When last we looked at the Overtime Guarantee Act known as Sarbanes-Oxley (see “Sarboxing,” February 2004), finance managers were busy tapping out distress signals from Documentation Hill. At the time, the compliance deadline for Section 404 of the act was fast approaching. While Section 302 had garnered most of the media’s attention, 404 was proving to be the real compliance bear. Among other things, it requires companies to identify key business processes, the internal controls over those processes, and any weaknesses in those controls. Summarizing the 404 project at Public Service Co. of New Mexico, Carl Seider, analysis programming lead at the Albuquerque-based utility, says: “It was like, ‘OK, stop the world while we take care of this.’ ”
Instead, officials at the Securities and Exchange Commission stopped the clock, repeatedly pushing back the drop-dead date for implementing Section 404. That gave most accelerated filers a reprieve in 2004, but the deadline is once again looming for most companies (March 15 for dozens of large companies; April 15 for scores of smaller ones). And many finance managers say they will not willingly spend another year in compliance purgatory.
That’s understandable. Preparations for 404 have exacted a heavy price. Software maker Micros Systems Inc., for one, has spent roughly $4 million in the past two years on its compliance program for Section 404. And the Columbia, Maryland-based company, with revenues of $487 million, hardly qualifies as a corporate giant. “We’ve spent an enormous amount of money,” says controller Cynthia Russo. “More than we had planned.”
Micros is hardly alone. AMR Research vice president John Hagerty estimates that total corporate outlays for overall Sarbox compliance this year will exceed $6 billion. All indications are that Section 404 will account for the vast majority of that. According to Financial Executives International, U.S. companies with revenues of $5 billion or more could spend more than $4.6 million this year getting in compliance with 404. And in a recent study of large companies conducted by law firm Foley & Lardner LLP, the majority of respondents cited 404 compliance as their single biggest expense stemming from governance reform (see chart, page 57). Despite assurances from officials at the Public Company Accounting Oversight Board (PCAOB) that Sarbox-related costs will diminish over time, anecdotal evidence suggests that costs will rise before they fall.
Enter the Software Vendors
To date, the bulk of business expenditures on controls assessment has gone toward additional manpower, what Theodore Frank, president of enterprise compliance software company Axentis Inc., calls the “muscling of 404.” One corporate IT manager notes that his department has already logged 10,000 man-hours readying his employer’s systems for 404 compliance. Not surprisingly, that has sent scores of managers in search of a means to automate at least some of the blocking and tackling involved.
Until recently, however, their calls for technological help went largely unanswered. By all accounts, first-generation Sarbox applications, often rushed out the door by sales-happy vendors, were usually little more than collections of compliance best practices. “A few of the vendors we saw didn’t know what COSO was,” recalls Greg Buccarelli, director of Sarbanes-Oxley compliance at drugmaker Novartis, referring to the internal-control framework of the Committee of Sponsoring Organizations of the Treadway Commission, the private-sector group formed in the mid-1980s whose 1992 framework underpins most 404 assessments. “Some weren’t even familiar with the sections of Sarbanes-Oxley.”