Sarbanes-Oxley: The Cost of Compliance

Alexis Adelaide is less than one month away from being able to fully retire from her current place of employment. Alexis has worked at her current job for nearly thirty-five years and has accrued a substantial amount of money in her retirement plan over the years.

During her thirty-five-year tenure, Alexis managed to set aside 5% of her income in her company’s 401(k) plan. The 401(k) is a matched contribution of 100% of all funds paid into the plan, up to 5% of the employee’s total base pay. Alexis’ employer matched her contributions with company stock, which now makes up 90% of her total retirement package.

Alexis received the majority of the matched stock when it was about five dollars per share. Now each share is worth approximately ninety dollars, and she stands to retire with well over a few million dollars. About a month ago, Alexis sold her home in Tulsa, Oklahoma, in preparation for moving to her dream home near Merritt Island, Florida.

Alexis is planning to move to Merritt Island with her husband and the three grandchildren she is currently taking care of. Everything is in place, and all she can do is daydream about her soon-to-come new life. As Alexis opens the morning edition of the Tulsa World, she sees that her company has made the front page.

The headline reads, “XYZ Corp Investigated for Accounting Fraud.” Later that week, after a full collapse of the company, Alexis finds out that her once ninety-dollar stocks are now worth .23 cents a share and that her dream of retirement has all but disappeared.


In late 2001, this very scenario played out at the gas pipeline tycoon Enron.
Enron’s stock had nearly tripled in two years, to $90 in August 2000, and the company had booked sales of more than $100 billion the previous year, ranking seventh on the FORTUNE 500. Enron’s 401(k) plan was available to 21,000 employees and loaded with the company’s stock; those shareholders were devastated. [Failure] With the financial collapse of Enron, shareholders were the ones left to carry the financial burden.

With Enron, WorldCom, and Tyco all leaving their shareholders with empty pockets, the public was starting to shy away from the stock markets. The effort to strengthen public trust began with new legislation, now commonly known as the Sarbanes–Oxley Act of 2002, or SOX. Sarbanes–Oxley was named after Senator Paul Sarbanes and Representative Michael Oxley, who were its main architects. (SOX Law)

Sarbanes–Oxley is separated into eleven different titles. According to the important sections in regards to compliance are sections 302, 401, 404, 409, 802, and 906. The requirements of this act changed compliance risk management in many ways. One way that SOX changed compliance risk management was by raising the total costs for compliance that companies had to endure.

Citing the cost of compliance among other things, various groups and individuals have called for the repeal of Sarbanes, challenging the law in the courts. (Accounting Web, 2008) The two largest contributors to the cost of the Sarbanes-Oxley Act are sections 302 and 404. Section 302, also known as SOX 302, is listed under Title III and pertains to ‘Corporate Responsibility for Financial Reports’. SOX 302 demands that the Periodic Statutory Financial Reports include a number of certifications.

These certifications state that the signing officers have reviewed the report, that the reports do not contain untrue statements or omissions, and that the signing officers are responsible for internal controls. (SOX Law) Internal control is defined by the Committee of Sponsoring Organizations (COSO) as a process designed to provide reasonable assurance regarding the reliability of financial reporting, among other things.

Documentation of internal controls is going to be a large task to take on. Christopher Baudouin of Jupitermedia Corp. has stated:

“Documenting internal control is the major thing. Initially, there’s work being done writing manuals. Of course, we will have to continually update them and maintain them. We are careful how we allocate manpower within the department. We have increased the staff. We’ve also purchased software to assist us. The cost of the audit will increase since there will be more testing.” (D'Aquila)

Sarbanes-Oxley requires companies to adopt and declare a framework used to define and assess internal controls. Two control frameworks have emerged as foundational to the compliance efforts and have been adopted by a majority of companies: COSO, primarily for financial processes, is an integrated framework providing specific guidance on implementing and maintaining internal controls. Endorsed by the SEC, COSO is the most widely adopted company-wide control framework. COBIT, or “Control Objectives for Information and related Technologies,” is an IT framework that maps to COSO (COSO offers little detail for IT controls). (BPO Systems)

Section 404, also known as SOX 404, is listed under Title IV and pertains to ‘Management Assessment of Internal Controls’. SOX 404 has two main components, 404(a)(1) and 404(a)(2). SOX 404(a)(1) says: state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and SOX 404(a)(2) says: contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. (Karln, 2002)

With SOX 404 in place, IT departments will have to invest in new ways to become compliant. Investments can include new employees to help analyze, implement, and monitor the new internal controls. Some companies, relying on an archaic ERP system, may have to spend revenue on a new ERP package.

The passing of the Sarbanes-Oxley Act of 2002 was by no means an easy road for publicly traded companies, which now had to comply with it. After years of abuse by public companies, shareholders were demanding that something be done to protect their interests.

With the enactment of the Sarbanes-Oxley Act of 2002, I believe we are well on our way to providing more transparency for financial reporting and helping to bring back trust between public companies and their shareholders. However, that trust came to the shareholders with a hefty price tag.

The 2008 Annual Survey Report from the Financial Executives International (FEI) stated that forty-three percent of the companies surveyed said their total IT spending increased over the past three years. Forty-six percent of respondents expect higher levels of IT spending, while only about 14 percent of respondents expect IT spending levels to decrease. (Information Integrity) Sarbanes-Oxley has changed compliance risk management by adding new costs to businesses trying to keep compliant.

The Sarbanes-Oxley Act has forever changed the way business is conducted. Compliance and risk management have merged, and a new breed of professionals versed in the language of compliance and ethics will lead the way.

By: Joseph Dustin