Foreign companies working to achieve Sarbanes-Oxley compliance might expect
to incur significant costs in year one. But according to research by
PricewaterhouseCoopers, many are in danger of incurring excessive costs in
subsequent periods as well.
PwC’s survey report, Looking forward: evaluating early experiences with
Sarbanes-Oxley, considers the experience of 36 Sarbox project leaders from large
foreign private issuers (FPIs) from the UK, continental Europe and Australia.
The Sarbox regulations apply to FPIs with year-ends on or after 15 July 2006.
They will, for example, be required to include an internal control report from
management in their annual report for year-ends after that date.
US companies struggled to embed compliance in year one (their deadline was 12
months earlier), and PwC fears that FPIs are now making the same mistake. Almost
half (44%) of respondents to the survey view their section 404-compliance
efforts as an entirely discrete piece of work, unconnected to other compliance
activities and processes happening within the business. Although creating
‘controls consciousness’ is considered to be a medium-to-high priority for 86%
of those surveyed, 31% said that this has not yet been gauged within the
company. Only 19% say that a formal mechanism exists for knowledge transfer from
their s404 project team to management.
“Many FPIs are treating this year’s compliance as a project they just have to
get through,” says Helen Nixseaman, risk assurance services partner at PwC.
“They have probably incurred a lot of cost internally and with external advisers
to get across the finishing post, but haven’t thought about developing
sustainable structures. They need to start thinking about that,” she says.
“Don’t leave it until the end of the year to start thinking about how you will
embed compliance in the business.”
Nixseaman is confident that business benefits can be achieved. For example,
preliminary work may have identified that business units have different
processes for purchasing, resulting in some inefficiencies. “FPIs might have
identified areas where there is inefficiency and where processes and systems
could be standardised or simplified,” she says.
PwC’s report highlights the importance of pushing controls testing, where
possible, down to the business unit level. This is a key way to keep
Sarbox-related costs down. The report gives an example of an organisation with
850 controls to be tested. Members of the s404 project team might take an
average of five hours to perform each test – a total testing time of 4,250
hours. However, completing those same tests could take front-line staff with
appropriate training just 1,700 hours. As the report says: “The difference of
2,550 hours over the course of a year amounts to approximately one full-time
employee’s annual work.”
There’s still time
Even if companies have only focused on year one compliance, it is not too
late to rescue the situation. “Most FPIs have until December to comply for the
first time,” says Nixseaman. So there is still time to start looking at how to
embed compliance to minimise future costs.
Efficiencies can be achieved, for example, by automating the s404 compliance
process. “Some companies have used electronic filing s404 documents, but
increasingly we will see some more sophisticated providers being used, possibly
carrying out some of the testing themselves,” says Nixseaman.
Toby Grey, a director of RVR Systems, a supplier of IT solutions for
corporate governance, internal controls and regulatory compliance, warns that UK
FPIs have been slow to take advantage of the automated tools available. “There’s
been greater take-up among European and predominantly French corporations of
automated systems to handle compliance with regulations,” he says. “They are
also now getting the benefits.” Grey refers to Lafarge SA, the building materials
company with operations in 75 countries. Lafarge has to comply, not only
with Sarbox, but also with France’s own corporate governance legislation. “It
[Lafarge] has used this opportunity as a chance to harmonise group controls
throughout all group companies worldwide,” says Grey. “It has confidence that
the management information that comes up through the reporting channels is
accurate. That’s what every CFO hopes for.”