One year into the implementation of Section 404 of the Sarbanes-Oxley Act, a statement issued this month by the Securities and Exchange Commission acknowledges what companies have been complaining about for months: The cost of compliance is exorbitant, the interpretation of the rule is far too broad and the prime beneficiaries are accounting firms, the very industry whose slipshod practices were in part responsible for the legislation.
"I think the SEC said what we all knew. The rule, as it is being interpreted by the accounting industry, is far too complicated and far too expensive," said Dave Ellard, senior vice president of corporate development for GlassHouse Technologies, a storage consulting and services firm based in Framingham, Mass.
Section 404, whose intent is to prevent fraud, requires that public companies assess their internal controls to ensure their financial reporting is accurate and reliable. In response to the rising tide of complaints, the SEC and the Public Company Accounting Oversight Board (PCAOB) last month convened a roundtable of domestic and foreign business leaders.
The SEC determined that some of the Section 404 costs "may have been unnecessary, due to excessive, duplicative or misfocused efforts." Essentially, the SEC said a cookie-cutter approach to Section 404 was wasting dollars and that public accounting firms were partly to blame.
In a statement issued May 16, the SEC warned that public accounting firms should "recognize that there is a zone of reasonable conduct by companies that should be recognized as acceptable in the implementation of Section 404."
What it means to CIOs
Whether the SEC statement gives companies the ammunition or assurance necessary to rein in costs -- or makes the CIO's job any easier -- is another matter. Although a company's CEO and CFO vouch for internal controls, the burden of meeting compliance falls on the CIO. "The reality is that in most modern corporations the controls are built into the computers. Most of the work ends up being in the CIO's organization, and CIOs need to be aware of this," Ellard said.
The problem is that the CIO doesn't know if the information is all correct, Ellard argued. "All they can do is say that the computer didn't change the data; they don't know what is going in and out. CIOs now are asking for help from people like us to understand what they have and don't have," he said.
Going forward, the SEC hopes that the internal control audit will be better integrated with the audit of financial statements.
"A one-size-fits-all, bottom-up, check-the-box approach that treats all controls equally is less likely to improve internal controls and financial reporting than a reasoned, good faith exercise of professional judgment focused on reasonable, as opposed to absolute, assurance," the SEC said.
The largest accounting firms have generally voiced support for the guidance. In a statement to the Wall Street Journal, a spokesman from Ernst & Young said, "We share with the SEC and the PCAOB the expectation that the process will become more effective and efficient going forward and that the benefits to investors will continue to be realized. First-year implementation was a major challenge for all market participants, including the auditing firms."
Bruce Barnes, founder of Bold Vision LLC, a Dublin, Ohio, consulting firm that provides peer-to-peer advice for CIOs, sees the SEC statement as welcome news.
"Overall, I think the SEC is dead on target. The one-size-fits-all [approach] for Sarbanes-Oxley is insane," Barnes said.
He suggested that CIOs pick up the phone and call their peers. "Guess what that costs? Nothing. You don't need people all dressed in dark suits carrying a ton of paper around with them claiming they have all the answers. They don't," Barnes said. "They haven't been in your world."