By Vivian Yeo
26 July 2006
Like it or not, the clock is ticking for non-US companies that need to be
compliant to one of the most talked-about elements of the Sarbanes-Oxley
(SOX) Act established in 2002.
With the passing of the critical 15 July milestone for foreign companies
listed in the US to be compliant to Section 404 under SOX, they now have
anything from a few weeks to nearly a year to meet the regulations or face
the consequences. Under Section 404, publicly traded companies must have
internal policies and controls in place to protect, document and process
information for financial reporting.
The law requires affected businesses to comply by the end of their
respective financial year after 15 July, 2006. The date is an extension of
the original deadline of 15 July, 2005, set by the US Securities and
Exchange Commission (SEC). Public US companies were required to be
compliant in November 2004.
For most non-US companies, the journey would have started in 2004, noted
Philip Chong, director at Deloitte & Touche Enterprise Risk Services.
Businesses would also have started "thinking about assessing and
implementing internal controls" about 12 months ago, he said.
For software giant SAP, the process of becoming compliant stretched over a
few years. Dirk Metzger, head of risk management at SAP Asia-Pacific, told
silicon.com sister site ZDNet Asia in an email that the company began its
SOX journey way back in 2002.
Besides involving process owners, SAP also appointed SOX champions, who
handle SOX 404 related tasks such as effectiveness testing, said Metzger.
Some 30 business units and 30 process groups were involved in the
different project phases, each of which stretched "from 300 to 6,000
man-days", he added.
The software giant, he noted, also worked towards embedding SOX-required
internal controls elements into SAP's risk management function, which is
based on the COSO Enterprise Risk Management Framework.
Metzger said: "SAP grew the SOX 404 risk evaluation process over internal
controls of financial reporting into a holistic Enterprise Risk Management
function, and is currently developing a consolidated compliance and
governance framework for the entire corporation. A direct reporting line
to the executive board was established and an issue evaluation committee
was set up, dealing with findings from SOX 404 testing and audits, thus
giving the SOX topic top management exposure and attention."
According to Metzger, SAP is now undergoing half-year SOX 404 audits by
its external auditor KPMG, and expects to obtain the first certification
of compliance early next year.
At Nasdaq-listed Pacific Internet (PacNet), preparations for
SOX-compliance commenced in mid-2004. Its CEO and president Phey Teck Moh
noted that the company, whose current financial year will end on 31
December, 2006, will meet the requirements at the end of this year.
The Singapore-based ISP put together a leadership team to manage the
process, and placed country managing directors and financial controllers
in charge of their respective areas. Dedicated work teams were set up in
some country offices to work on achieving compliance. PacNet estimates
that more than 30 per cent of its employees - dedicated resources or
otherwise - have been involved in the compliance work so far.
The project has been intensive "in terms of resources and commitment"
but it has also benefited the company, Phey added. "The compliance process
has given us the opportunity to further enhance our financial controls,
which has strengthened and improved our business processes," said Phey.
Jeffrey Hoo, services and management systems field director at Symantec's
regional product marketing division, noted that companies which are
affected by the SOX Act already have processes in place and are working
toward their compliance deadlines.
Hoo said companies in the banking and finance industry are more
experienced, as "compliance is an everyday affair", unlike businesses in
other industries where there is more work to be done. "A lot of time is
spent defining the policies and processes, before going into the use of
technology and getting people to understand and co-operate to comply," he
Deloitte & Touche's Chong pointed out that there are those, however, who
choose to wait till the last minute to get their compliance act together.
With an "immovable deadline", those that start late need to "put in more
commitment from management" as well as pump in more human resources, he
Symantec's Hoo agreed, saying top management needs to offer "full support
for compliance" and view it "as a 'must have' and not [just] 'good to
Hoo added that for late movers, a good place to start is to read up on the
ISO 27001 and ISO 17799 standards, "which provide very comprehensive
guidelines". Companies should also find out what tools are available in
the market that "can automate repeatable IT related tasks to keep the
compliance cost manageable", he said.
At the end of the day, there is simply no room to fall short of the
requirements. Failure to comply "is not an option", said Deloitte &
Touche's Chong. The [US] SEC "takes a serious view" of non-compliance, and
such a situation would also "cause investors to lose faith" in the
company, he added.
Vivian Yeo writes for ZDNet Asia
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.