July 30 marks the four-year anniversary of the signing of the Sarbanes-Oxley Act.
Since its passage, SOX has raised the ire of public companies forced to comply with its provisions. In particular, detractors have railed against Section 404 of the legislation, which requires companies to validate the effectiveness of internal controls put in place to protect financial reporting processes.
The biggest complaint has been the cost of compliance. Analysts estimate companies accumulate $1 million in SOX expenses for every $1 billion in revenue.
But lately things are looking up, industry watchers say.
Companies today are in a better position to comply with SOX, says John Hagerty, a vice president at AMR Research. The Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) have begun to issue clearer implementation guidance. As part of that effort, the SEC and PCAOB are advocating a risk-based approach to compliance that encourages companies to focus on areas that present the greatest risk to financial reporting accuracy.
"This has caused organizations to go back and rethink what they had done in previous years, especially the early compliers," Hagerty says. "2006 has been a year of streamlining for a lot of companies. The number of things that they look at is getting smaller and smaller; they're getting more focused; and they're putting more attention on the areas that are really at most risk."
Recent research from Ernst & Young confirms that as public companies accumulate SOX experience, the time and resources companies devote to the compliance effort are dropping in many cases.
Among 255 companies surveyed, 81% said they spent less time on Section 404-related activities in their second year of compliance. Nearly half (46%) trimmed internal hours by 10% to 25%; another 30% decreased hours by 25% to 50%; and 5% slashed the time spent by more than 50%.
Many respondents also were able to refine their testing approach and narrow the scope of controls identified for testing in the second year of compliance. Roughly 47% decreased the number of controls tested by 10% to 25%; another 11% cut controls tested by 25% to 50%; and 4% cut more than 50% of controls tested in year two.
Ongoing challenges
Kathleen Barret sees the benefit of compliance experience -- though she's not expecting overnight relief.
Barret is a consulting manager at BMO Financial Group in Toronto, where she heads up the financial institution's requirements management/business analysis center of competency. BMO has been compliant with Section 404 since early 2006. Now the challenge is maintaining compliance. While there are fewer staff focused solely on SOX compliance, there are more employees who need to think about how their business decisions might impact BMO's compliance status, Barret says.
"People need to get used to thinking that way," she says. "Over the next few years it's going to be a little bit tricky. Then after a while it will become business as usual."