A technology-based process for reducing the range or "scope" of Sarbanes-Oxley controls could help businesses cut the cost of compliance, which is expected to total $6 billion this year according to AMR Research Inc.
This approach would offer some relief to smaller public companies that were disappointed by last week's Securities and Exchange Commission (SEC) decision to reject a proposal to exempt them from complying with the audit rules of the Sarbanes-Oxley Act (SOX) of 2002.
John Hagerty, vice president of Boston-based AMR Research, said many companies initially took the costly approach of testing and documenting internal controls for everything to protect themselves from violating Sarbanes-Oxley.
"About a year ago the Public Company Accounting Oversight Board said corporations should take a risk-based approach," Hagerty said. "They said you should look at where you have exposure and where you have materiality, and use that as a litmus test to see if you need to dive deeper. You had companies that might have had 100 [internal controls tested]. Now they've cut down to 70 or 80. But we've seen a lot of companies don't have any rationale for determining why something is in or out of scope."
Hagerty cited a company's petty cash account as an example of something that would be outside the scope of Sox compliance. A company may still want to have internal controls on the money it keeps in a petty cash account, but it may want to avoid the amount of rigid and costly testing and documentation for the account that a SOX compliance program would require.
Hagerty said for most companies, the process of determining whether internal financial controls should be tested for SOX compliance is usually a costly intellectual exercise. However, he said, some financial software vendors are beginning to offer technology that can streamline the scoping process.
One such company, San Jose, Calif.-based Movaris Inc., offers OneClose, a platform for financial reporting, financial closing and Sarbanes-Oxley compliance. The product includes a new "scoping manager" feature that allows companies to assess the financial impact that individual accounts might have on the balance sheet. If the users of the technology decide that an account, such as free cash, is outside the scope of SOX, they can then use Scope Manager to document that decision for auditors to review later.
"The SEC has consistently stated for over a year now that companies need to make sure all controls are tied to financial reporting," said Frank Mara, vice president of marketing at Movaris. "All the SEC cares about is that filings are an accurate account of the financial health of a company. You have to do scoping to know whether or not in a given period, looking at individual financial accounts if there is an error in that account, would it have an impact on the accuracy of the company's financial report. If the answer is no, you shouldn't be spending time on it."
Marra said he has heard of companies testing their controls for the office coffee budget while trying to comply with Sarbanes-Oxley.
"There really are companies testing controls that they shouldn't be testing and spending an enormous amount to do that," Marra said. "The more clarity that we can provide around the control fabric, the more confidence people will have that their controls are necessary."
Scope Manager creates more visibility and transparency and allows a company to have a discussion about scope without having to "track down a bunch of spreadsheets," Marra said.
Hagerty said Scope Manager isn't infallible. CIOs should warn their finance departments that they still have to get buy-in from external auditors.
"They've got to basically enter a negotiation process with the auditors and make sure they come to an agreement [about scope]," Hagerty said. "The worst thing they can do is to make a decision [with Scope Manager] and say that's final. And if the auditor disagrees, you suddenly have a gap in control. Technology can only go so far. Technology helps automate and document the process and then you have to have a discussion with the auditor."
Let us know what you think about the story; e-mail: Shamus McGillicuddy, News Writer