For a detailed discussion on the impact of SOX on IT audit and controls, see Information technology controls.
The SEC identifies the COSO framework by name as a methodology for achieving compliance. The COSO framework defines five areas which, when implemented, can help support the requirements set forth in the Sarbanes-Oxley legislation. These five areas and their impacts for the IT department are as follows:
• Risk Assessment. Before the necessary controls are implemented, IT management must assess and understand the areas of risk affecting the completeness and validity of the financial reports. They must examine how the company's systems are being used and the current level and accuracy of existing documentation. The areas of risk drive the definition of the other four components of the COSO framework.
• Control Environment. An environment in which the employees take ownership for the success of their projects will encourage them to escalate issues and concerns, and feel that their time and efforts contribute to the success of the organization. This is the foundation on which the IT organization will thrive. Employees should cross train with design, implementation, quality assurance and deployment teams to better understand the entire technology lifecycle.
• Control Activities. Design, implementation and quality assurance testing teams should be independent. ERP and CRM systems that collect data, but feed into manual spreadsheets are prone to human error. The organization will need to document usage rules and create an audit trail for each system that contributes financial information. Further, written policies should define the specifications, business requirements and other documentation expected for each project.
• Monitoring. Auditing processes and schedules should be developed to address the high risk areas within the IT organization. IT personnel should perform frequent internal audits. In addition, personnel from outside the IT organization should perform audits on a schedule that is appropriate to the level of risk. Management should clearly understand and be held responsible for the outcome of these audits.
• Information and Communication. Without timely, accurate information, it will be difficult for IT management to proactively identify and address areas of risk, and they will be unable to react to issues as they occur. IT management must demonstrate to company management an understanding of what needs to be done to comply with Sarbanes-Oxley and how to get there.
Cost of implementation
Some people in the business community have acknowledged that, as John Thain, CEO of the New York Stock Exchange, states, "There is no question that, broadly speaking, Sarbanes-Oxley was necessary". However, the cost of implementing the new requirements has led to widespread questioning of how effective or necessary the specific provisions of the law truly are.
For companies, a key concern is the cost of updating information systems to comply with the control and reporting requirements. Systems which provide document management, access to financial data, or long-term storage of information must now provide auditing capabilities. In most cases this requires significant changes to, or even complete replacement of, existing systems which were designed without the needed level of auditing detail.
Costs associated with SOX 404 compliance have proven to be significant. According to the Financial Executives International (FEI), in a survey of 217 companies with average revenue above $5 billion, the cost of compliance was an average of $4.36 million. The high cost of compliance throughout the first year can be attributed to the sharp increase in hours charged per audit engagement.
As more companies and auditors gain experience with SOX 404, audit costs have been falling. Audit firm revenues are still higher than they were prior to the Act, although audit fees were rising prior to the Act, partly as a result of the accounting scandals that prompted the Act.
The future of SOX 404 compliance
In a recent article by the accounting and consulting firm of Deloitte Touche Tohmatsu entitled "Under Control", the need for "sustainable compliance" is encouraged. The article suggests leveraging lessons learned to shift to a long-term strategy. The following areas are described as impediments to the process:
• "Project mindset: ... many companies understandably treated section 404 compliance as a discrete project with a clearly defined ending point."
• "Overextension of internal audit: If management continues to utilize internal audit for intensive 404 and 302 compliance-related work, then a significant infusion of resources (i.e., budget and headcount) to accommodate the additional workload will be needed."
• "Poorly defined roles: Internal control-related roles and responsibilities, often poorly defined and segregated from the day-to-day routine of employees during the first year, will require greater clarity and integration going forward"
• "Improvisational approach: Another symptom of deadline pressure showed up in the jerrybuilt practices that carried many companies through the first year."
• "Underestimation of technology impacts and implications: ...IT is recognized as critical for achieving the goals of the Act, and the impact and implications of technology are widely regarded as significant and pervasive. In many year-one projects, organizations focused heavily on business processes and did not consider the broader role that IT plays in managing financial information and enabling controls... IT will make a huge impact on compliance going forward. At a minimum, technology investments will be necessary to support sustainable compliance in several areas, including repository, work flow, and audit trail functionality. Technology will also be used to enable the integration of financial and internal control monitoring and reporting - a critical requirement at most large and complex enterprises."
• "Ignored risks: Effective internal control is predicated on risk... the controls themselves - exist expressly for the purpose of minimizing the risk of financial reporting errors... In year one, risk assessment was treated as an afterthought - if addressed at all."
The future of SOX 404 will depend on the ability of businesses to respond to the areas noted above by making compliance a part of everyday business. Deloitte has developed the "Sustained Compliance Solution Framework". Key areas of the framework are also taken from "Under Control":
• Effective and efficient processes for evaluating testing, remediation, monitoring, and reporting on controls
• Integrated financial and internal control processes
• Technology to enable compliance
• Clearly articulated roles and responsibilities and assigned accountability
• Education and training to reinforce the "control environment"
• Adaptability and flexibility to respond to organizational and regulatory change.
• Deloitte and the other auditing industry firms will generate significant revenue from these elaborate exercises.
• Both the authors of the bill Paul Sarbanes and Michael Oxley have announced that they will retire after the end of the 2006 term.
• Some companies, mostly smaller ones (less than $30 MM in market capitalization), that used to be publicly traded have de-listed and become privately held in part because of the requirements of SOX compliance and the associated costs. Many other companies have become publicly traded since SOX went into effect. Fewer than 20% of the CFOs of companies large enough to go public that have declined to do so cite SOX as a reason that their companies remained private.
• Some companies have initiated very time consuming and costly internal standards that are beyond what is actually required for SOX compliance.
• On 22 October 2006, the nationally syndicated newspaper comic The 5th Wave by Rich Tennant featured a punch line which mentioned SOX.