Tallying the Cost of the Sarbanes-Oxley Act

By Jill M. D’Aquila

E-mail Story
Print Story
Although the Sarbanes-Oxley Act (SOA) was enacted two years ago, some of its provisions are still being implemented. One such provision is SOA section 404, which requires companies to file a management assertion and auditor attestation on the effectiveness of internal controls over financial reporting, starting with fiscal years ending on or after November 15, 2004. Section 404 is just one of several provisions of the Sarbanes-Oxley Act related to internal control.

The new provisions that emphasize the importance of internal control have obvious benefit. Internal control is defined by the Committee of Sponsoring Organizations (COSO) as a process designed to provide reasonable assurance regarding the reliability of financial reporting, among other things. A standard rule of thumb for internal control, however, is that the benefits should outweigh the costs. While it is too soon to determine with certainty the full costs associated with Sarbanes-Oxley compliance, they will certainly be considerable.
Audit fees are expected to increase approximately 38% during the first year of compliance with section 404, according to a survey of public companies by Financial Executives International (FEI) in January 2004.

The survey also reveals that total costs of first-year compliance with section 404 could exceed $4.6 million for each of the largest U.S. companies (companies with over $5 billion in revenues). Medium-sized and smaller companies will also incur significant additional costs to comply with section 404, the survey finding an average projected cost of almost $2 million. Interestingly, the projected costs are higher than originally anticipated based on an FEI survey conducted the previous year.

This projected increase is consistent with PricewaterhouseCoopers’ June 2003 survey of 136 U.S.-based multinational corporations, which revealed that the number of senior executives describing SOA compliance as costly had nearly doubled since its enactment, from 32%
to 60%.

In a speech to the National Press Club in July 2003, SEC Chairman William H. Donaldson said, “These are landmark rules; they will require hard work and significant expenditures in the short run by corporations,
but in the long term they will result in sounder processes and more reliable financial reporting.” On the other hand, almost half of the Pricewater-houseCoopers survey respondents believe SOA is a “well-meaning attempt, but will impose unnecessary costs on companies.” To consider the cost-benefit relationship, it is helpful to determine the areas where the costs of the compliance may be borne.

Direct Costs

Accounting and audit fees. Probably the most obvious costs are accounting and auditing fees. The projected $2 million first-year cost of compliance with section 404 reported by FEI in January 2004 is based on the following estimates (the lower and upper ranges represent annual revenues of less than $25 million and over $5 billion, respectively):

  • Approximately 12,000 hours of internal work, ranging from 1,150 to 35,000 hours;
  • 3,000 hours of external work, ranging from 846 to 6,197 hours;
  • Additional audit fees of $590,000, ranging from $52,000 to $1.5 million.

Barry S. Augenbraun, senior vice president and corporate secretary of Raymond James Financial, Inc., a worldwide financial services firm, stated:

In our own case, informal conversations with our outside auditors as we began preparations to comply with the requirements of Section 404 of [SOA] indicated that we could anticipate the costs for the “attest” report to add anywhere from 20% to 30% to our audit fees. The expansion of that engagement to a comprehensive audit will likely significantly increase that cost. Furthermore, it is likely that the costs that will be incurred by our internal staff will equal or exceed the payment to our outside auditors. Additional audit cost is not a “free good.” It adversely impacts the profitability—and therefore the competitiveness—of American companies, and can adversely affect the functioning of our business system at a time when American business is already under significant pressure.

A specific accounting-related function that is taking on new meaning is the internal audit, given the heightened focus on internal controls. A nationwide survey of 300 CFOs at publicly held companies, conducted by Protiviti Independent Risk Consulting in 2003, indicates that many companies are hiring additional personnel or either outsourcing or co-sourcing a number of important internal audit functions. Approximately 38% of CFOs surveyed indicate that they do not have an internal audit department. Even those who have an internal audit department indicate they are looking outside the company to perform some of the work.

The PricewaterhouseCoopers survey noted above indicated an approximate 3 to 1 ratio of internal to external new compliance costs. The following aspects of compliance were rated as at least somewhat costly:

  • Documentation (mentioned by 74% of respondents);
  • Legal requirements (72%);
  • Detailed policy development (65%);
  • Self-assessment (62%);
  • Attest requirements and certifications (59%);
  • Staff training (56%); and
  • Technology (41%).

Documentation—the most frequently cited aspect of compliance—has been a big focus for Christopher Baudouin, of Jupitermedia Corp.:

Documenting internal control is the major thing. Initially, there’s work being done writing manuals. Of course, we will have to continually update them and maintain them. We are careful how we allocate manpower within the department. We have increased the staff. We’ve also purchased software to assist us. The cost of the audit will increase since there will be more testing.

Boards of directors and audit committees. A 2004 PricewaterhouseCoopers survey of CFOs and managing directors indicated that boards and board audit committees had increased the time and effort spent on corporate governance over the past year. Directors are expected to have more input on company issues. Approximately half of audit committees are holding longer meetings and are meeting more frequently. Compensation paid to board members is rising, but only modestly. In fact, only 29% of boards that reported spending more time were rewarded with increased compensation. Only 10% of boards plan to increase compensation over the next year.

More important than the modest increase in compensation, other costs, such as liability insurance and outside consulting fees, are also rising. Liability insurance, which insures against personal liability for a wrongful act, will increase with the escalation of claims over the last few years. Boards are hiring outside lawyers and consultants for advice on their expanded role. In fact, new SEC requirements specifically give audit committees the authority to engage independent counsel and other advisors that they determine necessary to carry out their duties. The 2004 PricewaterhouseCoopers survey reported that 31% of audit committees have engaged outside advisors to assist in meeting new requirements. Similarly, KPMG Audit Committee Roundtable discussions with approximately 2,400 audit committee members and other executives in 2003 disclosed that 44% of audit committee members had or would retain external advice over the next year.

Indirect Costs

Going public. According to a study conducted last year by the law firm Foley & Lardner, senior management of public middle-market companies expect costs directly associated with going public to increase by almost 100% as a result of new compliance provisions. Not surprisingly, the number of companies going private in the one-year period after the enactment of SOA has increased. Although the absolute dollar costs are higher for large companies, the cost burden appears to fall disproportionately on smaller companies. If young, growing companies must seek alternative sources of financing to going public, their cost of capital will likely rise.

Decision-making and productivity. Will companies become more cautious and risk-adverse in the post-SOA environment? If it takes longer to review major decisions, will companies be less likely to make deals? Will the increased focus on compliance affect productivity? The answer to all of these questions: Probably. If employees are spending additional hours on things such as fine-tuning internal controls, evaluating and reevaluating financial reports, and compiling more information for their board of directors, other important activities are likely to suffer.

The “independent” director. A more indirect cost associated with directors may stem from the new emphasis on the role of the “independent director.” SOA section 301, which is also effective starting in 2004, stipulates that all audit committee members be independent, defined as “not receiving, other than for service on the board, any consulting, advisory, or other compensatory fee from the issuer, and as not being an affiliated person of the issuer, or any subsidiary thereof.” In addition, a majority of the board of directors must be independent. The benefit of independent board members is their objectivity in providing general oversight of the company. Independent directors are in a sense, however, part-timers; their knowledge of the company is more limited than that of the senior executives they oversee. They also lack direct access to financial information, which they must obtain from management. Some audit committees are hiring individuals who can help them more fully understand company dealings.

Small and mid-sized companies, which often lack internal audit departments or in-house counsel, will most likely feel the costs of SOA compliance more than large companies. For example, while the Protiviti survey indicates that 38% of CFOs polled report they do not have an internal audit department, only 9% of CFOs working for large companies (more than $500 million in annual revenues) do not have an internal audit department. Smaller companies will have to hire more staff or outsource such services. According to the Price-waterhouseCoopers 2003 survey, 58% of executives at smaller companies (annual revenues of under $1 billion) believe compliance is costly, versus 38% of executives at larger companies (annual revenues of over $1 billion).

Costs and Benefits

COSO’s Internal Control—Integrated Framework suggests that companies consider the relative costs and benefits when establishing internal controls. In the section on cost/benefit relationships, COSO states the following: “The challenge is to find the right balance. Excessive control is costly and counterproductive.” Much of the accounting profession believes that changes were needed. When asked if the benefits of Sarbanes-Oxley are worth the cost, Frank Brown, partner and leader of global assurance and business advisory services at PricewaterhouseCoopers, notes that “Five years from now, if there’s an improvement in confidence by the market, improvement of the veracity of financial info, etc., then any costs will be worth it.” Time will tell.

Jill M. D’Aquila, PhD, CPA, is an associate professor of accounting at Iona College, New Rochelle, N.Y




















The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2009 The New York State Society of CPAs. Legal Notices