By Ann Bednarz
Two years of compliance with the Sarbanes-Oxley Act (SOX) have shored
up corporate accounting practices - but with lopsided costs compared
to benefits gained.
That's the general consensus of a wide range of business executives
and auditors who gathered Wednesday in Washington, D.C., for an
all-day roundtable hosted by the U.S. Securities and Exchange
Commission and the Public Company Accounting Oversight Board (PCAOB).
The SEC and PCAOB arranged the roundtable to solicit feedback about
Section 404 of the legislation, which requires companies to attest to
the effectiveness of internal controls put in place to protect
financial reporting systems and processes.
"The Sarbanes-Oxley Act was a critical step in addressing an
unprecedented string of corporate scandals that were rooted in very
serious governance, accounting and audit failures," said SEC Chairman
Christopher Cox in his opening remarks. Section 404 has the potential
to improve the accuracy and reliability of financial reporting - but
only if it's implemented properly, Cox said. "In practice it hasn't
always worked out that way," he acknowledged.
Likewise Bill Gradison, acting chairman of the PCAOB, said that
guidance the SEC issued last year and PCAOB's latest auditing standard
may not be enough to clarify the rules that govern the reporting and
auditing of internal controls. "Based on the information we already
have, it would seem that some further changes may be in order,"
Over the course of five panel discussions, participants shared their
experiences with the internal control reporting requirements. Philip
Ameen, vice president and comptroller at General Electric, detailed
the benefits of two years of Section 404 compliance:
"One, we're certainly more focused on controls, both in our underlying
operations and in operations that we're assessing for acquisition.
Two, we are more sophisticated in those assessments and we're more
targeted in analyzing and assessing the controls that are important to
our reporting processes. And thirdly, we have a common vocabulary for
talking about the controls," he said. "Overall, on balance, I think
the management team, the board of directors and people down in
trenches doing the testing are favorably impressed with progress that
has been made in the second year of 404."
That said, GE didn't experience much relief in terms of the scope and
cost of compliance in the second year. It tested 38,000 significant
controls in 2005, down slightly from 40,000 the year earlier. In 2004,
GE spent about $33 million on Section 404 compliance, and costs ran
about the same in 2005, Ameen said.
While GE's tally didn't decline, research suggests other companies are
seeing compliance costs drop in their second year. Colleen Cunningham,
president and CEO of Financial Executives International, said
companies with two years of compliance under their belts reported that
costs dropped an average of 16%. That said, 85% of respondents to
FEI's latest survey believe the costs of SOX compliance still outweigh
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.