Sunday, October 28, 2012

SOX case study

Executive Summary

The Sarbanes-Oxley Act (SOX) has created a tumultuous time for businesses in its brief existence. While the initial cost of SOX compliance was high, the continuing cost of compliance threatens to put many publicly traded companies out of business (Sneller & Langendijk, 2007, p. 102). The biggest argument lies squarely in the realm of cost versus benefit. Many in the European Commission believe SOX's broad, international reach is, at best, not worth the benefit and, at worst, an arrogant stance by the U.S. Government. It is true that SOX reaches foreign companies that choose to list on the New York Stock Exchange (NYSE) (Sneller & Langendijk, 2007, p. 102), and it is also true that they could choose not to list there and so avoid SOX. Doing so, however, would severely limit their ability to do business internationally with any sort of success. Many of the issues discussed in Sneller and Langendijk's case study point to the direct costs and man-hours of auditing and complying with SOX, but there are quite a few issues to consider beyond man-hours.

Introduction

Since its enactment, SOX has been at the center of corporate scrutiny, especially the hotly contested section 404, which requires management to assess, and the external auditor to attest to, the effectiveness of the company's internal control over financial reporting. Contested or not, SOX is law, so the role of a business should be to comply with it as it applies to that business. Sneller and Langendijk (2007) speak mostly of the costs associated with SOX compliance. However, there are factors and issues they admittedly did not consider. Below are a few more issues and key factors to weigh when discussing SOX compliance.

Issues

While the biggest issue discussed was the price of head count, there are other factors to consider regarding cost. Simply looking at salary gives a first approximation of the total cost of SOX, but it only gets into the neighborhood of the true cost. To study total cost, one has to look at the "fully loaded" cost: the sum of all the pieces, components, tools, and other non-labor expenses added to the labor cost. Unfortunately, that cost is neither fixed nor anywhere near acceptable for many companies.

Smaller players in the market have also protested at being forced to pay disproportionately high compliance costs because of past scandals involving the big boys. Some public companies even took the bold decision to voluntarily delist from the NYSE because the cost of SOX compliance was deemed too expensive. (Rodgers, n.d.)

One way many companies signal achievement is by listing on the NYSE. However, because SOX directly affects every company that lists there, many choose instead to go public on the London Stock Exchange or not to list at all (Sneller & Langendijk, 2007, p. 102). This is a major issue in itself; if one also takes into account the effect on a company's momentum and morale, a more realistic picture of the widespread and far-reaching costs of SOX compliance emerges.

Another major concern is the potential conflict of interest in how costs are estimated. The Securities and Exchange Commission (SEC) is the primary focus of Sneller and Langendijk's investigation. According to page 102 of their 2007 case study, the SEC is responsible for producing the cost estimates. What is not clear is whether those estimates were made with a clear understanding of actual costs at the time, or were simply the SEC's best guess. The potential conflict of interest arises because the SEC is not only the primary consumer of this information but also the primary driving force behind, and enforcer of, the law. What is concerning is the apparent lack of understanding of what it would actually cost to fully comply with SOX, especially section 404.

The final major issue is that the SEC's estimates do not factor in the additional costs of complying with other required standards. For example, the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) also take a major toll on the cost of doing business. If a publicly traded company must also carry one of these other compliance frameworks, its costs will climb sharply.

Addressing these multiple compliance initiatives strains IT resources and creates redundancies in business processes within an organization. Furthermore, the high degree of specialization among security and compliance vendors exacerbates the challenge of finding a solution that works across multiple mandates. (Shulman, 2006)

Most of the solutions listed require significantly more time and money in the long run. The main reason for the additional spending is simple: companies most often do not consider compliance requirements before going public.

How to Make Compliance Work

There are two obvious ways to make compliance work: either loosen the burden of compliance requirements, especially those of SOX and HIPAA, or do more up-front planning before entering the public markets. Each has complications. Up-front planning only really helps companies that are not already publicly traded. And in the aftermath of Enron, WorldCom, and the troubles of several major banks, there is no foreseeable future in which the government would loosen the requirements of SOX.

So where does that leave businesses? For larger businesses, it leaves a bad taste in the mouths of their boards and a dent in year-over-year revenue. For smaller businesses, there is a very significant chance of failure, either from being unable to go public or from noncompliance penalties. In either case, large, small, or somewhere in between, businesses need to use the democratic process and lobby for a solution that does not impose such stringent and costly requirements. The best solution would also restore the broken trust between large publicly traded companies and the U.S. Government, whose responsibility is to protect and represent the private citizen. In addition, larger companies should set an example of proper compliance and offer guidance to smaller companies that may not know where to begin. While there are serious problems with compliance, especially with SOX, the only company that is a victim is the one that does nothing.

References

Rodgers, J. (n.d.). Counting the Cost of Compliance [White paper]. Retrieved October 27, 2012, from Business Management website: http://www.busmanagement.com/article/Counting-the-cost-of-compliance/

Shulman, A. (2006, December 18). PCI, HIPAA, SOX: Is Compliance the Tail Wagging the Dog? Retrieved October 27, 2012, from E-Commerce Times website: http://www.ecommercetimes.com/story/54759.html

Sneller, L., & Langendijk, H. (2007). Sarbanes Oxley Section 404 Costs of Compliance: a case study. Corporate Governance: An International Review, 15(2), 101-111. doi:10.1111/j.1467-8683.2007.00547.x

Wednesday, October 24, 2012

Compliance Criteria for RetireYourWay Hypothetical Case Study

RetireYourWay Compliance

Executive Summary

There are many compliance issues that must be considered by any company planning to do business. While the penalties for noncompliance differ from framework to framework, as do the business drivers behind each, every framework requires a fair amount of work. Whether it is PCI, HIPAA, SOX, or OPPA, the central issue is information management. One has to review all the rules and weigh the risks of noncompliance. Staying in compliance with PCI may cost a great deal, for example, but the cost of noncompliance can be the loss of the ability to accept payment cards at all.

Introduction

When an organization begins to operate, there are a number of issues its leadership needs to consider with respect to compliance. Depending on the type of business, numerous hurdles may be faced on the road to success. The line of business, location, and clientele are all important factors that bear on which compliance frameworks apply. When RetireYourWay entered business, its goals may have been simple; however, there are a number of compliance-related changes to how RetireYourWay does business that are needed to maintain its high level of success.

Payment Card Industry

Whenever payments are accepted via debit or credit cards, the Payment Card Industry Data Security Standard (PCI DSS) must be addressed. The PCI Security Standards Council, which maintains the standard, was formed in 2006 (ControlScan, n.d.). PCI DSS applies to any company that accepts, transmits, or stores cardholder data for American Express, Visa, MasterCard, Discover, or JCB. This framework is driven entirely by RetireYourWay's financial model: it issues a special card that rounds each purchase up to the nearest $0.50 and pays a 1% reward, and the cards are then used to withdraw money, with rewards paid again on withdrawal. Whether RetireYourWay processes the cards itself or uses a third-party vendor, there are stiff consequences for noncompliance.

The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. (ControlScan, n.d.)

One way to avoid this is to have the systems that handle cardholder data scanned by a PCI Approved Scanning Vendor (ASV) and then make whatever adjustments the scan calls for; PCI DSS requires such external vulnerability scans quarterly, not once. For example, if RetireYourWay takes payments over the web, a vendor such as WhiteHat can scan the site and advise on what needs to be fixed to remain in compliance.

Sarbanes-Oxley Act

By the sheer fact that RetireYourWay is a publicly traded company, it also falls under the Sarbanes-Oxley Act (SOX). Of all the frameworks, this is by far the most challenging to get right if it is not started early. SOX is a U.S. federal law whose goal is accurate financial reporting and accountability of corporate leadership; section 404 requires management to assess, and the external auditor to attest to, the company's internal control over financial reporting. SOX relies primarily on audits to produce the transparency it demands.

A traditional IT audit typically focuses on component, subsystem and sometimes on the system level auditable issues of the environment being audited with a strong bias towards security matters. Sarbanes IT audits add an entire layer of governance, financial, and controls matters to the audit process. The literature documents that a Sarbanes IT audit would rarely delve deeper than the system level since the primary objective of the Sarbanes audit is to assure the CEO, CFO, and Audit Committee that the financial information that is in the IT systems and being reported to the SEC is accurate and reliable. (Seider, 2004)

When a company does not foster transparency by nature, or does not understand the need for it, the potential hassle multiplies. According to Seider (2004), the point is to ensure the Securities and Exchange Commission (SEC) receives correct data; when that does not happen, the executives named above are squarely in the bulls-eye, because section 302 requires the CEO and CFO to personally certify each periodic report and section 906 attaches criminal penalties to knowingly false certifications.

Health Insurance Portability and Accountability Act

Because RetireYourWay has its own onsite health and fitness facilities, the Health Insurance Portability and Accountability Act (HIPAA) must also be considered. HIPAA prescribes specific safeguards, procedures, and notifications for individually identifiable health information. Whether it applies, however, does not turn on whether the records belong to employees, nor on whether the data is transmitted electronically in general; it turns on whether RetireYourWay is a covered entity.

The Privacy and Security Rules apply only to covered entities. Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules' requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. (HHS.gov, n.d.)

Covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with transactions for which HHS has adopted standards (HHS.gov, n.d.). A fitness center that holds employee wellness records is not such a provider, and records an employer holds in its role as employer are expressly excluded from protected health information (45 CFR 160.103). If, on the other hand, the onsite facility operates as a clinic that bills electronically, or RetireYourWay sponsors a self-insured group health plan, then that clinic or plan is a covered entity and the full Privacy and Security Rules apply. Offering employees online access to their records does not by itself create or remove the obligation; it only raises the stakes if the obligation exists. Given the size of the organization, there is a strong possibility it will offer staff self-service access to medical and fitness records, so the covered-entity question should be settled before that data goes online.

California Online Privacy Protection Act

One other major framework to comply with is the California Online Privacy Protection Act of 2003 (OPPA). This act requires any operator of a commercial website that collects personally identifiable information from consumers residing in California to conspicuously post a privacy policy on the site.

OPPA's reach extends beyond California's borders to require any person or company in the United States (and conceivably the world) that operates a Web site that collects personally identifiable information from California consumers to post a conspicuous privacy policy on its Web site stating what information is collected and with whom it is shared, and to comply with such policy. (Cooley LLP, 2004)

What this means is that the company must publish its privacy policy on its website and then actually abide by it. The separate duty to notify California residents when their personal data is breached comes not from OPPA but from California's data breach notification statute (Civil Code section 1798.82), which applies to RetireYourWay's California employees and customers alike. A notable aspect of OPPA is that it is keyed to a geographic region and a particular population of people. Because the rule attaches to California residents rather than to where the organization is based, its reach is much broader than that of many other regulatory compliance laws.

References

ControlScan. (n.d.). PCI FAQs and Myths. Retrieved October 19, 2012, from PCI Compliance Guide: Guide to Data Security Standards website: http://www.pcicomplianceguide.org/pcifaqs.php#8

Cooley LLP. (2004, June 29). California Online Privacy Protection Act of 2003. Retrieved October 20, 2012, from Cooley LLP website: http://www.cooley.com/57676

Department of Health and Human Services. (n.d.). Understanding Health Information Privacy. Retrieved October 20, 2012, from Department of Health and Human Services website: http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html

Seider, D. (2004). Sarbanes-Oxley Information Technology Compliance Audit [PDF]. Retrieved from http://www.sans.org/reading_room/whitepapers/auditing/sarbanes-oxley-information-technology-compliance-audit_1624