| Sarbanes-Oxley
Act Improves Investor Confidence, But at a Cost
OCTOBER
2005 - A survey by Financial Executives International (FEI)
found that public companies have incurred greater than expected
costs to comply with section 404 of the Sarbanes-Oxley Act
(SOA). The
average total cost for the first year of SOA section 404
compliance was $4.36 million, up 39% from the $3.14 million
companies had expected to pay, based upon a July 2004 FEI
cost survey. The increase stems largely from a 66% leap
in external costs for consulting, software, and other vendors,
and a 58% increase in the fees charged by external auditors.
The
survey asked 217 public companies with average annual revenues
of $5 billion to gauge their SOA section 404 compliance
costs. Their total costs of compliance averaged $1.34 million
for internal costs, $1.72 million for external costs, and
$1.30 million for auditor fees. (See the Exhibit
for a comparison of actual costs to previously estimated
costs, and www.fei.org for more details.)
Companies
Say Costs Exceed Benefits
Just
over half (55%) of the companies surveyed believe section
404 gives investors and other external users more confidence
in a company’s financial reports, and 83% of large
companies (over $25 billion in annual revenues) agree. Significantly,
however, nearly all respondents (94%) said the costs of
compliance exceed the benefits.
In
general, companies applaud the added focus on internal controls,
but many respondents believe that the level of detail required
is impractical and bureaucratic. “The spirit was right
on,” wrote one respondent. “However,
the execution to the level of detail that was required was
much more than necessary.”
“Now
that we’ve gone through the first run of this mammoth
compliance effort, it’s time to review what we have
learned and identify ways to improve the annual assessment
process going forward,” said FEI President and CFO
Colleen Cunningham. “Essentially, section 404 is well
intentioned, but the implementation effort is guilty of
overkill. Going forward, we recommend that regulators allow
auditors to rely on the cumulative knowledge gained from
earlier 404 work, and not simply start from scratch when
it is time to re-assess companies. Furthermore, we suggest
a true risk-based audit approach that defines key controls,
allowing for auditors to obtain a reasonable assurance of
the integrity of a company’s systems.”
Back
to the Future
When
asked about year 2 costs, 85% of respondents said they expect
nonauditor expenditures to decrease (by an average of 39%),
and 68% said they believe the costs of their primary auditor
will also decrease (by an average of 25%).
In
order to improve the effectiveness and efficiency of the
section 404 process, companies reported whether they agreed
with the following top recommendations:
-
Allow for a more risk-based audit approach (71% agreed
with this recommendation)
-
Reduce the degree of documentation (66% agreed)
-
Provide flexibility for remediating control problems (60%
agreed)
-
Increase the judgment allowed in aggregating deficiencies
(55% agreed)
-
Permit roll-forward procedures (54% agreed).
About
Section 404
SOA
section 404 requires each company’s annual report
to contain 1) a statement of management’s responsibility
for establishing and maintaining an adequate internal-control
structure and procedures for financial reporting; and 2)
management’s assessment, as of the end of the company’s
most recent fiscal year, of the effectiveness of the company’s
internal-control structure and procedures for financial
reporting. Section 404 also requires the company’s
auditor to attest to and report on management’s assessment
of the effectiveness of the company’s internal controls
and procedures for financial reporting.
|