|
|
Save 45% when you buy the CEO Series. It covers the ten core business processes and comes with nine fully-editable manuals for:
|
How to Reduce Sarbanes-Oxley Compliance Costs
Small public companies like yours may finally have to begin providing the Securities and Exchange Commission (SEC) with certified assessments of their internal controls.  Smaller micro caps will be required to comply with SOX 404(b) reporting requirements beginning June 15, 2010; they’ll have to attest to the effectiveness of their internal controls in their annual reports released on or after June 15 of next year.  So, for those whose annual reports are just seven months away, the time to consider is over — it’s time to take action!
If you qualify as a non-accelerated filer (i.e., your company’s public float is under $75 million), you’ll have to start complying with Section 404(b) of SOX, which requires company management and independent auditors to sign off on, or attest to, the effectiveness of your risk control framework or accounting policies and procedures for internal control. Are your processes protecting you from the risk of material misstatements (RMM)?
Sarbanes Oxley Compliance Costs Too High?
When it was first enacted, the Sarbanes-Oxley Act (SOX) did not apply to non-accelerated filers because it was believed SOX compliance costs would be too high.  Several delays and extensions have been given to non-accelerated filers because the Office of Economic Analysis (OEA), which advises the SEC, needed to complete a study on SOX compliance costs. The study was completed in September, 2009, and was quickly followed by the announcement (on October 2) of the June 15th compliance deadline.
It didn’t surprise anyone when the OEA study showed that SOX compliance costs increase with company size; the study also confirmed that annual compliance costs decrease over time and that, overall, compliance costs have decreased since 2007. In other words, while larger companies achieving SOX compliance had higher costs overall, there are fixed SOX compliance costs that impact all organizations, regardless of size, and companies have gotten smarter on how to implement Sarbanes-Oxley.
How Do You Control Sarbanes-Oxley Compliance Costs?
There are three major factors that drive up the cost of complying with SOX: cost of scale; cost of review; and cost of improvement.  The more control you have over all three of these, the lower your costs to implement Sarbanes-Oxley compliance will be.
Sarbanes-Oxley Cost of Scale
Why do larger companies incur higher overall compliance costs?  Because of the sheer size — scale – of their operations!  More operating locations, more employees, and more processes means more time and people needed to review accounting policies, procedures, and internal controls. There is no easy answer to the question of scale: larger size translates into more risk management, internal controls, and accounting processes.
You can reduce the scope of SOX compliance by addressing the greatest risks first (note that PCAOB Auditing Standard #5 was developed for this purpose). Don’t try to address all risks at once — this is what drives up compliance costs.  But, which risks do you address first?  Determine a threshold, or cutoff, for risk materiality, then decide which risks are most material to your company.
Remember — this is an ongoing process of improving your SOX compliance, not a one-time SOX compliance event.  Next year, you can (and probably should) lower the threshold and address your “second-tier” risks, and continue to annually adjust your threshold until you are comfortable.  Management decides on the internal controls needed to cover the identified risks.
Also, if you decide wrong and set your risk threshold too low or too high, you’ve identified a material weakness in your risk control framework. Â You think you’ve exposed a flaw in your system, but consider that your system is also about continual improvement. Â The only flaw is failing to improve: work on improving your internal controls - adjust your risk threshold - and you can demonstrate that you have a SOX-compliant system.
Sarbanes-Oxley Cost of Review
The cost of review represents the Check and Act phases of the Plan-Do-Check-Act (PDCA) process approach. All companies needing to comply with SOX have to have some form of review process that tests accounting’s internal controls and gives management the confidence to attest to the validity of the company’s financial statements.
Internal audits, management reviews, management and auditor attestation, and board oversight are fixed costs of Sarbanes-Oxley compliance. Every company has to operationally demonstrate to top management that internal controls are in place and are working. Larger companies have to spend more, of course, but every company must spend a minimum amount for basic compliance.
As with the cost of scale, you can reduce the scope of SOX compliance by addressing the largest risks first in your audit plan. You don’t have to audit every accounting process every year. Start with the accounting processes that have the greatest impact — those that pose the greatest risk of material misstatement if they don’t work. Review past audit opinions, your compliance plan, and your definition of materiality and adjust your audit plan to deal with the greatest risks.
Management decides on the internal controls and testing needed to ensure that the identified risks are controlled. If you find that your audit plan hasn’t addressed the right risks, you adjust the plan.  Again, lessons learned — and implemented — show that your system is driving improvement and is, therefore, Sarbanes-Oxley-compliant.
Sarbanes-Oxley Cost of Improvement
The cost of improvement comes under the “Plan” and “Do” phases of the PDCA process. Sarbanes-Oxley compliance starts with a compliance plan, one that identifies the risks you need to control. Your compliance plan is the foundation of your risk control framework. With a sound compliance plan in place, management can make better decisions regarding internal controls, such as implementing accounting policies and procedures that reduce or eliminate the risk of material financial misstatement.
Developing accounting policies and procedures is the “Do” in “Plan-Do-Check-Act”. Your risk control framework identifies individual risks (e.g., the chance a receivable is not collected on time). Your accounting policies (e.g., collect accounts receivable within 30 days) and procedures (daily A/R aging reports, phone calls, collection letters, etc.) are forms of internal control that demonstrate your compliance with Section 404 of SOX.
Are your accounting policies and procedures for compliance, or control? Â Well, control comes before compliance, but many companies have confused the two and wasted a lot of time and money. Â You can reduce the scope of SOX compliance by controlling your greatest risks first with your accounting policies and procedures.
You don’t have to write a policy or procedure for every accounting process at once.  Once again, start with the accounting processes that, if they don’t work, pose the greatest risk of material financial misstatement. Review audit opinions, your compliance plan, and your definition of materiality, then develop and implement the accounting policies and procedures that address your greatest risks first.
Management makes the final determination of which accounting policies and procedures are needed. If you develop cash policies and procedures that do not (adequately) control the identified risks, you have a material weakness.  Improve your accounting procedures for internal control and you demonstrate Sarbanes-Oxley compliance.
Bizmanualz Accounting Policies and Procedures Reduce Sarbanes-Oxley Compliance Costs
Sample accounting policies and procedures serve as a model, or framework, for your own accounting policies and procedures. The CFO Accounting Policies and Procedures Manuals set contains 239 procedures you can use to address the ten accounting cycles.
SEC Chief Mary Schapiro recently stated that “there will be no further Commission extensions. It is important for all public companies - and their auditors - to act with deliberate speed to move toward full Section 404 compliance.” Although legislation has recently been introduced to permanently exempt non-accelerated filers from Sarbanes-Oxley Section 404(b) compliance, there’s no guarantee that Congress will act or that the public won’t demand better information and you won’t need to comply with 404.  Besides, having an effective system of internal controls makes good business sense.
Using prewritten procedures will save you hundreds — possibly thousands — of hours in researching, writing, and implementing accounting policies, procedures, and internal control for Section 404 compliance. Save even more time implementing additional internal controls for sales and marketing, security, disaster recovery, and ISO 9001 compliance using the CEO Company Policies and Procedures Manuals. Download free samples of our procedures and judge for yourself.
Related Articles:
- Understanding and Achieving SOX Compliance
- How Demanding Is Sarbanes-Oxley (SOX) Compliance?
- Is Sarbanes-Oxley Improving Corporate Governance?
- New Bizmanualz® Finance Policies and Procedures Manual Simplifies Sarbanes Oxley Compliance
- How Nov. 15, 2004 Deadline for Sarbanes Oxley 404 Compliance Affects You
 |
View free sample procedures from any (or all) of our policies & procedures manuals |
This work is licensed under a Creative Commons Attribution 3.0 United States License.
