Sarbanes-Oxley: not winning any popularity contests

OR&C INTELLIGENCE

There is no doubt about it – Sarbanes-Oxley is not a very popular piece of legislation among financial services executives. In this month's OR&C Intelligence survey, sponsored by risk solution company Ci3, 64% of the respondents said it is a "law whose benefits are achieved at an excessively high cost".

Sarbanes-Oxley, enacted in 2002 by the US Congress in response to corporate scandals such as Enron and Worldcom, was designed to improve accountability both within organisations and between companies and shareholders. The problem, its critics say, is that it was drafted in a great deal of haste as a 'knee jerk' reaction to these scandals and so it is unwieldy, expensive and hinders the efficient functioning of business.

As a result, many financial services firms have been working to try and find a way of bringing compliance with SOX – as it is affectionately known – into a firm's overall approach to enterprise-wide risk management, which usually includes the firm's operational risk strategy. Advocates of this approach to SOX point out that real business benefits can be achieved, but many firms have yet to take steps forward to making this integration a reality.

Twenty-three percent of those who responded to the survey say that their firm does not integrate SOX compliance into their wider enterprise-wide risk management strategy. And only just about half of those who responded – some 53% – say that SOX compliance is coordinated with other compliance efforts, such as Basel II, Solvency II or corporate governance. Another 29% admitted that their firm intends to, but hasn't got around to it yet. 13% confessed their firm doesn't do it at all.

Even then, there is cynicism about these survey results from industry observers. "I'm surprised that the number of people who say they are coordinating SOX with other initiatives is so high," says one New York-based operational risk executive. "My experience, talking with colleagues, is that there are a lot of people out there who wish this is what they were doing. Sometimes they try to coordinate within their firms, but just how much coordination could they actually do? Most firms have spent the past 18 months just trying to comply with SOX itself. It's a big project. Coordination with other compliance projects, frankly, I think has been secondary."

Executives are so negative about SOX because compliance hasn't come cheaply. Some 24% of respondents say they have spent more than $11 million implementing SOX at their firms to date, and 7% have spent between $6 million and $10 million. While just 2% have spent between $4 million and $5 million, another 17% have spent between $2 million and $3 million.

Firms are hoping that these costs will decrease in 2006 – some 23% of respondents expect SOX expenditure to decline by more than 25% this year, while 16% say it will drop between 10% and 24%. Another 16% say it will edge down between 1% and 9%, while 27% are expecting no change in spending levels.

This money has been spent, primarily, on consulting services (26%). Another 18%, on average, has been spent on audit support, while 13% of costs have gone to increasing the number or cost of staff. Just 12% of these funds has been spent on technology solutions to SOX – a figure many agree with. Says one SOX project manager based on the west coast of the US: "Most firms are guilty of a fire-fighting mentality when it comes to Sarbanes-Oxley. Everyone – including us – just wanted to make sure we complied. No one wants to go to jail and I think it was the jail sentence that non-compliance with Sarbanes-Oxley could bring that focused senior executive minds. People thought, just get it done, never mind putting in a process that can be replicated year after year. Money was spent, hand over fist, on consultants."

This mentality can be clearly seen in the lack of tangible benefits from SOX to firms, according to the survey. Overall scores for 'benefits achieved' were very low. The most substantial benefits – judged by the number of respondents who selected them for a score of '1' – were tighter financial and audit controls and improved overall business operations and efficiencies.

But very few of the respondents said the legislation had resulted in better corporate governance disclosure and reporting, greater board of director involvement in the company or greater transparency within the organisation. None of the respondents to the survey selected 'restoration of investor confidence' as a first choice benefit. Several respondents said that they had achieved 'no benefits' from their implementation of SOX.

From the results of this survey, it is clear that financial services executives feel they have received little value for the large sums of money that they have had to spend on Sarbanes-Oxley compliance. Now, many are struggling with the challenge of how to integrate the pieces of SOX framework that they have already put in place with the Basel II operational risk programme their firm has developed, usually entirely separately.

Many software companies are seeking to capitalise on this problem by offering a combined technology platform for the two approaches – there are at least four of these in the marketplace today. But just how much demand for these systems there is remains to be seen. A full 32% of respondents either do not have a SOX system and do not intend to purchase one, or already have two different systems and have no intent of changing to an integrated single system. Another 16% have purchased a SOX system and intend to use that for op risk, while 14% have bought an op risk system and will use that for SOX.

Only 16% say they have purchased either an op risk or a SOX system but plan to buy an integrated system in the future. Just nine per cent say that they've not bought either a SOX or an op risk system, but will 'endeavour to buy one system for both'. Says the SOX project manager from the west coast of the US: "An integrated approach makes sense. But at the end of the day, if it's a compliance exercise, justifying budget can be problematic. The challenge for all of us lies in getting management to buy into the idea that this is really about improving business practices." OR&C
