November 30, 2005
What exactly is SOX compliance? As we read the law, it specifies a requirement for transparency of disclosure and an acceptance of responsibility for same by management. The attestation requirement in a nutshell is (1) once a year tell the SEC about your internal controls system, (2) once a year disclose where your systems are weak, and (3) once a quarter, report any material changes you have made to your internal controls.
SOX does not specify a minimum level of implementation for "internal controls" per se. It specifies only that the framework used for evaluation be one established by a body or group that has followed due process. Our analysis of potential legal liability indicates that criminal infractions and even the risk of shareholder litigation are probably elevated by a failure to disclose the true condition of internal controls.
Regulators, managers and investors all want the same thing: to know what’s going on. Thus we see a push from the audit community for "minimum implementation levels." But this push seems to be driven more by a chicken-and-egg trap that perplexes more than it solves.
Audit firms need to certify an "accepted framework" with the Public Companies Accounting Oversight Board (PCAOB) in order to receive certification as a public company auditor. This seems to have resulted in a due process that has created a one-size-fits-all solution, a solution that fits like a straitjacket.
According to anecdotal reports, the institutionalization of SARBOX procedures makes internal controls more opaque than ever before. They seem far more attuned to protecting auditors and consultants from their own risks of litigation than to improving anything for the SEC registrant, which is left to produce new mountains of paper and add non-operations staff to repeatedly fill out lengthy questionnaires.
Many companies report that they actually knew more about what was going on inside their companies before all these frameworks were adopted. Some boards of directors we have heard from report that they have added a new line item to their G/Ls called "Compliance." They now track two sub-ledger categories: specific costs incurred to execute compliance tasks, and incremental costs added to existing functions because of compliance. These activity-based costs are not pleasantly received by corporate America.
Consider that the 2004/2005 generation of compliance procedures was constructed in an environment of high paranoia, something to be expected following any new and far-reaching law. Consider further that these early procedures were aimed at exploring tools for use by accelerated filers with essentially unlimited budgets. America’s top-tier companies are known to be rather extreme in their quests to "do what it takes" to hyper-insulate the CEO from danger. The fact that the outcome of this ad hoc R&D process is both onerous and inefficient comes as no great surprise.
The biggest SOX implementation consultancies charge using a billing rate model measured in $100K per $1 billion of revenue increments, a mere 1/100th of a percent. Small change, they say, in the grand scheme of things. But these implementation costs do not scale down, making smaller companies bear a grossly disproportionate burden in terms of carrying the consultants.
If the SOX cost numbers scaled down, compliance for a company with annual revenues less than $1 billion would average about $1,300.00 vs. $4.4 million for the 20% of all filers above $1 billion in revenue. This is clearly not the case. Public company filers with less than $1 billion in revenue have to contend with "generally used practices" for attestation compliance that price as high as $100K per $1M of revenue once direct and incremental costs are factored in.
No wonder that smaller companies in the non-accelerated filer community see only pain, heartache and bankruptcy in SOX. The affordability question for non-accelerated filers therefore boils down to a simple question: how much is enough to get the attestation job done without bankrupting the SEC registrant in the process?
Law firms, when asked, do point out that legal compliance is based on accurate disclosure, but most companies have to date relied on implementation guidance from their accounting firms and SOX process consultants, who seem to have largely missed this nuance. A key issue we see for 2006 is to refine the appropriate interplay between the legal and audit sides of the coin in this process.
There remain forces in play that push SOX in the direction of the onerous and unaffordable. There is fear mongering within certain branches of the research and investment community that threatens CEOs with stock price collapses if they comply and accurately disclose the status of their internal controls. These fear mongers hope only to take advantage of the arbitrage, and indeed stand to make more money if things stay opaque. We see waves of investment in non-attestation costs driven by this fear, a waste of resources under already difficult economic circumstances for many companies, and a sad state of affairs.
So what can the SEC do? The Commission can encourage reporting of the status of internal controls by registrants and discourage overspending on cleaning up the scorecards. The PCAOB can help as well by encouraging the audit community to adopt procedures that focus more on verifying the state of their clients’ internal controls rather than holding their clients hostage to checklists of "one size" systems implementations.
Developing an affordable reporting environment without forcing public companies into the proverbial straitjacket should be the regulatory community’s objective. If the preponderance of the market complies with the law and discloses the condition of internal controls along the same general lines of reporting, there would be no net arbitrage for fear mongers to feed on. Transparency would be increased. And the public-good, national-interest objective of SOX would be achieved after all.