Sunday, October 28, 2012

SOX case study

Executive Summary

The Sarbanes-Oxley Act (SOX) has created quite a tumultuous time for businesses in its brief existence. While the cost of compliance with SOX was initially rather expensive, the continued cost of compliance threatens to put many publicly traded companies out of business (Sneller & Langendijk, 2007, p. 102). The biggest argument lies squarely in the realm of cost-benefits. Many in the European Commission believe SOX’s broad, sweeping, and international implications are, at best, not enough benefit and, at worst, an arrogant stance by the U.S. Government. While it is true that SOX can reach internationally to companies wishing to trade on the New York Stock Exchange (NYSE) (Sneller & Langendijk, 2007, p. 102), it is also true that they could choose not to trade on the NYSE and thus avoid SOX requirements. However, that would severely limit their ability to do business internationally with any sort of success. Many of the issues discussed in the case study by Sneller and Langendijk point to the physical costs and man-hour costs of auditing and complying with SOX. But there are quite a few issues to consider beyond man-hours.

Introduction

Since its creation, the Sarbanes-Oxley Act (SOX) has been at the center of corporate scrutiny, especially the hotly contested section 404. Regardless of its contestation, SOX has been enacted into law, so the role of the businesses should be to do their best to comply with the law as it applies to their business. Sneller and Langendijk speak mostly of the costs associated with SOX compliance in their 2007 case study. However, there are more factors and issues they admittedly did not consider. Herein lie a few more issues and key factors to contemplate when discussing SOX compliance.

Issues

While the biggest issue discussed was the price of head count, there are a few other factors to consider regarding costs.
Simply looking at salary costs gives a moderate glance at the total cost of SOX, but it is just getting into the neighborhood of the true cost. When studying total cost, one has to look for the “fully-loaded” cost. That is the cost of all the various pieces, components, tools, and other non-labor costs added together to give the total “fully-loaded cost.” Unfortunately, that cost is not a fixed cost, nor is it anywhere near acceptable for many companies.

Smaller players in the market have also protested at being forced to pay disproportionately high compliance costs because of past scandals involving the big boys. Some public companies even took the bold decision to voluntarily delist from the NYSE because the cost of SOX compliance was deemed too expensive. (Rodgers)

One approach many companies use to show achievement is listing their company on the New York Stock Exchange (NYSE). However, the cost of SOX, which directly affects all companies that list on the NYSE, is what causes many to either go public on the London Stock Exchange or not list at all (Sneller & Langendijk, 2007, p. 102). This is a major issue in and of itself; however, if one takes into consideration the impact on a company’s momentum and morale, there is a more realistic view of the widespread and far-reaching costs associated with SOX compliance.

Another major concern is the potential conflict of interest involved in how costs are estimated. The Securities and Exchange Commission (SEC) is the primary focus of the investigation done by Sneller and Langendijk. According to page 102 of their 2007 case study, the SEC is responsible for making the estimates. However, what is not clear is whether the estimates they made were with a clear understanding of what the actual costs were at the time, or if they were estimating using what their “best guess” told them.
The potential for conflict of interest comes when one considers that the SEC is not only the primary consumer of this information, but also the primary driving force and enforcer of this law. What is concerning is the seeming lack of understanding of what it would actually cost to fully comply with SOX, especially section 404.

The final major issue with SOX compliance is that the SEC does not factor into their estimates the additional costs associated with compliance with other required standards. For example, Payment Card Industry Data Security Standards (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA) also take a major toll on the cost of doing business. If a publicly traded company were also to accept the burden of one of these other required compliance frameworks, the costs would skyrocket.

Addressing these multiple compliance initiatives strains IT resources and creates redundancies in business processes within an organization. Furthermore, the high degree of specialization among security and compliance vendors exacerbates the challenge of finding a solution that works across multiple mandates. (Shulman, 2006)

Most solutions listed required significantly more time and more money in the long run. The main reason for the additional money investment is simple: companies most often do not consider the compliance requirements prior to going public.

How to Make Compliance Work

The easiest way to make compliance work is one of two things: either loosen the burden of compliance requirements, especially related to SOX and HIPAA, or do more up-front planning prior to going to the public trade arena. There are complications with either solution. For example, up-front planning only really helps those that are not already publicly traded. Additionally, with the aftermath of Enron, WorldCom, and some of the major banks having issues, there is no foreseeable future where the government would loosen the requirements of SOX.
So where does that leave the world of businesses? For larger businesses, that leaves a bad taste in the mouth of their boards and leaves a dent in the year-over-year revenue stream. For smaller businesses, there is a very significant chance they will fail, either from not being able to go “public” or from noncompliance penalties. In either case, large, small or somewhere in between, businesses need to use the democratic process and lobby to find a solution that does not require such stringent and costly requirements. The best possible solution would also restore broken trust between large, publicly traded companies and the U.S. Government, whose responsibility is to protect and represent the private citizen. In addition, larger companies should set an example of proper compliance and provide tips to smaller companies that may not know where to begin. While there are some serious issues with compliance, especially in the realm of SOX, the only company that is a victim is the one that does nothing.

References

Rodgers, J. (n.d.). Counting the Cost of Compliance [White paper]. Retrieved October 27, 2012, from Business Management website: http://www.busmanagement.com/article/Counting-the-cost-of-compliance/

Shulman, A. (2006, December 18). PCI, HIPAA, SOX: Is Compliance the Tail Wagging the Dog? Retrieved October 27, 2012, from E-Commerce Times: Business means business website: http://www.ecommercetimes.com/story/54759.html

Sneller, L., & Langendijk, H. (2007). Sarbanes Oxley Section 404 Costs of Compliance: a case study. Corporate Governance: An International Review, 15(2), 101-111. doi:10.1111/j.1467-8683.2007.00547.x onl
