Unless you’re an auditor, a top executive or board director at a public company, the Sarbanes-Oxley Act’s Section 404 probably isn’t on your radar screen.
Yet the provision is costing public companies, even smaller ones, millions of dollars in increased auditing expenses.
Part of the federal financial reporting reform law of 2002, passed by Congress in reaction to the raft of corporate scandals such as Enron Inc. and WorldCom Inc., SOX 404 calls for companies to document and test all of their internal financial processes. In addition, the regulation requires firms to document the controls in place to identify and correct mistakes that may arise, and to demonstrate their effectiveness during testing by internal auditors and outside audits.
The scope of the project is causing fits for companies’ internal auditing teams and their outside accounting firms — which have to sign off on the reports, ensuring all have been done correctly and legally.
“Most companies underestimated how much time and effort it was going to take to document all of these internal controls,” said Drew Sutter, audit partner at Deloitte & Touche’s San Diego office.
“It’s turned into a situation when everybody seems to be scrambling the last couple of months to get everything done by the end of the year.”
The cost for preparing the necessary documents and testing the internal controls ranges from hundreds of thousands of dollars for small companies to multimillions for the largest corporations, said local accountants and executives.
A survey done by Financial Executives International, a professional association of CFOs, treasurers and controllers based in New Jersey, found the average cost per company for complying with SOX 404 was nearly $2 million, or 12,000 internal staff hours, plus 3,000 external work hours.
“This is a very, very elaborate and time consuming undertaking,” said Angelika Caicedo, the managing director for the auditing firm of McGladrey & Pullen, LLP in San Diego. “For those companies that don’t have a lot of internal resources to do the write-ups, all the risk assessment, and the testing, and didn’t have good documentation on those internal processes, we have seen that spending $1 million will not be unusual.”
At Kintera Inc., a San Diego-based company that makes software that helps nonprofit organizations better manage fund raising, the cost to comply with SOX 404 ran about $800,000 last year, a sum considered relatively light in some circles, said Kintera Chief Financial Officer Jim Rotherham.
The cost was about four times the amount Kintera usually spends on auditing fees for a normal year, Rotherham said.
Kintera incurred about $532,000 in auditing costs in 2003, but the majority of that was caused by one-time expenses associated with the firm’s initial public offering.
To comply with the mounds of paperwork and testing associated with the regulation, Kintera, like most smaller companies, had to hire outside consultants.
“It’s become a full employment act for our students because it’s become a round-the-clock job for so many companies,” said Martha Doran, a San Diego State University accounting professor.
The San Diego office of Deloitte & Touche hired an additional 15 people just to handle all the work involving SOX 404, but it could have hired more, said Sutter.
“That doesn’t tell the whole story. We couldn’t find as many people as we wanted. We would have hired a lot more people if we could have found them,” he said.
Because of deadlines to file the reports in the first part of this year, Deloitte focused on completing this work so the reports could be filed along with the company’s annual financial reports, Sutter said.
The Securities and Exchange Commission issued an extension in November that provided “accelerated filers,” or companies with sales and a market cap of more than $75 million, with an additional 45 days to get the reports done. That would bring the deadline to early May, but Deloitte advised its clients to get the reports done at the same time that the 10K or annual financial results are due.
Companies with revenues and market capitalization of less than $75 million must deliver the reports to the SEC by the first quarter of 2006.
For all but the very largest companies, SOX compliance has meant hiring outside consultants such as Resource Connections, which is based in Costa Mesa and has an office in San Diego.
Joni Noel, the managing director for the local office, said the firm splits its time about equally between work auditing the information technology used in many internal financial processes, and on the documentation and testing functions required of SOX 404.
She said the work has been much more involved and complex than most companies ever imagined.
“Some companies had to start from scratch,” Noel said. “While they had some internal controls in place, the policies and procedures were not formalized and documented.”
Noel wouldn’t divulge actual numbers, but said the local office tripled its staff in the past year, primarily due to SOX compliance work.
Companies’ own financial and auditing personnel just couldn’t handle the extra workload, she said.
“Most accounting and IT departments are streamlined and don’t have a lot of people,” she said.
Perhaps more daunting for some small firms is the fact that few had current, documented internal controls in place, Sutter said.
“In my experience, most small public companies did not put resources into creating and documenting internal controls because they didn’t have to,” he said.
Smaller startups were far more focused on building their business operations than on spending money on things such as keeping policies and procedures up to date, he said.
That SOX 404 was costing much more than most executives guessed was a given, as were their questions about whether it would prevent the type of fraud that sank Enron or Carmel Valley-based Peregrine Systems Inc.
Many said despite all the additional controls and regulation, those who are intent on practicing fraud will likely find a way to circumvent the system.
But having an established and checked system in place makes it tougher for fraud to occur, some said.
“The more controls and monitoring you have, the harder it is for you to do it,” said Kintera’s Rotherham.