SOX - The Minimum to Comply

"Since there will be no further Commission extensions, it is important for all public companies and their auditors to act with deliberate speed to move toward full Section 404 compliance."
Mary L. Schapiro, SEC Chairman, October 2, 2009

The final round of public companies must now comply fully with the Sarbanes-Oxley Act after their first fiscal year end after June 15th 2010. For most companies that will be December 31, 2010.

Many have hoped or thought the legislation would be cancelled or postponed again because of the cost of complying. Those companies are now looking for “a quick fix,” and many vendors are touting such quick fixes.

In reality, there is no quick fix. One can purchase process documentation and a list of standard risks and controls for common processes, and hire a consultant to assist. However, these companies must actually adopt these processes, since the auditors will be confirming that the documented procedures are occurring within the business. Compliance should be treated as a business process reengineering project that ensures the documentation accurately reflects actual processes. Focusing on the quick fix or the “minimum to comply” often results in many companies failing, since they are merely attempting to purchase generic documentation to satisfy the legislation.

The cynic may regard this legislation as an attempt to “legislate morality,” or argue that corporate management should have been following the guidelines as “common sense management” anyway. Regardless, it is now law, and corporate managers are faced with the challenge of implementing controls, revising corporate governance rules and keeping their business profitable, or facing potential legal consequences.

One of the interesting implications of the legislation is the focus on requiring additional “independent directors.” In the past these people were often referred to as “outside directors,” meaning that they were not directly employed by the company. It was acceptable to sit on the audit committee and work for the auditing firm, leading to conflict of interest concerns. The current rules impose additional requirements on the composition of the board, leading to an increased demand for additional independent directors. Couple this with the increased demands on board members and the greater liability and workload inherent in these regulations, and the result is fewer people willing to fill board seats.

This increased liability for board members, executive management and audit committee members is now reflected in greater premiums for Directors and Officers (D&O) insurance coverage. Not surprisingly, some outside board members seek additional insurance coverage above and beyond that provided by the company before they will agree to serve. Insurance companies have been driven to investigate new methods to determine risk levels for their corporate clients and of course, premiums will continue to increase substantially. Although premiums have risen 200% to 400% over the past few years, the underwriters of D&O insurance struggle with the costs associated with the huge claims they are facing.

In order to understand the true intention of the Sarbanes-Oxley Act and all of its ramifications, it is important to understand what drove its passage. The writers of the Sarbanes-Oxley Act indicate that the Act is meant to protect investors. More importantly, the Act's ultimate goal is to build trust and confidence in the investor community that they have the correct information, which will allow them to once again enter the stock market and help companies invest in the future. This is a fundamental building block, which will allow the economy to begin to expand.

Mere compliance with the statutory provisions of the Act doesn’t satisfy the intent of the Act. To be effective, more than superficial compliance efforts are required.  Corporations must look beyond the individual provisions of the Act to see what might be triggered downstream and allow investors the confidence needed to invest in the corporation.

The Sarbanes-Oxley Act is subtitled “An Act - To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.” 

If this statement is interpreted literally, the objective of the Act is not to create criminal penalties, nor to over-regulate corporations, nor to implement new accounting guidelines per se. The objective of the Act is simply “To protect investors.” But “protecting investors” requires consideration of many matters not limited to accounting and disclosure processes. The mix of obligations, penalties and consequences detailed in the Sarbanes-Oxley Act was Congress’s immediate “process” to start “fixing” a number of significant problems. The Act was intended to cause a number of long term operational and philosophical changes that Congress could not overtly legislate. The Sarbanes-Oxley Act is merely a stepping stone toward achieving significant changes in the corporate governance process.

Congress cannot legislate high quality leadership any more than it can legislate solid ethics and values or excellent people management skills. That is, Congress can’t legislate the causes or drivers of corporate performance or malfeasance. Congress can only legislate the consequences for specific acts and behaviors. By making it illegal or more difficult to do certain things (such as falsifying revenue figures or selling stock when others can’t), Congress expects to effect operational and morality shifts in corporations. Sarbanes-Oxley is a launching pad for changes, not the final solution unto itself.

Doing the minimum to comply may get you past your initial audit, but the audits will become more difficult each and every year in the attempt to protect the investors. Doing it right the first time will reduce the overall costs of compliance. Purchasing the quick fix will only delay the inevitable.

About Visage Solutions – www.VisageSolutions.com

Visage Solutions is a consulting company operating in the areas of regulatory compliance, risk assessment, information security, risk management and compliance processes. Utilizing our proprietary SingleVue™ and OpsAudit™ methodologies, the company focuses on assisting business entities in mitigating operational risk. Visage has provided solutions to a client base ranging from private, entrepreneurial companies to large multinationals. Our team is comprised of experienced executives, managers and consultants who can assist clients with the development, implementation and execution of their risk management and compliance strategy.


"The Visage Risk assessment tool and methodology allowed us to respond to the risk assessment requirements of the FFIEC in a timely and cost effective manner."
   Robert Kernodle, SVP and Risk Officer of Cornerstone Bank

"Although there is always a degree of subjectivity in any risk assessment, the Visage Risk Assessment tool and methodology is one of the best I've seen in removing subjectivity and providing the underlying support for the scoring system."
   Patrick Camblin, Senior Partner in Camblin CPA, PLLC

Copyright © 2009 Visage Solutions, LLC.