SOX Compliance in Doubt for Many
Recently, auditing powerhouse PricewaterhouseCoopers announced that, based on information from 700 of the accounting firm's clients, 20% will probably met the deadline, 70% are behind, and 10% are at serious risk of failing to meet the SOX deadline; with that number possibly growing to as much as 20%.
John Hagerty, a vice president at AMR Research, reports that overall between 15- to 30-percent of companies will probably miss the SOX deadline.
Most notably, companies report being broadsided by the enormity of the task.
At a recent user symposium SOX compliance software vendor OpenPages President and CEO Michael Duffy said that many attendees were surprised at the effort involved in getting documentation for the internal control framework section of SOX. According to Duffy, 40% of the company's customer base, currently at 109, attended the symposium; a good indication of the frustration and confusion associated with the legislation.
The lion's share of the thousands of companies scrambling to meet SOX compliance, are relying on Word documents, Excel spreadsheets and a file server, according to industry observers. Only a small percentage of companies have purchased a software solution to help automate the compliance framework, making the first go-round with SOX more like scrambling for a fire drill.
Colleen Cunningham, president and CEO of Financial Executives International (FEI), reported that a January survey of the organizations 15,000 membership found that only 20- to 25-percent had purchased SOX risk and compliance software or had plans to purchase software.
"Some of these companies reported using software provided by their auditors," she said.
Hand-in-hand with complaints about SOX project scope was an equally vociferous complaint about what's been dubbed as "scope creep", or rules changing on the fly. According to Hagerty, the Public Company Accounting Oversight Board (PCAOB), which polices the auditors, was late in getting its guidelines to the auditors.
"As a result, the auditors kept shifting the advice they gave to their customers," he said.
This complaint is echoed by FEI's Cunningham, who noted that auditor guidance, or a consistent framework for evaluating deficiencies, only became available at the end of October.
"It would have been better if this framework was available six months ago and the auditors could have been trained six months ago," she said.
The time squeeze weighs heavily on companies who have to insure that they've provided enough time to test internal controls, remediate if necessary, review and obtain approvals.
Two additional issues inflating the pressure to meet SOX deadlines are the availability of external and financial resources.
Not only are auditors playing catch up to shifting guidelines but auditing staffs at accounting firms are spread thin. In addition to the major firms who advise the mid-market and above, numerous regional accounting firms are capitalizing on the SOX business opportunity as well.
That said, FEI's Cunningham noted reports from smaller companies of having to wait for auditors to test their compliance readiness because these auditors are focused on bigger clients.
Finally, the financial cost of SOX 404 implementation has been huge. A recent survey of the FEI members found that the average member company spent $3 million. This latest figure is 62% higher than figures reported in January. "We expect that even the $3 million is understated," said Cunningham.
The survey also noted that company employees would be spending an average of 6,700 hours evaluating and enhancing internal controls this year and that they expected additional spending averaging $480,000 for evaluation software, outside consulting and employee training.
According to AMR's Hagerty, 50% of the dollars spent on compliance was internal company time. "These are people who were pulled off of other projects," he said, adding that companies weren't able to anticipate how long it would take to do the work.
Truth or Consequences
While there is no precedent for not meeting the SOX deadlines, industry observers expect some leniency by the courts, except in cases of clear wrongdoing or fraud. "There's a lot of pressure to make this legislation successful and the law was designed to have teeth," said Michael Rasmussen, principal analyst at Forrester Research.
The SOX deadline for companies under $75 million is April 15, 2005. For these small to mid-sized companies, time is on their side. "They can watch and learn from everyone else's mistakes," said Hagerty.