compliance and internal audit for Westar Energy, the $1.46 billion Topeka-based utility. “Now, we are looking back on that experience to see what we can learn from it and where we can streamline the process.”

For many companies, that means eliminating unnecessary documentation and testing. “When you are in the middle of the first year of compliance, it is hard to get a feel for which controls are the key controls,” says Marberger at Tasty Baking Co. “Once you have been through documentation and testing, you can decide whether something is really a key control.”

COST EXAMPLES

Craig Robinson

Vice president of internal audit

Argosy Gaming Company

Alton, Ill.

Costs were 50 percent more than expected.

Half of the company’s additional compliance costs went to higher external audit fees and half went to outside consultants for testing and administration. Argosy Gaming Company operates in a heavily regulated industry, so the company was already conducting about 65 percent of the testing required by SOX. About 20 percent of the rest was handled by the internal audit staff and 15 percent was handled by external consultants. This year, one critical challenge is assigning the updating and maintenance of controls and documentation to the people in the business responsible for those controls. Once the company pushes that down into the business, the cost of compliance will be less significant because it will be handled in the normal course of business.

David Mathieson

Vice president and CFO

Brady Corporation

Milwaukee, Wis.

Costs are 25 percent to 30 percent higher than expected.

The company has developed documentation that can be easily maintained and Mathieson hopes that compliance costs will decline by about 50 percent once the company has gone through two years of compliance. At that point, Mathieson expects SOX compliance to become a way of doing business—rather than simply a "project"—and that this shift will naturally lead to significant cost savings.

Jean Bua

VP, controller, and chief accounting officer

Iron Mountain Inc.

Boston, Mass.

Compliance costs were about $100,000 more than expected.

Iron Mountain’s challenge was not necessarily to keep costs down, but to develop an approach that prevented the company from stretching internal resources too much. The company is working to embed compliance within the business itself so that process owners can do their own documentation and any necessary updating with financial personnel on hand to support those efforts. The best way to sustain the program is to make sure internal controls do not belong to the accountants but the people in the business. Those individuals need to understand those control points and manage their own programs themselves. Bua predicts that it will take the first three quarters of 2005 until the business people feel completely comfortable that they understand their compliance role and responsibilities.

Ben Perks

Executive vice president and CFO

Navigant Consulting

Chicago, Ill.

Navigant’s costs have been relatively low, largely because the company has only one accounting and financial reporting system, and is not dealing with a number of disparate systems. Overall, the company spent 5,000 hours internally in the first year of compliance on documenting and getting ready for its Section 404 certification. It also spent $200,000 on external consultants, although Perks originally thought that amount would be $125,000. Even so, Perks thinks the company’s costs are exceptionally low, having spoken to peers in other relatively small companies who have spent $1.5 million to $2.5 million. This year, 2005, Perks expects to spend less than half as much on external resources and less than half of the internal hours on compliance.

Tom Arnold

Vice president and corporate controller

Storage Technology Corporation

Louisville, Colo.

Compliance costs were three times more than expected.

Arnold calls compliance costs “pretty mind boggling,” and is not convinced costs will decline as quickly as people expect. The company’s costs are higher than the $3.5 million reported by most companies of similar size. The two largest cost areas are external audit fees and contract service fees.

David Marberger

Senior vice president and CFO

Tasty Baking Company

Philadelphia, Pa.

Total compliance costs almost tripled from 2003 to 2004.

Marberger says that SOX compliance costs greatly exceeded his expectations. Rather than relying on internal resources, he had to bring in outside resources and consultants. The company's implementation of an enterprise resource planning system that went live in the fourth quarter of 2004 also negatively impacted its ability to use internal resources for compliance.

Linda Altemus

Vice president and chief compliance officer

West Pharmaceutical Services, Inc.

Lionville, Pa.

Costs 30 percent higher than expected.

The company’s additional compliance spending was generally in two areas—IT and external audit fees. IT required more outside help and expertise than expected to meet the company’s system requirements and the company’s external audit fees went up more than expected. Altemus thinks costs will come down in the future as much as 30 percent.

Peggy Loyd

VP corporate compliance and internal audit

Westar Energy, Inc.

Topeka, Kan.

First year compliance costs were about $1 million.

Loyd admits that she didn’t know what to expect in terms of compliance costs, but still found SOX compliance to be more expensive than she ever dreamed it would be. The company’s audit fees more than doubled and it spent about $750,000 for external consultants. The company saved a lot of money, however, by relying on internal IT professionals to develop a system to support compliance. They completed the system within a month and at a fraction of the cost of what the company would have paid for a similar system developed outside the company.

Don Barger

Senior vice president and CFO

Yellow Roadway Corporation

Overland Park, Kan.

External spending of $8 million for 2004 and 2005, much higher than expected.

Yellow Roadway took a conservative approach to compliance because of uncertainty in the guidelines. More precisely, the company used smaller dollar amounts and a more in-depth approach to compliance, examining 1,400 controls, 120 processes, 13,000 program steps, and 40,000 samples. There have been benefits, but they have been very expensive benefits. As the company has driven compliance down into the organization, it has been able to tighten up the entire internal control process and significantly narrowed the definitions for control, process, and weakness. In general, the company has been able to more precisely define the elements of the business and the controls around them.

But that decision-making process frequently became the cause of delays and cost overruns, especially when auditors got involved. That's because companies found that the uncertainty surrounding Section 404 compliance—combined with heightened certification risk and shareholder scrutiny—made executives reluctant to take stands on certain issues.

Craig Robinson, vice president of internal audit for Argosy Gaming Company, a $1 billion casino company based in Alton, Ill., was one of the many executives to notice that dynamic.

“We ended up being conservative and testing controls in the fourth quarter that we had not anticipated testing,” he says. He recalls petty arguments with external auditors about the number of characters that should be in e-mail passwords and other issues. “In these cases, we found it was cheaper to give in than to be at risk,” he says. Calling 2004 the training ground for ongoing compliance, Robinson believes that the process will be less costly and stressful going forward because these differences of opinion have been settled and more guidance is forthcoming.

One major stumbling block for companies has been how to evaluate deficiencies, because the guidance on that issue was not released until late in the game. “It would have been helpful to know the deficiency process works early on,” says Arnold at StorageTek. Without that guidance, companies had difficulty evaluating the significance of a deficiency and identifying the best way to remediate it.

Lower Costs … When?

There have been three primary types of costs associated with the first round of SOX 404 compliance: internal labor and management attention; outside advisors to support compliance; and external accounting firms that audit the compliance effort. Though some companies told Compliance Week that they incurred additional costs—including technology acquisition and opportunity costs pinned to "internal distractions"—those types of costs were either difficult to estimate, or were one-time expenditures of less value than the three primary SOX cost categories.

According to experts, the three main SOX "line items" each have potential for cost savings now that companies are completing initial compliance.

For example, Brian Kinman, a partner with PricewaterhouseCoopers in Florham Park, N.J., predicts the level of internal effort necessary to sustain compliance will be 25 percent to 35 percent of what it was during the initial compliance effort. He also predicts that companies are unlikely to rely as heavily on consultants during subsequent years, thereby reducing those costs significantly, and that audit cost will come down as that aspect of the process becomes more streamlined.

Dan Langer, solutions director of internal audit and controls for Jefferson Wells International in Milwaukee, Wis., agrees with Kinman. “While a certain percentage [of costs] will go to ongoing testing and changing documentation as the business changes, there should be some incremental savings from last year,” he says. In a perfect world, Langer estimates that some companies—especially those that have been effective at identifying controls from the beginning—might see savings of 20 percent to 30 percent after the first year.

That being said, Langer also warns that companies will face different kinds of compliance costs in the future, especially as they begin concentrating on making compliance sustainable. “Companies will still face the costs of integrating a control mentality throughout the organization by educating people about their roles and responsibilities,” he says.

David Mathieson, vice president and CFO of Brady Corporation, a $671 million manufacturer of identification and materials solutions based in Milwaukee, is looking for a 50 percent reduction in SOX compliance costs—but not until after the second full year of compliance. “Part of the cost savings will come from compliance evolving from being a major exercise to becoming part of the way we do business,” he says. “You need to build it into DNA of company” and that takes time.

Moreover, most businesses change continually, so keeping documentation updated and controls tested will continue to be a major undertaking. And many of the companies that centralized the handling of Section 404 compliance during the first year will be working to decentralize it in subsequent years, which will require time and resources. For example, training will be key. “You need to train people to recognize a good internal control and a weak internal control,” says Mathieson. Brady Corp. has developed training for its finance professionals, as well as those in legal, operations, procurement, and other areas of the company. “We need to make sure people know what SOX is all about,” he says. The goal is to have finance and compliance staff shift to a less time-consuming guidance and oversight role, while process owners maintain required documentation.

Don Barger, senior vice president and CFO of $5.9 billion Yellow Roadway Corporation, a transportation services company in Overland Park, Kan., compares SOX compliance to the work his company does to comply with ISO 9001 issued by the International Organization for Standardization. “Both are about documenting and following procedures and having a standard way of doing things,” he says. The company’s past ISO 9001 compliance efforts have helped it to develop internal expertise in areas like continuous improvement, process mapping, and process management. “It all comes down to same thing: Having a disciplined approach to understanding processes and handling those processes in the same way every day,” says Barger.

Embedding Compliance

Efforts to embed Section 404 compliance within operations are critical to companies’ efforts to reduce long-term maintenance costs. “It is less costly to decentralize compliance because we are taking the big bucket of hours necessary for documenting and updating controls and have that work done at the property level within the normal course of business,” says Robinson at Argosy Gaming.

Many consider that decentralization process critical to control effectiveness, not simply cost-savings. “Having the documentation of controls in the hands of process owners not only will be incredibly important from a cost perspective, but it will also help to ensure that controls are functioning, efficient and effective,” adds Robinson. “When you have the same sets of eyes looking at everything, there is no way to have a comprehensive view of everything.” Indeed, Robinson expects this approach to free up finance and internal audit as they focus primarily on conducting high level review to make sure controls and procedures are effective.

Jean Bua, vice president, worldwide controller, and chief accounting officer for $1.5 billion records-management firm Iron Mountain, believes that embedding Section 404 compliance throughout the business is the only way to build a sustainable compliance effort. “Internal controls don’t belong to accountants, but to the people who handle order processing, taxes, and other areas,” says Bua. She estimates that it will take the first three quarters of 2005 for process owners to become comfortable with their compliance duties.

Westar Energy is ahead in this area because it began embedding compliance among process owners from the very beginning of the compliance effort. As a result, “we feel like we have this well in hand,” says vice president Loyd. This year, the company is focusing compliance efforts on cleaning up documentation and ensuring that everyone maintains documentation as changes occur in the company’s systems and practices.

How long it will take to embed compliance with process owners and to get them ready to maintain control documentation is likely to vary by company and process owner. Tasty Baking CFO David Marberger believes it will take two or three years for process owners in his company to get up to speed and comfortable maintaining control documentation. “Some people in the business adapt well to change, while others will not,” he says.

Employee adaptation is clearly a universal theme. Like many executives involved in SOX 404, Altemus at West Pharma has experienced some resistance from process owners who resent the additional work internal controls documentation represents. She hopes training and automating compliance will help erode that resistance over time. “Compliance has to be part of what we do every day,” she says. One of her challenges this year is to shift to a more proactive approach to internal controls documentation and testing. “As the business process changes, we need to be proactive and immediately look at whether new controls are necessary and what existing controls must change,” she says.

Building Processes

Perhaps the most important weapon executives have to battle rising compliance costs is their own willingness to learn and find more efficient ways to operate. “If you don’t have expertise and have to hire a consultant to do that work, train yourself to be able to take that over,” says Loyd.

Marberger is taking steps to help reduce future external audit costs associated with SOX compliance by making sure the company is prepared for the audit of Section 404 compliance. After all, the better prepared the company is, the less time and money it will have to spend on external auditors. “If auditors have to push things back, they will end up in a tight bind and less efficient because deadlines have slipped,” he says. “Just like in the regular audit, the company has to be ready, but it will take a couple of years to develop those routines for SOX compliance.”