Businesses spent less on Sarbanes-Oxley Act (SOX) compliance in 2006, but the 2002 corporate reform legislation continued to extract its pound of flesh from public companies. A study from Foley & Lardner LLP shows that while the total cost of SOX compliance dipped in 2006, spending on so-called out-of-pocket costs rose by double-digit percentages.
External audit fees claimed the biggest chunk of money, accounting for more than 47% of the out-of-pocket spending on compliance by the smaller public companies. At companies with more than $1 billion in revenue, a whopping 60% of the money goes to external audit fees.
"Some experts predicted that external audit fees would decrease after the initial implementation of Section 404 audits, as external auditors became more familiar with their clients' accounting controls and, therefore, more efficient in conducting their audits," said Thomas E. Hartman, a partner at Foley & Lardner and director of the report. "Our study results do not support this prediction. Indeed, external audit fees have been the only cost our study has shown to increase every year since the Sarbanes-Oxley Act was passed."
SOX was enacted in response to the financial fraud committed by Enron and other corporations that looted shareholders of billions of dollars and shook confidence in the public markets. The law came under attack almost immediately, with some shareholder activists charging the reforms did not go far enough and companies complaining bitterly about the expense of complying with the law. Business interest groups said the cost of SOX compliance grossly exceeded the government's original estimates and undercut the ability of American corporations to compete in the world markets.
Meanwhile, all the manpower and money that companies have invested internally on SOX compliance is beginning to pay off. According to the Foley study, most of that dip in total SOX spending in 2006 was due to efficiency improvements in internal financial reporting -- and thus a gain in productivity.
IT departments shouldered a big part of the internal work done in preparation for SOX -- cleaning up and documenting processes. Can CIOs give themselves a pat on the back?
"CIOs will be able to pat themselves on the back when they sit down and help the rest of the business automate the internal controls as much as they can, and help get down the external audit fees, which are out of control," said analyst French Caldwell, who covers compliance at consultancy Gartner Inc. in Stamford, Conn. "It's not over yet. Don't even stop to catch your breath."
Caldwell said the Foley findings are consistent with other research. During the last three years, companies have seen about a 35% reduction in overall SOX compliance costs, almost all of which have come from savings on internal labor and on fees paid to consultants.
But a reduction in internal labor costs or one-time consultants doesn't equate with "any great efficiencies," he said, precisely because the external auditing fees have hardly budged -- indeed they're "out of control."
"That indicates to me that there is just as much to audit. That indicates to me that many companies haven't really rationalized the controls. They haven't automated a lot of the controls," Caldwell said. Nor have companies yet heeded the advice this spring from the Securities and Exchange Commission (SEC) to take a more risk-based approach to SOX compliance.
Part of the backlash from business on SOX was that the SEC and the Public Company Accounting Oversight Board failed to provide clear guidance on Section 404, the portion of the law that requires companies to prove their financial controls are accurate. Minus the guidance, companies had no choice but to give their external auditors carte blanche.
Last month the SEC approved Auditing Standard No. 5 (AS 5), which is aimed at increasing the accuracy of financial reports while reducing unnecessary costs, especially for smaller public companies.
The improved guidelines can help rebalance the power between management and their external auditors, who were "being paid to be afraid," Caldwell said. If CIOs want to help their companies solve the "tough nut" of external audit fees, they should read the appendix to AS 5 that talks about benchmarking automated control, he said. They should figure out what applications and assets can be taken out of the scope of the external audit.
"Don't wait until you get the bill next year. You need to be talking to your external auditor and, really, you need to be pressing them now for a reduction in scope of that external audit, "Caldwell said. "I would be looking at a 30% to 40% reduction in audit fee costs over the next two or three years -- at least."
Let us know what you think about the story; email: Linda Tucci, Senior News Writer