Following the Enron and WorldCom scandals in 2002, the government introduced the Sarbanes-Oxley Act and other governance laws concerning financial and reporting practices, data protection and privacy for large and small publicly held companies. However, SOX can also affect privately held companies that are planning to go public, grow in revenue or become acquired. SMBs that do business and partner with public firms governed by SOX are often required by their larger business partners to demonstrate SOX compliance.
A 2005 study by Foley & Lardner LLP on the impact of SOX on private companies showed that SOX had already affected 87% of firms queried. And 78% had voluntarily imposed reforms on themselves, mainly because their boards of directors, auditors, customers, lenders or insurance providers insisted they do so.
SOX compliance requirements range from tighter audit controls outlined in Section 404 to mandatory certification of relevant financial reports by the CEO and CFO. Section 404 was created to ensure accurate financial reporting and fraud protection. It requires companies to report on the state of their internal controls. But Section 404's inherent ambiguity made it the most complex and expensive part of SOX, as companies resorted to manual methods to achieve compliance.
Many SMBs complained about excessive costs incurred specifically by Section 404. Foley & Lardner's study showed the cost of being public increased 33% for SMBs in 2004, with Section 404 audit fees leading the cost increase. The cost of Section 404 compliance is one of the main reasons the SEC recently extended the date for SMBs to comply with Section 404 to July 15, 2007.
The cost of compliance with SOX for SMBs is significant. A portion of the cost may be associated with an investment in the IT infrastructure and services, among other costs. But whether it's a public SMB complying for legal reasons or a private SMB complying with SOX to continue to do business with its publicly held partners and customers, the investment benefits also affect business operations and the bottom line.
Here are some of the business benefits to investing in SOX compliance:
- Your company's financial and operational data will be available in real time to you, other decision makers and your auditors.
- Financial processes will be streamlined, reducing the chance of error in your company's financial information. This makes your business more attractive to potential customers, especially to larger companies with which you would like to do business and partner.
- You'll create a better audit trail and reduce auditing costs because data can be more easily tracked. Despite the extra effort required to create SOX-compliant processes initially, this will significantly increase the finance staff's productivity going forward.
- Your business will be far more resilient to disasters, natural and otherwise, because of improved records retention and data recovery mechanisms.
- Your company will enjoy lower fraud risks and hopefully reduced insurance premiums because security issues have been dealt with, and unauthorized data access has been made more difficult.
- Your business processes will become more efficient and your controls will work better as you standardize reports, automate manual activities, and consolidate or eliminate redundant workflows.
- Your business will be able to respond more quickly to market opportunities and challenges because of the more accurate information at your fingertips.
- You'll avoid legal and competitive liabilities associated with violating the privacy rights of customers and employees.
In the end, there are still pending changes to definitions and requirements for SMBs when it comes to SOX compliance, but as deadlines are delayed and classifications are evaluated, SMBs should look for the operational and business benefits they will realize by complying with SOX.
David Luft is senior vice president for product development for Computer Associates International Inc.'s SMB Program Office.