How to Reduce Costs when Complying with SOX 404

Section 404 contains the most onerous and most costly requirements you’ll ever encounter in the Sarbanes-Oxley Act (SOX). In this article, we?ll take a closer look at the salient points of this contentious piece of legislation as it relates to IT. We?ll also explain why companies are encountering difficulties in complying with it.

Then as soon as we’ve tackled the main issues of this section and identify the pitfalls of compliance, we can then proceed with a discussion of what successful CIOs have done to eliminate those difficulties and consequently bring down their organisation’s IT compliance costs. From this post, you can glean insights that can help you plan a cost-effective way of achieving IT compliance with SOX.

SOX 404 in a nutshell

Section 404 of the Sarbanes-Oxley Act, entitled Management Assessment of Internal Controls, requires public companies covered by the Act to submit an annual report featuring an assessment of their company?s internal controls.

This ?internal control report? should state management’s responsibility in establishing/maintaining an adequate structure and a set of procedures for internal control over your company?s financial reporting processes. It should also contain an assessment of the effectiveness of those controls as of the end of your most recent fiscal year.

Because SOX also requires the public accounting firm that conducts your audit reports to attest to and report on your assessments, you can’t just make baseless claims regarding the effectiveness of your internal controls. As a matter of fact, you are mandated by both SEC and PCAOB to follow widely accepted control frameworks like COSO and COBIT. This framework will serve as a uniform guide for the internal controls you set up, the assessments you arrive at, and the attestation your external auditor reports on.

Why compliance of Section 404 is costly

Regardless which of the widely acceptable control frameworks you end up using, you will always be asked to document and test your controls. These activities can consume a considerable amount of man-hours and bring about additional expenses. Even the mere act of studying the control framework and figuring out how to align your current practices with it can be very tricky and can consume precious time; time that can be used for more productive endeavours.

Of course, there are exceptions. An organisation with highly centralised operations can experience relative ease and low costs while implementing SOX 404. But if your organisation follows a largely decentralised operation model, e.g. if you still make extensive use of spreadsheets in all your offices, then you’ll surely encounter many obstacles.

According to one survey conducted by FEI (Financial Executives International), an organisation that carried out a series of SOX-compliance-related surveys since the first year of SOX adoption, respondents with centralised operations enjoyed lower costs of compliance compared to those with decentralised operations. For example, in 2007, those with decentralised operations spent 30.1 % more for compliance than those with centralised operations.

The main reason for this disparity lies in the disorganised and complicated nature of spreadsheet systems.

Read why spreadsheets post a burden when complying with SOX and other regulations.

Unfortunately, a large number of companies still rely heavily on spreadsheets. Even those with expensive BI (Business Intelligence) systems still use spreadsheets as an ad-hoc tool for data processing and reporting.

Because compliance with Section 404 involves a significant amount of fixed costs, smaller companies tend to feel the impact more. This has been highlighted in the ?Final Report of the Advisory Committee on Smaller Public Companies? published on April 23, 2006. In that report, which can be downloaded from the official website of the US Securities and Exchange Commission, it was shown that:

  • Companies with over $5 Billion revenues spent only about 0.06% of revenues on Section 404 implementation
  • Companies with revenues between $1B – $4.9B spent about 0.16%
  • Companies with revenues between $500M – $999M spent about 0.27%
  • Companies with revenues between $100M – $499M spent about 0.53%
  • Companies with revenues less than $100M spent a whopping 2.55% on Section 404

Therefore, not only can you discern a relationship between the size of a company and the amount that the company ends up spending for SOX 404 relative to its revenues, but you can also clearly see that the unfavourable impact of Section 404 spending is considerably more pronounced in the smallest companies. Hence, the smaller the company is, the more crucial it is for that company to find ways that can bring down the costs of Section 404 implementation.

How to alleviate costs of section 404

If you recall the FEI survey mentioned earlier, it was shown that organisations with decentralised operations usually ended up spending more for SOX 404 implementation than those that had a more centralized model. Then in the ?Final Report of the Advisory Committee on Smaller Public Companies?, it was also shown that public companies with the smallest revenues suffered a similar fate.

Can we draw a line connecting those two? Does it simply mean that large spending on SOX affects two sets of companies, i.e., those that have decentralised operations and those that are small? Or can there be an even deeper implication? Might it not be possible that these two sets are actually one and the same?

From our experience, small companies are less inclined to spend on server based solutions compared to the big ones. As a result, it is within this group of small companies where you can find a proliferation of spreadsheet systems. In other words, small companies are more likely to follow a decentralised model. Spreadsheets were not designed to implement strict control features, so if you want to apply a control framework on a spreadsheet-based system, it won’t be easy.

For example, how are you going to conduct testing on every single spreadsheet cell that plays a role in financial reporting when the spreadsheets involved in the financial reporting process are distributed across different workstations in different offices in an organisation with a countrywide operation?

It’s really not a trivial problem.

Based on the FEI survey however, the big companies have already found a solution – employing a server-based system.

Typical server based systems, which of course espouse a centralised model, already come with built-in controls. If you need to modify or add more controls, then you can do so with relative ease because practically everything you need to do can be carried out in just one place.

For instance, if you need to implement high availability or perform backups, you can easily apply redundancy in a cost-effective way – e.g. through virtualisation – if you already have a server-based system. Aside from cost-savings in SOX 404 implementation, server-based systems also offer a host of other benefits. Click that link to learn more.

Not sure how to get started on a cost-effective IT compliance initiative for SOX? You might want to read our post How To Get Started With Your IT Compliance Efforts for SOX.?

Check our similar posts

How Sustainable is Suez Environment

French-based Suez Environment works in the water and waste-management environment, with specific reference to water production, treatment, & pollution disposal, and waste treatment, recycling, incineration and site desensitisation. Its more than 65,000 employees distributed worldwide have participated in flagship projects like Renault’s goal of 95% reclamation of vehicle parts, and Lyonnaise des Eaux?s saving of 12 million cubic meters of water in a single year.

Suez Environment claims to have consistently increased the recovery rate of treated waste, decreased direct and indirect greenhouse gas emissions, and made significant inroads into the production of sustainable energy on behalf of its clients. But then surely that’s Suez Environment’s business, and with over 65,000 employees we are entitled to expect this. Given that there have been persistent allegations of privatised water distribution bumping prices up to the detriment of the poor, how effective is Suez Environment at practising what it preaches back home?

GDF Suez is its largest shareholder and includes it under its environmental and societal responsibility umbrella. This makes environmental performance an overarching goal alongside management systems, health and safety, risk and procurement, and ethics. Its environmental ambitions spin out into the following strategies:

  • Understand the interactions between our activities and the environment
  • Open dialogue with stakeholders and foster partnerships with them
  • Set quantitative and qualitative targets at all levels of the organisation
  • Achieve optimum balance between financial and environmental challenges
  • Be proactive; anticipate impacts on the environment and plan for them
  • Increase employee awareness through interactive training and education
  • Be constantly innovative; share successes within the organisation
  • Monitor progress continuously and publish measured results achieved.

These goals direct the Suez Environment management team?s attention towards optimising performance in key areas like greenhouse gases, energy management, renewable energy, biodiversity, responsible water management, pollution prevention and health and safety considerations.

Among numerous other examples, its waste incineration programs convert hazardous and conventional waste into heat used to generate electricity without requiring virgin carbon products. Elsewhere, the same energy warms market-gardening tunnels and work places on winter days.

Suez Environment uses sophisticated energy management software to analyse information that’s transmitted by data logging devices online. ecoVaro provides a similar service in the cloud. ecoVaro adapts to your requirements providing fresh insights to your business.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
How to be cleaner and greener indoors

The supply of water on planet earth is finite hence the need to conserve this precious resource. Water is a utility that is often used in and outdoors and for that reason, water conservation activities should be undertaken everywhere.

Get greener everywhere
Water saving can be achieved through various ways. Of utmost importance, fixing leaks should be undertaken in all areas. Small household leaks can add up to gallons of water lost every day. It is therefore important to check all water system fixtures and ensure that there are no leakages.

Greener bathroom habits
Turning off taps- this should be practised in the bathroom especially while shaving and brushing teeth. One could also consider using showers instead of baths since showers use less water and get into the habit of taking shorter showers.

Clean and green dishes
The kitchen is one of the areas where a lot of water is used. Some of the ways through which water can be conserved in the kitchen are:

  • Use of basins when washing dishes by hand
  • Using a dishwasher – when using the dish washer, it is important to make sure it’s fully loaded. Scraping plates instead of rinsing before loading it into the dishwasher will also go a long way in the conservation of the valuable commodity called water

Green your laundry and earn green bucks
The other area where water saving can be made is the laundry room. Washing only full loads of laundry will ensure that your washing machine is running at full efficiency hence you will be able to maximise your washer for energy efficiency. Always ensure you use the appropriate water level or load size selection on the washing machine. All these will not only save water but energy too and since savings are earnings you can smile all the way to the bank where some green bucks will be credited to your account.

What Sub-Metering did for Nissan in Tennessee

When Nissan built its motor manufacturing plant in Smyrna 30 years ago, the 5.9 million square-foot factory employing over 8,000 people was state of art. After the 2005 hurricane season sky-rocketed energy prices, the energy team looked beyond efficient lighting at the more important aspect of utility usage in the plant itself. Let’s examine how they went about sub-metering and what it gained for them.

The Nissan energy team faced three challenges as they began their study. They had a rudimentary high-level data collection system (NEMAC) that was so primitive they had to transfer the data to spread-sheets to analyse it. To compound this, the engineering staff were focused on the priority of getting cars faster through the line. Finally, they faced the daunting task of making modifications to reticulation systems without affecting manufacturing throughput. But where to start?

The energy team chose the route of collaboration with assembly and maintenance people as they began the initial phase of tracking down existing meters and detecting gaps. They installed most additional equipment during normal service outages. Exceptions were treated as minor jobs to be done when convenient. Their next step was to connect the additional meters to their ageing NEMAC, and learn how to use it properly for the first time.

Although this was a cranky solution, it had the advantage of not calling for additional funding which would have caused delays. However operations personnel were concerned that energy-saving shutdowns between shifts and over weekends could cause false starts. ?We’ve already squeezed the lemon dry,? they seemed to say. ?What makes you think there?s more to come??

The energy team had a lucky break when they stumbled into an opportunity to prove their point early into implementation. They spotted a four-hourly power consumption spike they knew was worth examining. They traced this to an air dryer that was set to cyclical operation because it lacked a dew-point sensor. The company recovered the $1,500 this cost to fix, in an amazing 6 weeks.

Suitably encouraged and now supported by the operating and maintenance departments, the Smyrna energy team expanded their project to empower operating staff to adjust production schedules to optimise energy use, and maintenance staff to detect machines that were running without output value. The ongoing savings are significant and levels of shop floor staff motivation are higher.

Let’s leave the final word to the energy team facilitator who says, ?The only disadvantage of sub-metering is that now we can’t imagine doing without it.?

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Ready to work with Denizon?

Contact Us Today