The Security Side of Sarbanes-Oxley

Many executives believed some extra regulation was needed, but few are enthusiastic about Sarbanes-Oxley; some have delisted their companies to get out from under. But what is it and how does it affect you?

What is SarbOx anyway?

The Sarbanes-Oxley Act of 2002 is a set of rules passed by Congress in order to force American public corporations to document every sale and financial exchange that could have a material effect on the business.

SarbOx also requires top executives to review and sign off on financial results, so CEOs hauled up on charges related to creative bookkeeping can't claim to have been unaware of number-shuffling that may have misled investors and regulators.

The implementation of SarbOx, however, is more than just a change in some accounting and accountability rules. It amounts to an overhaul in the way America will do business in the future.

Compliance with SarbOx is a big deal to senior management, because a violation of the act, in this case failure to comply, can bring them up to 20 years of jail time and fines up to $5 million. That sort of penalty tends to concentrate a CEO's focus beautifully.

The Cost of SarbOx

While many executives agree that some law was necessary, many have also become disillusioned with the drain on time and resources that it requires.

These requirements can fall disproportionately hard on smaller public companies, many of which have less formal financial-reporting processes than larger, older companies, and fewer staffers to create or execute any newly required processes.

USA Today reported in October 2003 that one such publicly traded company—hardware wholesaler Moore-Handley, which had 2002 sales of $151 million—was going so far to avoid falling under SarbOx rules that it was delisting itself from the Nasdaq exchange.

Company executives estimated compliance would cost the company $250,000, but Moore-Handley had only made a net profit of $300,000 in the last fiscal year. So it made economic sense for Moore-Handley to react the way it did.

This kind of cost consequence may spread to other companies as well.

It may be that in the future only companies worth $100 million or more will be able to afford being publicly traded, and thus fall under SarbOx regulations.

A Foley & Lardner survey of 32 midsize public companies found that they predicted an average increase of 105 percent in accounting costs, a 90 percent increase in legal costs, a 102 percent increase in costs due to lost productivity, and a 266 percent increase in compliance personnel costs.

Overall, the companies surveyed expected an increase of 90 percent over their 2002 accounting costs just to comply with SarbOx.

While a cost increase is to be expected when first complying with any regulatory change, the total cost over time may not be as high as an initial cost outlay might indicate.

Once a coping mechanism is in place, the business only has to maintain a new process instead of developing and installing it.

Maintenance is usually cheaper than development, so it would be reasonable to expect compliance costs (aside from the direct labor costs necessary) to decrease over the long term.

So, there will undoubtedly be increased costs of doing business due to SarbOx, but they should settle down somewhat once an appropriate solution has been devised.

Section 404

One of the most critical sections of SarbOx is Section 404.

It requires the management of a public company to assess the effectiveness of the company's internal control over financial reporting (as of the end of the company's most recent fiscal year).

Section 404(a) of the Act also requires management to include in the company's annual report to shareholders management's conclusion (made as a direct result of the assessment previously mentioned) about whether the company's internal control is effective.

SarbOx forces individual managers to legally commit to the veracity of the internal controls in use, something that had never before occurred in the United States.

Section 404 of the Act (as well as Section 103) directs the Public Company Accounting Oversight Board (PCAOB) to establish professional accounting standards governing the independent auditor's attestation, as well as reporting on management's assessment of the effectiveness of internal control. The PCAOB is the private-sector, nonprofit corporation set up by SarbOx to oversee implementation; it answers to the Securities and Exchange Commission, which in turn has the ultimate responsibility to see that SarbOx is carried out.

That means whatever internal control system is in place for the audit is graded on criteria set down by the PCAOB.

The PCAOB has considered the possible effects of the proposed standard on small and medium-sized companies, noting that internal control is not "one-size-fits-all."

So, the board has defined examples of what not to do.

It has identified circumstances that would be a very strong indicator that there exists a material weakness in the internal controls.
