Sarbanes-Oxley compliance is no longer the all-consuming chore it once was for many companies, particularly in the financial services industry.
When the Sarbanes-Oxley Act (SOX) was enacted in 2002 in the wake of accounting scandals at Enron, WorldCom and others, it sent public companies scrambling. Compliance with the new regulation and its mandates for financial reporting was a time-consuming, laborious process.
Particularly onerous was Section 404 of SOX, which requires companies to assess the effectiveness of their internal controls and use an outside auditor to attest to their assessment. It involves extensive documentation, testing and remediation of processes that can affect financial reporting.
Now, however, SOX compliance has become part of the regular operational routine of most businesses, said Constantine Photopoulos, a partner at The SOX Group, a New York-based consulting firm.
"Most have put in place internal staffs to do it. It's just become another function and doesn't have that urgency that came about because it was brand new," he said. "Most firms know what to expect from their auditors and for most auditors, doing the audits has become routine."
This is especially true for financial services firms.
"Financial services firms, more so than other industries, have been able to make SOX auditing more of a repeatable process," said Dan Blum, senior vice president and principal analyst at the Midvale, Utah-based Burton Group.
For companies in the financial sector, SOX is just one of many regulations they face, he explained. "They have a harder job and they have to make it [SOX auditing] repeatable. They have to be efficient… Other companies, SOX may be [the only regulation] they have. They don't have quite the same sense of urgency of trying to create a larger framework for the security program and all the audits."
Scope still can be a challenge, however, Blum added. "What falls under the scope of a SOX audit and what doesn't -- it's somewhat subjective."
Back on track
A survey released by Protiviti, a Menlo Park, Calif.-based provider of internal audit and risk consulting services, showed that, for the first time since SOX took effect, a growing number of internal audit departments are returning to business as usual.
After being consumed with SOX compliance for the past four years, 24% of the 311 companies surveyed said their audit departments have rebalanced compliance activities with their traditional responsibilities. Financial services made up the largest group of respondents at 16%.
Large financial services firms in their fourth year of compliance have had a greater chance to rebalance, and were likely further ahead in implementing internal controls and audit functions than other industries because they already regulated, said Bob Hirth, managing director of Protiviti and head of the company's global internal audit practice.
"The financial services industry, because of its previous regulation more often than not tended to be a group of companies that got through SOX perhaps in a little better fashion than companies that were in the Wild West with no oversight," he said.
Also, the financial services sector is information intensive and since it's highly regulated, tends to have sophisticated information systems, he said. Those systems may facilitate automated controls, which can reduce the amount of testing required for SOX.
A security manager at a large financial services firm who spoke on the condition of anonymity agreed that SOX compliance is smoother today. At first, companies weren't sure what to do and there was a lot of work involving controls and testing procedures.
"It's gotten significantly easier. Companies have had the opportunity to refine the control set they're using," she said.
Another financial services executive, however, indicated that SOX compliance still requires a lot of time and effort as auditors dig deeper for issues loosely related to Section 404. Other executives in the financial sector declined to comment.
Hirth said the initial guidelines for SOX compliance weren't clear and placed equal importance on every control. Last year, the auditing guidance was revised to clarify some of the ambiguity and refine the focus to high-risk areas.
However, while companies are able to rebalance SOX auditing with other activities, they shouldn't get complacent, Hirth advised. There will continue to be changes to SOX that may either decrease or increase its scope, so it's important for businesses to stay on top of those changes and evaluate how they affect their efforts, he said.
And while SOX compliance may be more routine, its documentation and other requirements can still be taxing. "You have to keep testing it and recertifying it every year. It is sort of burdensome but everyone is used to it," says The SOX Group's Photopoulous. "I don't think much more efficiency is going to be driven out of it."