How to Reduce Costs when Complying with SOX 404

Section 404 contains the most onerous and most costly requirements you’ll ever encounter in the Sarbanes-Oxley Act (SOX). In this article, we?ll take a closer look at the salient points of this contentious piece of legislation as it relates to IT. We?ll also explain why companies are encountering difficulties in complying with it.

Then as soon as we’ve tackled the main issues of this section and identify the pitfalls of compliance, we can then proceed with a discussion of what successful CIOs have done to eliminate those difficulties and consequently bring down their organisation’s IT compliance costs. From this post, you can glean insights that can help you plan a cost-effective way of achieving IT compliance with SOX.

SOX 404 in a nutshell

Section 404 of the Sarbanes-Oxley Act, entitled Management Assessment of Internal Controls, requires public companies covered by the Act to submit an annual report featuring an assessment of their company?s internal controls.

This ?internal control report? should state management’s responsibility in establishing/maintaining an adequate structure and a set of procedures for internal control over your company?s financial reporting processes. It should also contain an assessment of the effectiveness of those controls as of the end of your most recent fiscal year.

Because SOX also requires the public accounting firm that conducts your audit reports to attest to and report on your assessments, you can’t just make baseless claims regarding the effectiveness of your internal controls. As a matter of fact, you are mandated by both SEC and PCAOB to follow widely accepted control frameworks like COSO and COBIT. This framework will serve as a uniform guide for the internal controls you set up, the assessments you arrive at, and the attestation your external auditor reports on.

Why compliance of Section 404 is costly

Regardless which of the widely acceptable control frameworks you end up using, you will always be asked to document and test your controls. These activities can consume a considerable amount of man-hours and bring about additional expenses. Even the mere act of studying the control framework and figuring out how to align your current practices with it can be very tricky and can consume precious time; time that can be used for more productive endeavours.

Of course, there are exceptions. An organisation with highly centralised operations can experience relative ease and low costs while implementing SOX 404. But if your organisation follows a largely decentralised operation model, e.g. if you still make extensive use of spreadsheets in all your offices, then you’ll surely encounter many obstacles.

According to one survey conducted by FEI (Financial Executives International), an organisation that carried out a series of SOX-compliance-related surveys since the first year of SOX adoption, respondents with centralised operations enjoyed lower costs of compliance compared to those with decentralised operations. For example, in 2007, those with decentralised operations spent 30.1 % more for compliance than those with centralised operations.

The main reason for this disparity lies in the disorganised and complicated nature of spreadsheet systems.

Read why spreadsheets post a burden when complying with SOX and other regulations.

Unfortunately, a large number of companies still rely heavily on spreadsheets. Even those with expensive BI (Business Intelligence) systems still use spreadsheets as an ad-hoc tool for data processing and reporting.

Because compliance with Section 404 involves a significant amount of fixed costs, smaller companies tend to feel the impact more. This has been highlighted in the ?Final Report of the Advisory Committee on Smaller Public Companies? published on April 23, 2006. In that report, which can be downloaded from the official website of the US Securities and Exchange Commission, it was shown that:

  • Companies with over $5 Billion revenues spent only about 0.06% of revenues on Section 404 implementation
  • Companies with revenues between $1B – $4.9B spent about 0.16%
  • Companies with revenues between $500M – $999M spent about 0.27%
  • Companies with revenues between $100M – $499M spent about 0.53%
  • Companies with revenues less than $100M spent a whopping 2.55% on Section 404

Therefore, not only can you discern a relationship between the size of a company and the amount that the company ends up spending for SOX 404 relative to its revenues, but you can also clearly see that the unfavourable impact of Section 404 spending is considerably more pronounced in the smallest companies. Hence, the smaller the company is, the more crucial it is for that company to find ways that can bring down the costs of Section 404 implementation.

How to alleviate costs of section 404

If you recall the FEI survey mentioned earlier, it was shown that organisations with decentralised operations usually ended up spending more for SOX 404 implementation than those that had a more centralized model. Then in the ?Final Report of the Advisory Committee on Smaller Public Companies?, it was also shown that public companies with the smallest revenues suffered a similar fate.

Can we draw a line connecting those two? Does it simply mean that large spending on SOX affects two sets of companies, i.e., those that have decentralised operations and those that are small? Or can there be an even deeper implication? Might it not be possible that these two sets are actually one and the same?

From our experience, small companies are less inclined to spend on server based solutions compared to the big ones. As a result, it is within this group of small companies where you can find a proliferation of spreadsheet systems. In other words, small companies are more likely to follow a decentralised model. Spreadsheets were not designed to implement strict control features, so if you want to apply a control framework on a spreadsheet-based system, it won’t be easy.

For example, how are you going to conduct testing on every single spreadsheet cell that plays a role in financial reporting when the spreadsheets involved in the financial reporting process are distributed across different workstations in different offices in an organisation with a countrywide operation?

It’s really not a trivial problem.

Based on the FEI survey however, the big companies have already found a solution – employing a server-based system.

Typical server based systems, which of course espouse a centralised model, already come with built-in controls. If you need to modify or add more controls, then you can do so with relative ease because practically everything you need to do can be carried out in just one place.

For instance, if you need to implement high availability or perform backups, you can easily apply redundancy in a cost-effective way – e.g. through virtualisation – if you already have a server-based system. Aside from cost-savings in SOX 404 implementation, server-based systems also offer a host of other benefits. Click that link to learn more.

Not sure how to get started on a cost-effective IT compliance initiative for SOX? You might want to read our post How To Get Started With Your IT Compliance Efforts for SOX.?

Check our similar posts

FUJIFILM Cracks the Energy Code

FUJIFILM was in trouble at its Dayton, Tennessee plant in 2008 where it produced a variety of speciality chemicals for industrial use. Compressed-air breakdowns were having knock-on effects. The company decided it was time to measure what was happening and solve the problem. It hoped to improve reliability, cut down maintenance, and eliminate relying on nitrogen for back-up (unless the materials were flammable).

The company tentatively identified three root causes. These were (a) insufficient system knowledge within maintenance, (b) weak spare part supply chain, and (c) generic imbalances including overstated demand and underutilised supply. The maintenance manager asked the U.S. Department of Energy to assist with a comprehensive audit of the compressed air system.

The team began on the demand side by attaching flow meters to each of several compressors for five days. They noticed that – while the equipment was set to deliver 120 psi actual delivery was 75% of this or less. They found that demand was cyclical depending on the production phase. Most importantly, they determined that only one compressor would be necessary once they eliminated the leaks in the system and upgraded short-term storage capacity.

The project team formulated a three-stage plan. Their first step would be to increase storage capacity to accommodate peak demand; the second would be to fix the leaks, and the third to source a larger compressor and associated gear from a sister plant the parent company was phasing out. Viewed overall, this provided four specific goals.

  • Improve reliability with greater redundancy
  • Bring down system maintenance costs
  • Cut down plant energy consumption
  • Eliminate nitrogen as a fall-back resource

They reconfigured the equipment in terms of lowest practical maintenance cost, and moved the redundant compressors to stations where they could easily couple as back-ups. Then they implemented an online leak detection and repair program. Finally, they set the replacement compressor to 98 psi, after they determined this delivered the optimum balance between productivity and operating cost.

Since 2008, FUJIFILM has saved 1.2 million kilowatt hours of energy while virtually eliminating compressor system breakdowns. The single compressor is operating at relatively low pressure with attendant benefits to other equipment. It is worth noting that the key to the door was measuring compressed air flow at various points in the system.

ecoVaro specialises in analysing data like this on any energy type.?

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
Could Kanban Be?Best for Knowledge Workers?

Knowledge Workers include academics, accountants, architects, doctors, engineers, lawyers, software engineers, scientists and anybody else whose job it is to think for a living. They are usually independent-minded people who do not appreciate project managers dishing out detailed orders. Kanban project management resolves this by letting them choose the next task themselves.

The word ?Kanban? comes from a Japanese word meaning ?billboard? or ?signboard?. Before going into more detail how this works let’s first examine how Japanese beliefs of collaboration, communication, courage, focus on value, respect for people and a holistic approach to change fit into the picture.

The Four Spokes Leading to the Kanban Hub

  1. Visualise the Workflow ?You cannot improve what you cannot see. The first step involves team members reducing a project to individual stages and posting these on a noticeboard.
  2. Create Batches ? These stages are further reduced to individual tasks or batches that are achievable within a working day or shift. More is achievable when we do not have to pick up where we left off the previous day.
  3. Choose a Leader the Team Respects – Without leadership, a group of people produces chaotic results. To replace this with significant value they need a leader, and especially a leader they can willingly follow.
  4. Learn and Improve Constantly ? Kaizen or continuous improvement underpins the Japanese business model, and respects that achievement is a step along the road, and not fulfilment.

The Kanban Method in Practice

Every Kanban project begins with an existing process the participants accept will benefit from continuous change. These adjustments should be incremental, not radical step-changes to avoid disrupting the stakeholders and the process. The focus is on where the greatest benefits are possible.

Anybody in the team is free to pull any batch from the queue and work on it in the spirit of collaboration and cooperation. That they do so, should not make any waves in a culture of respect for people and a holistic approach to working together. All it needs is the courage to step out of line and dream what is possible.

The Kanban Project Method ? Conclusions and Thoughts

Every engine needs some sort of fuel to make it go. The Kanban project management method needs collaboration, communication, courage, focus on value, respect for people and a holistic approach to work. This runs counter to traditional western hierarchies and probably limits its usefulness in the West.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
Six Sigma

Six Sigma has received much attention worldwide as a management strategy that is said to have brought about huge improvements and financial gains for such big-name companies as Allied Signal, General Electric (GE) and Motorola.

If you want to give your business the chance to attain the same resounding success, Six Sigma could be the method that will steer you towards that direction.

What is Six Sigma?

So what really is it? Six Sigma is a business management tool that was developed using the most effective quality improvement techniques from the last six decades. Basing its approach on discipline, verifiable data, and statistical calculations, Six Sigma aims to identify the causes of defects and eliminate them, thereby resulting in near-perfect products that meet or exceed customer’s satisfaction.

The core concept behind the Six Sigma method is that if an organisation can quantify the number of “defects” there are in a particular process, improvement activities can be implemented to eliminate them, and get as close to a “zero defects” scenario as possible. Defect here is defined as any process output that fails to meet customer specifications.

Six Sigma is also unique from other programs in that it calls for the creation of a special infrastructure of people within the organisation (“Champions“, “Black Belts“, “Green Belts“) who are to be expert in the methods.

Six Sigma Methodologies

When implementing Six Sigma projects, two methodologies are often employed. Although each method uses five phases each, these two are distinguished from each other using 5-letter acronyms and their specific uses.

DMAIC ? is the project methodology used to improve processes and maximise productivity of current business practices. The 5 letters stand for:

  • D ? Define (the problem)
  • M ? Measure (the main factors of the existing process)
  • A ??Analyse?(the information gathered to deter mine the causes of defects)
  • I ? Improve (the current process based on the analysis)
  • C ? Control (all succeeding processes so as to minimise additional defects)

DMADV – is the method most suitable if your business is looking to create new products or designs. The acronym stands for:

  • D ? Define (product goals as the consumer market demands)
  • M ? Measure (and identify product capabilities and risks)
  • A ??Analyse?(to create the best possible design)
  • D ? Design (the product or process details)
  • V ? Verify (the design)

How does Six Sigma differ from other quality programs?

If you think that Six Sigma is just another one of those business strategies that produce more hype than actual results, think again. Six Sigma uses three key concepts that sets it apart from other business management methods.

  • It is strictly a data-driven approach, where assumptions and guesswork do not figure in the decision making.
  • It focuses on achieving quantifiable financial results ? the bottom line ($) ? as much as giving emphasis on customer satisfaction.
  • It requires strong management leadership, while at the same time creating a role for every individual in the organisation.

Is Six Sigma right for your business?

While many other organisations such as Sony, Nokia, American Express, Xerox, Boeing, Kodak, Sun Micro-systems and many other blue chip companies have followed suit in adopting Six Sigma, the truth is, any company — whether you have a large manufacturing corporation, or a small business specialising in customer service.

Certainly, there is a lot more to Six Sigma than what you can probably absorb in one sitting or reading.

With our wide range of business management consultancy services, we can help you understand the Six Sigma method in the context of your business. We can also help you establish your improvement goals, set up your program, and train your own team of “champions” who can lead in implementing your Six Sigma goals.

Find out more about our Quality Assurance services in the following pages:

Ready to work with Denizon?