SOX: Five years of headaches

Five years after the controversial Sarbanes-Oxley Act was enacted to prevent Enron-like scandals, the law’s financial control requirements are having myriad impacts: large companies have cleaned up their accounting, but at great cost; foreign businesses are dropping out of U.S. stock exchanges to avoid SOX requirements; and many small public companies are scrambling to meet a crucial compliance deadline in December.

Signed into law by President Bush on July 30, 2002, SOX forces public companies to prepare reliable financial statements and bring material weaknesses into public view, with mandated testing for integrity and ethical behavior, IT controls related to financial reporting, whistleblower programs, antifraud provisions and other requirements.

Compliance has become “pretty much routine” for large companies, who have faced SOX requirements since 2004, says Bob Benoit of Lord & Benoit, which performs SOX research and helps companies comply.

It hasn’t been cheap: spending on SOX compliance was $5.5 billion in 2004 and is now more than $6 billion annually, according to AMR Research.

1,035 large public companies have at some point failed to comply with SOX, out of a total of 4,862 that have reported under the law’s Section 404, Benoit says, citing figures from Audit Analytics.

Yet many individual enterprises spent far more on SOX compliance than they had to because the federal government initially failed to issue clear instructions.

“It was millions of dollars extra that was spent. This was due to people overcomplying, doing far more testing than was necessary,” says Michael Kamens, who was global network and security manager at Thermo Electron when the $2 billion company in Waltham, Mass., had to comply with SOX.

For about a year, companies thought they had to document and put controls in for every business process they have, since almost anything can impact financial statements, says John Hagerty, an analyst for AMR Research. Later it became clear that SOX only required such oversight for matters directly related to financial processes, Hagerty says.

“The biggest pain companies reported was they felt like they were getting conflicted advice,” he says. “People didn’t want to get caught in a situation where they didn’t do enough, so they ended up doing too much.”

Advice from the Public Company Accounting Oversight Board, created by SOX and the Big Four auditing firms was excessive at best, says Kamens, who now works for auditing firm Accume Partners. Whereas today companies focus on 31 so-called key controls, in the days after SOX, public firms were testing for as many as 200 controls, he says.