How to Reduce Costs when Complying with SOX 404

Section 404 contains the most onerous and most costly requirements you’ll ever encounter in the Sarbanes-Oxley Act (SOX). In this article, we?ll take a closer look at the salient points of this contentious piece of legislation as it relates to IT. We?ll also explain why companies are encountering difficulties in complying with it.

Then as soon as we’ve tackled the main issues of this section and identify the pitfalls of compliance, we can then proceed with a discussion of what successful CIOs have done to eliminate those difficulties and consequently bring down their organisation’s IT compliance costs. From this post, you can glean insights that can help you plan a cost-effective way of achieving IT compliance with SOX.

SOX 404 in a nutshell

Section 404 of the Sarbanes-Oxley Act, entitled Management Assessment of Internal Controls, requires public companies covered by the Act to submit an annual report featuring an assessment of their company?s internal controls.

This ?internal control report? should state management’s responsibility in establishing/maintaining an adequate structure and a set of procedures for internal control over your company?s financial reporting processes. It should also contain an assessment of the effectiveness of those controls as of the end of your most recent fiscal year.

Because SOX also requires the public accounting firm that conducts your audit reports to attest to and report on your assessments, you can’t just make baseless claims regarding the effectiveness of your internal controls. As a matter of fact, you are mandated by both SEC and PCAOB to follow widely accepted control frameworks like COSO and COBIT. This framework will serve as a uniform guide for the internal controls you set up, the assessments you arrive at, and the attestation your external auditor reports on.

Why compliance of Section 404 is costly

Regardless which of the widely acceptable control frameworks you end up using, you will always be asked to document and test your controls. These activities can consume a considerable amount of man-hours and bring about additional expenses. Even the mere act of studying the control framework and figuring out how to align your current practices with it can be very tricky and can consume precious time; time that can be used for more productive endeavours.

Of course, there are exceptions. An organisation with highly centralised operations can experience relative ease and low costs while implementing SOX 404. But if your organisation follows a largely decentralised operation model, e.g. if you still make extensive use of spreadsheets in all your offices, then you’ll surely encounter many obstacles.

According to one survey conducted by FEI (Financial Executives International), an organisation that carried out a series of SOX-compliance-related surveys since the first year of SOX adoption, respondents with centralised operations enjoyed lower costs of compliance compared to those with decentralised operations. For example, in 2007, those with decentralised operations spent 30.1 % more for compliance than those with centralised operations.

The main reason for this disparity lies in the disorganised and complicated nature of spreadsheet systems.

Read why spreadsheets post a burden when complying with SOX and other regulations.

Unfortunately, a large number of companies still rely heavily on spreadsheets. Even those with expensive BI (Business Intelligence) systems still use spreadsheets as an ad-hoc tool for data processing and reporting.

Because compliance with Section 404 involves a significant amount of fixed costs, smaller companies tend to feel the impact more. This has been highlighted in the ?Final Report of the Advisory Committee on Smaller Public Companies? published on April 23, 2006. In that report, which can be downloaded from the official website of the US Securities and Exchange Commission, it was shown that:

  • Companies with over $5 Billion revenues spent only about 0.06% of revenues on Section 404 implementation
  • Companies with revenues between $1B – $4.9B spent about 0.16%
  • Companies with revenues between $500M – $999M spent about 0.27%
  • Companies with revenues between $100M – $499M spent about 0.53%
  • Companies with revenues less than $100M spent a whopping 2.55% on Section 404

Therefore, not only can you discern a relationship between the size of a company and the amount that the company ends up spending for SOX 404 relative to its revenues, but you can also clearly see that the unfavourable impact of Section 404 spending is considerably more pronounced in the smallest companies. Hence, the smaller the company is, the more crucial it is for that company to find ways that can bring down the costs of Section 404 implementation.

How to alleviate costs of section 404

If you recall the FEI survey mentioned earlier, it was shown that organisations with decentralised operations usually ended up spending more for SOX 404 implementation than those that had a more centralized model. Then in the ?Final Report of the Advisory Committee on Smaller Public Companies?, it was also shown that public companies with the smallest revenues suffered a similar fate.

Can we draw a line connecting those two? Does it simply mean that large spending on SOX affects two sets of companies, i.e., those that have decentralised operations and those that are small? Or can there be an even deeper implication? Might it not be possible that these two sets are actually one and the same?

From our experience, small companies are less inclined to spend on server based solutions compared to the big ones. As a result, it is within this group of small companies where you can find a proliferation of spreadsheet systems. In other words, small companies are more likely to follow a decentralised model. Spreadsheets were not designed to implement strict control features, so if you want to apply a control framework on a spreadsheet-based system, it won’t be easy.

For example, how are you going to conduct testing on every single spreadsheet cell that plays a role in financial reporting when the spreadsheets involved in the financial reporting process are distributed across different workstations in different offices in an organisation with a countrywide operation?

It’s really not a trivial problem.

Based on the FEI survey however, the big companies have already found a solution – employing a server-based system.

Typical server based systems, which of course espouse a centralised model, already come with built-in controls. If you need to modify or add more controls, then you can do so with relative ease because practically everything you need to do can be carried out in just one place.

For instance, if you need to implement high availability or perform backups, you can easily apply redundancy in a cost-effective way – e.g. through virtualisation – if you already have a server-based system. Aside from cost-savings in SOX 404 implementation, server-based systems also offer a host of other benefits. Click that link to learn more.

Not sure how to get started on a cost-effective IT compliance initiative for SOX? You might want to read our post How To Get Started With Your IT Compliance Efforts for SOX.?

Check our similar posts

New Focus on Monitoring Soil

There is nothing new about monitoring soil in arid conditions. South Africa and Israel have been doing it for decades. However climate change has increased its urgency as the world comes to terms with pressure on the food chain. Denizon decided to explore trends at the macro first world level and the micro third world one.

In America, the Coordinated National Soil Moisture Network is going ahead with plans to create a database of federal and state monitoring networks and numerical modelling techniques, with an eye on soil-moisture database integration. This is a component of the National Drought Resilience Partnership that slots into Barrack Obama?s Climate Action Plan.

This far-reaching program reaches into every corner of American life to address the twin scourges of droughts and inundation, and the agency director has called it ?probably ?… one of the most innovative inter-agency tools on the planet?. The pilot project involving remote moisture sensing and satellite observation targets Oklahoma, North Texas and surrounding areas.

Africa has similar needs but lacks America?s financial muscle. Princeton University ecohydrologist Kelly Caylor is bridging the gap in Kenya and Zambia by using cell phone technology to transmit ecodata collected by low-cost ?pulsepods?.

He deploys the pods about the size of smoke alarms to measure plants and their environment.?Aspects include soil moisture to estimate how much water they are using, and sunlight to approximate the rate of photosynthesis. Each pod holds seven to eight sensors, can operate on or above the ground, and transmits the data via sms.

While the system is working well at academic level, there is more to do before the information is useful to subsistence rural farmers living from hand to mouth. The raw data stream requires interpretation and the analysis must come through trusted channels most likely to be the government and tribal chiefs. Kelly Caylor cites the example of a sick child. The temperature reading has no use until a trusted source interprets it.

He has a vision of climate-smart agriculture where tradition gives way to global warming. He involves local farmers in his research by enrolling them when he places pods, and asking them to sms weekly weather reports to him that he correlates with the sensor data. As trust builds, he hopes to help them choose more climate-friendly crops and learn how to reallocate labour as seasons change.

Field Service Organisations should use Digital Forms

For many Organisations, making use of paper based forms, is a common practice and method for collecting data and recording transactions. Whether it be for producing Quotations, Invoices or even getting sign off on completed jobs.

Paper based forms and documents have been the main stay of office communication and productivity for over 200 years. Paper-based forms are used to create anything from Invoices, Receipts, Purchase Orders, Contracts to the humble internal memo!

Paper-based forms radically improved productivity, efficiency and compliance by enabling people to create paper based instructions and enabling others to add additional information as required.

Over the past 3 decades or so, modern business environments have gradually been evolving towards the concept of the Paperless Office, resulting in the humble Paper based document migrating to a Digital Counterpart. The ease of availability of various Word Processing and Spreadsheet software products and cheap and easy data storage capacity have resulted in the Proliferation of thousands if not millions of files and documents being stored somewhere on the Company’s IT infrastructure.

People often create Digital Templates of forms that may be printed off and supplied to staff to complete using Pen and Paper or electronically. The data collation and reporting is often process

Often when conducting Operational Reviews, it is commonly found that the processing and analysing paper based forms is the least productive, efficient and profitable areas of business, although it is often vitally important.

Benefits of using digital forms for data collection

The ability to collect and analyse data effectively is increasingly important to businesses. Companies gather, examine, process and build reports on large volumes of data. Traditionally, they have deployed mail surveys, telephone interviews, door-to-door interviews as methods to collect information. With the ongoing digitisation, these procedures have become old fashioned.The digital transformation is changing many business operations at a high speed and a great deal of processes that were executed manually are now accomplished using digital methods.

Technology has had a major impact on how to approach data research and has provided researchers new tools that have transformed and improved data collection and analysis. The pace of change requires companies to be able to react quickly and adapt themselves to changing demands from customers and market conditions.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
4 Reasons Why You Might be Missing Out on Energy Savings…

?well your company actually, although for many small-to-medium businesses it boils down to the same thing. Governments usually lag behind in terms of innovation but are beating us hands-down when it comes to going green. I have heard that private sector energy savings average less than 1% per year and I for one would not be surprised if that were true. So what is causing this rot, when we started out so enthusiastically? Here are four possibilities for you to mull over.

  1. Your Team is Unevenly Yoked ? A pair of mismatched horses cannot pull a wagon in a straight line any more successfully than a business team can achieve its goals, if there is no agreement on priorities. While your sales team may be all for scoring green points against your competition, your accountant has a budget to balance and your operations department just wants to get on with the job.
  1. Energy?s not in Focus ? The above may in part be due to production goals you set your department heads. Energy is not nearly as greedy as raw materials and human capital. If you tell them to cut 5%, where do you think they are going to look first? You need to put energy savings up there, and agree specific targets as you do with other primary goals.
  1. Your Equipment Could be Over-Spec ? It is a very human thing to put more food on our plates and buy faster cars than we need. Only a few generations ago our ancestors lived through feast and famine, and the shadow of this still influences our thinking. Next time you buy equipment sit around the table and agree the decision criteria together. Then stick to them and repel all attempts at up-selling.
  1. You Are Delegating Too Much ? Delegation is part of company culture, or if you prefer the collective way of doing things. If you delegate something completely it is akin to saying I do not care much about this, make it happen. Energy saving is a financial and moral imperative. The fact the oil price is down does not mean there is no place for sustainability on your desk (and the price is likely to be up again soon).

Governments succeed in saving energy (whereas businesses often do not) because governments have a crowd of stakeholders beating down the door and demanding progress. As business owners we are more likely to do the same when the pressure is upon us, and that pressure surely has to come from us.

Ready to work with Denizon?

Contact Us Today