How to Reduce Costs when Complying with SOX 404

Section 404 contains the most onerous and most costly requirements you’ll ever encounter in the Sarbanes-Oxley Act (SOX). In this article, we?ll take a closer look at the salient points of this contentious piece of legislation as it relates to IT. We?ll also explain why companies are encountering difficulties in complying with it.

Then as soon as we’ve tackled the main issues of this section and identify the pitfalls of compliance, we can then proceed with a discussion of what successful CIOs have done to eliminate those difficulties and consequently bring down their organisation’s IT compliance costs. From this post, you can glean insights that can help you plan a cost-effective way of achieving IT compliance with SOX.

SOX 404 in a nutshell

Section 404 of the Sarbanes-Oxley Act, entitled Management Assessment of Internal Controls, requires public companies covered by the Act to submit an annual report featuring an assessment of their company?s internal controls.

This ?internal control report? should state management’s responsibility in establishing/maintaining an adequate structure and a set of procedures for internal control over your company?s financial reporting processes. It should also contain an assessment of the effectiveness of those controls as of the end of your most recent fiscal year.

Because SOX also requires the public accounting firm that conducts your audit reports to attest to and report on your assessments, you can’t just make baseless claims regarding the effectiveness of your internal controls. As a matter of fact, you are mandated by both SEC and PCAOB to follow widely accepted control frameworks like COSO and COBIT. This framework will serve as a uniform guide for the internal controls you set up, the assessments you arrive at, and the attestation your external auditor reports on.

Why compliance of Section 404 is costly

Regardless which of the widely acceptable control frameworks you end up using, you will always be asked to document and test your controls. These activities can consume a considerable amount of man-hours and bring about additional expenses. Even the mere act of studying the control framework and figuring out how to align your current practices with it can be very tricky and can consume precious time; time that can be used for more productive endeavours.

Of course, there are exceptions. An organisation with highly centralised operations can experience relative ease and low costs while implementing SOX 404. But if your organisation follows a largely decentralised operation model, e.g. if you still make extensive use of spreadsheets in all your offices, then you’ll surely encounter many obstacles.

According to one survey conducted by FEI (Financial Executives International), an organisation that carried out a series of SOX-compliance-related surveys since the first year of SOX adoption, respondents with centralised operations enjoyed lower costs of compliance compared to those with decentralised operations. For example, in 2007, those with decentralised operations spent 30.1 % more for compliance than those with centralised operations.

The main reason for this disparity lies in the disorganised and complicated nature of spreadsheet systems.

Read why spreadsheets post a burden when complying with SOX and other regulations.

Unfortunately, a large number of companies still rely heavily on spreadsheets. Even those with expensive BI (Business Intelligence) systems still use spreadsheets as an ad-hoc tool for data processing and reporting.

Because compliance with Section 404 involves a significant amount of fixed costs, smaller companies tend to feel the impact more. This has been highlighted in the ?Final Report of the Advisory Committee on Smaller Public Companies? published on April 23, 2006. In that report, which can be downloaded from the official website of the US Securities and Exchange Commission, it was shown that:

  • Companies with over $5 Billion revenues spent only about 0.06% of revenues on Section 404 implementation
  • Companies with revenues between $1B – $4.9B spent about 0.16%
  • Companies with revenues between $500M – $999M spent about 0.27%
  • Companies with revenues between $100M – $499M spent about 0.53%
  • Companies with revenues less than $100M spent a whopping 2.55% on Section 404

Therefore, not only can you discern a relationship between the size of a company and the amount that the company ends up spending for SOX 404 relative to its revenues, but you can also clearly see that the unfavourable impact of Section 404 spending is considerably more pronounced in the smallest companies. Hence, the smaller the company is, the more crucial it is for that company to find ways that can bring down the costs of Section 404 implementation.

How to alleviate costs of section 404

If you recall the FEI survey mentioned earlier, it was shown that organisations with decentralised operations usually ended up spending more for SOX 404 implementation than those that had a more centralized model. Then in the ?Final Report of the Advisory Committee on Smaller Public Companies?, it was also shown that public companies with the smallest revenues suffered a similar fate.

Can we draw a line connecting those two? Does it simply mean that large spending on SOX affects two sets of companies, i.e., those that have decentralised operations and those that are small? Or can there be an even deeper implication? Might it not be possible that these two sets are actually one and the same?

From our experience, small companies are less inclined to spend on server based solutions compared to the big ones. As a result, it is within this group of small companies where you can find a proliferation of spreadsheet systems. In other words, small companies are more likely to follow a decentralised model. Spreadsheets were not designed to implement strict control features, so if you want to apply a control framework on a spreadsheet-based system, it won’t be easy.

For example, how are you going to conduct testing on every single spreadsheet cell that plays a role in financial reporting when the spreadsheets involved in the financial reporting process are distributed across different workstations in different offices in an organisation with a countrywide operation?

It’s really not a trivial problem.

Based on the FEI survey however, the big companies have already found a solution – employing a server-based system.

Typical server based systems, which of course espouse a centralised model, already come with built-in controls. If you need to modify or add more controls, then you can do so with relative ease because practically everything you need to do can be carried out in just one place.

For instance, if you need to implement high availability or perform backups, you can easily apply redundancy in a cost-effective way – e.g. through virtualisation – if you already have a server-based system. Aside from cost-savings in SOX 404 implementation, server-based systems also offer a host of other benefits. Click that link to learn more.

Not sure how to get started on a cost-effective IT compliance initiative for SOX? You might want to read our post How To Get Started With Your IT Compliance Efforts for SOX.?

Check our similar posts

Server Application Solutions – Don’t Let Spreadsheets Hold Your Business Back

The problems and limitations of spreadsheet-based systems are well documented. That’s why we at Denizon have come up with ways to give you freedom from these UDAs (User Developed Applications). With the server application solutions we offer, your IT and financial system can be:

Totally devoid of spreadsheet risks

By getting rid of spreadsheets, you also get rid of broken links, incomplete range selections, accidental deletion of cells, incorrect copy-pasting and other spreadsheet-related slip-ups.

In their place, we offer a faster but more robust and reliable centralised system. Errors are substantially minimised by built-in controls, while inconsistencies are avoided because changes made by one user are automatically reflected on the data delivered to others.

Built-in business-critical controls

Some solutions are designed to add control features on spreadsheets. We believe that such features can only be truly effective in today?s fast-paced and dynamic business environment if they are already inherent in the design of the IT solution; not something that’s merely added as an afterthought.

For one, while these band-aid solutions may succeed in adding controls, they don’t get rid of the slow, tedious, and time-consuming processes that accompany spreadsheet systems.

Less prone to fraud

Weak controls and the absence of reliable audit trails are two factors that encourage fraudsters to prey on spreadsheet systems.

With our server-based applications solutions, your data is protected by user-based access controls that allow users to see only the information that they’re supposed to see and modify data which they have been granted sufficient access rights to.

Our solutions also produce clear audit trails for painless tracking, viewing and searching of user-entered changes. This will enable you to pinpoint who changed what, as well as where and when the changes were made.

Ready for regulatory compliance and beyond

When better controls are enforced, financial reports become more reliable. That should give your company the edge it needs to easily comply with SOX as well as other regulations and, as a consequence, build stakeholder confidence.

And because our solutions can churn out accurate reports for regulation compliance at shorter turnaround times than spreadsheet systems, you end up saving more man-hours. That should give your team more time to innovate, analyse information and deliver goods or services to your customers faster.

Designed for agility

Let’s face it. Spreadsheets, which used to serve as nifty ad-hoc business tools, are no longer suitable for agile organisations. When faced with the demands of rapidly changing markets and dynamic environments, spreadsheets can instead slow a business down.

Multi-dimensional reports, dashboards, report filters, drill-downs, collaboration and automated reporting, budgeting and forecasting capabilities are needed for gaining insights and making fast critical decisions.

Sad to say, your trusty spreadsheet application is not designed to provide these features. Hence, it’s time to move on to the type of solutions that are.

Our solutions can transform your IT and financial systems and make them better-equipped to meet the demands of today?s rapidly changing economic environment. With features designed for agile businesses, our solutions can help you tackle change with ease.

Automatic consolidation eliminates errors and wasted time caused by tedious copy-pasting of data and linking of cells.

Better collaboration capabilities allows team members to bring their heads together for planning, budgeting and reporting even while on the go.

Mobility support enables users to input data or retrieve information through their wireless mobile devices.

Superior sharing features ensures that everyone is exactly on the same page and viewing real-time information.

Dashboards provide insightful information at-a-glance through KPIs, graphs and various metrics.

Drill-downs enable users to investigate unusual figures and gain a better understanding of the details that contribute to the big picture.

Easy to learn interfaces allow your organisation to cope with fast personnel turnaround or Mergers & Acquisitions.

More Spreadsheet Blogs


Spreadsheet Risks in Banks


Top 10 Disadvantages of Spreadsheets


Disadvantages of Spreadsheets – obstacles to compliance in the Healthcare Industry


How Internal Auditors can win the War against Spreadsheet Fraud


Spreadsheet Reporting – No Room in your company in an age of Business Intelligence


Still looking for a Way to Consolidate Excel Spreadsheets?


Disadvantages of Spreadsheets


Spreadsheet woes – ill equipped for an Agile Business Environment


Spreadsheet Fraud


Spreadsheet Woes – Limited features for easy adoption of a control framework


Spreadsheet woes – Burden in SOX Compliance and other Regulations


Spreadsheet Risk Issues


Server Application Solutions – Don’t let Spreadsheets hold your Business back


Why Spreadsheets can send the pillars of Solvency II crashing down

?

Advert-Book-UK

amazon.co.uk

?

Advert-Book-USA

amazon.com

How Armstrong World Industries is going Cradle-to-Cradle

The Cradle-to-Cradle concept holds that human effort must be biometric, in other words enrich the environment within which it functions as opposed to breaking it down. This means manufacturing must be holistic in the sense that everything is reusable and nothing is destroyed. Armstrong World Industries was the first global mineral ceiling tile manufacturer to achieve Cradle-to-Cradle certification. We decided to take a closer look at how they achieved this.

Armstrong Worldwide Industries has five plants in the UK alone. These produce an annual turnover of ?2.7 billion. They have been making ceilings for more than 150 years. Fifteen years ago and way ahead of the curve it started recycling, and has maintained a policy of not charging contractors for waste ever since. Along the way, it developed a product that can be re-used indefinitely.

The Challenge

Going green must also be commercially sustainable. In Armstrong?s case, it faced a rise in landfill tax from ?8 per tonne per year to ?80 per tonne per year. This turned the financial cost of waste from a nuisance to a threat. It calculated that recycling one tonne of ceiling materials would:

  • Eliminate 456kg of CO2 equivalents by saving 1,390 kWh of electricity
  • Preserve 11 tons of virgin material and save 1,892 gallons of potable water

They hoped to extend their own recycling project by asking demolition and strip-out contractors to join it, so they could reprocess their scrap as new batches of tiles too.

The Achievement

As things stand today, an Armstrong ceiling tile now contains an average of 82% recycled content. Indeed, if they could find more ceilings to recycle this could reach 100%. In the past two years alone, Armstrong Worldwide Industries UK has saved 130,399m? of greenfield from landfill, being the equivalent of 520 skips that would otherwise have cost contractors over ?88,000 to dispose of.

The Broader Context

Armstrong Worldwide Industries is a global leader in water management, and is bent on minimising its reliance on fossil for energy. It has implemented online measurement systems that feed data to its corporate environmental, health and safety system. This empowers it to produce reports, track corrective actions and measure progress towards its overall goal of being carbon neutral.

Next time you sit beneath an Armstrong Worldwide Industries panelled ceiling, spare a thought for how much ecoVaro consumption analytics could contribute to your bottom line (and how it would feel to be lighter on carbon too).

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
Enhance and Streamline IT Processes

You can’t be assured of a competitive advantage by just buying the latest technology. Your top competitor can easily match that feat by simply spending as much on the same tools. To be always at least a step ahead, you’ll need to perform tweaks on your IT processes aligned with the strengths of your organisation.

IT solutions are like a pair of sneakers. If they fit perfectly, they’ll help you run the extra mile. If they don’t, you can develop blisters faster than you can reach a single mile.

In all our efforts to enhance and streamline your IT processes, we’ll start by looking at all your logistical advantages, limitations, and objectives to determine which technologies suit you best. Once we’ve obtained them, we’ll perform the appropriate customisation to make them perform optimally under the conditions unique to your organisation.

Below are just some of the enhancements we can apply to your organisation:

  • Put up application and systems monitoring to identify bottlenecks and underutilised resources in your IT infrastructure.
  • Propose areas where you can plough back the generated savings to further improve your ROI.
  • Take scalability into consideration when pushing for certain IT investments to ensure that the IT solution will work for your organisation not only today but even as your organisation grows.
  • Introduce mobile-capable enterprise-class IT solutions that allow seamless collaboration between team members working at different locations on the globe so that pressing matters can be resolved and decisions can be arrived at as quickly as possible.
  • Integrate Business Intelligence into your IT system so that massive collections of data can be processed into insightful information which managers can draw on to make intuitive decisions.
  • Introduce avant-garde solutions, like virtualisation and infrastructure sharing, which may require large scale changes but can also significantly reduce operational costs.

Find out how we can increase your efficiency even more:

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Ready to work with Denizon?

Contact Us Today