compliance costs

Small company 404 costs higher than study's estimate

Tue, 05 Feb 2008 06:59:59 -0500

The Lord & Benoit study on small company 404 costs generated a lot of media--that was the point. But now cfo.com reports that some think the study's average total cost of compliance, including management assessment of controls and audit fees, of $78,457 seems to be low. Other consultants seem to think the costs will be at least double, especially if you have to do some hiring. But Lord & Benoit says costs can be kept under control via savvy management, which includes following guidance from the SEC and COSO. The controversy underscores the need for careful planning, ahead of the auditor's attestation portion, which will not kick in for another year.

For more:
- here's the cfo.com article

The costs of restatements

Tue, 22 Jan 2008 06:59:59 -0500

For large companies, financial restatements have become less of an issue. As companies have moved down the Sarbanes Oxley learning curve, they have reduced mistakes greatly. But the issue looks large for smaller companies, who are still more likely to restate earnings. Compliance with 404 may boost the number of restatements. A sobering thought, especially as the credit crunch lingers, is that restatements often translate into more expensive loans. Financial Week notes a study by professors John Graham of Duke University, Si Li of Wilfred Laurier University and Jiaping Qiu of McMaster University, that found that loan spreads for companies that issued restatements paid about 210 basis points over LIBOR compared with an average 141. When restatements were due to fraud, it was 245 points. The study also found that these loans also carry more stringent covenants, higher collateral requirements and shorter terms. There's an obvious lesson here.

For more:
- here's the Financial Week article

Are the costs of Sarbox compliance really going down?

Tue, 07 Aug 2007 06:59:59 -0400

The conventional wisdom, when it comes to large-ish companies anyway, has been that companies are getting more savvy about compliance and that the costs have plateaued. Well, the latest Foley & Lardner survey has found that out-of-pocket costs associated with Sarbanes-Oxley compliance, including fees for vendor-based auditing and legal services, rose 12 percent last year to an average of $10 million for large companies ($1 billion plus in revenue). That's a significant hike. Audit fees, however, rose only 6 percent vs. 3 percent in 2005 and a whopping 67 percent in 2004. So while audit fees may be under control obviously, there are a lot of other costs as well. Legal fees and board compensation have driven the non-audit costs. The survey also found that 1 in 4 respondents say they are thinking about going private, the same as last year.

For more:
- here's the survey

Compliance Readiness--A Way of Life

Mon, 16 Apr 2007 20:01:30 -0400

Compliance Readiness--A Way of Life

By Paul Reymann, CEO, ReymannGroup

Over the past few years, organizations have undertaken massive efforts to implement Sarbanes-Oxley Act (SOX) Sections 302 and 404 requirements. Yet many organizations face other compliance requirements in addition to Sarbanes-Oxley--HIPPA, GLBA, FISMA, and others.

For companies that are publicly traded, financial service providers, healthcare providers, government agencies and others, noncompliance with new rules carries significant risk and sanctions. Common among these laws and rules are requirements that companies are proactive in strategically managing business and IT processes, applications, information, technology, facilities, and security. Management is now accountable for creating a risk management environment that recognizes the bonds between technology infrastructure, business processes, reputation, compliance, and effective internal controls. A company's ability to comply with these mandates materially affects its day-to-day success and long-term performance.

Common Compliance IT Threads

Many compliance requirements and rules are mandated across multiple laws and adopted industry initiatives. Fundamentally common among many of today's compliance mandates is the need for technology solutions that help enable a company to:

Pass audits
Proactively comply
Assure data integrity
Continuously manage risk
Ensure business continuity
Improve operating efficiency
Detect, reconcile, and report material events
Protect sensitive customer and corporate assets
Prevent or respond rapidly to fraudulent activities

Each compliance requirement carries associated costs; companies that are subject to multiple requirements must find ways to reduce their compliance costs. The effort to comply with multiple regulations simultaneously creates process challenges--overlap of compliance efforts between multiple groups; differing audit perspectives and requirements; priority setting; and potential confusion resulting from implementing overlapping controls.

By focusing on the common aspects of these laws, organizations can avoid duplicate efforts and streamline their compliance program. Here's how to create a robust and coordinated IT compliance program that leverages best practices to support operational excellence:

Create a culture of accountability

Achieving compliance begins with commitment from the organization's top executives, and achieving IT control begins with the CIO. When the CIO insists on defining processes and instituting a culture of effective controls and accountability, an organization will be able to achieve its compliance goals, as well as attain new levels of operational excellence. Auditors call this the "tone from the top." Management must say and do the right things to reinforce the need for controls to be successful.

Optimize Internal Audit Resources

With a culture of accountability established, organizations can then optimize their use of internal audit resources, in addition to trusted partners and technologies. Auditors and audit technology can provide early insights into areas of strength. They can also help identify weaknesses that create a competitive disadvantage and potential noncompliance. And they can highlight other risks to daily operations. Organizations of all sizes are discovering that material audit findings and problems increase their audit costs, expose them to higher reputation and compliance risk, and lead to financial reporting errors and delays.

Best Practices Enable Compliance

Regulatory requirements frequently offer a high-level process and risk-focused framework for achieving compliance-not detailed, actionable practices. Therefore, CIOs, compliance officers and other senior executives must rely on industry-recognized best practices and internal control methodologies to help them identify appropriate steps to enable compliance. Standards that are commonly referenced include those issued by The Committee of Sponsoring Organizations (COSO) or defined in the Control Objectives for Information and Related Technology (CobiT). Payment Card Industry (PCI) Data Security standards have been defined to help establish effective controls throughout merchant networks. These and other standards create new operations, technology and information security mandates--as well as new challenges.

Specifically, these regulations and best practice standards require that organizations assure security, prove effectiveness and separation of controls, document changes, and be able to provide underlying detail. However, for some organizations, this can be more challenging than it appears. According to a recent KPMG survey, IT controls dominate the significant deficiencies, and material weaknesses identified through the SOX 404 assessment. Change controls account for most of these weaknesses.

Audit Technology is an Enabler

Effective change control auditing requires automated preventive controls, independent detection, proactive corrective capabilities, and real-time reporting in order to meet regulatory control, evaluation, and disclosure requirements. Companies can implement technology to support such processes and make it easy for people to do the right thing.

Preventive: Use a change management/authorization system such as Remedy or Service Desk that guides the change process, tracks the status of changes, and creates an "audit trail" of authorizations.
Detective: Use an automated, independent detective control like Tripwire or random change audits to monitor the production environment for changes, compare changes with authorizations and detect "out of band" changes.
Corrective: Implement process and technologies like provisioning systems or backup/restore programs to put things back when unauthorized change is detected.

Perform Pre-audit Reviews

Adopting a "no-surprise" stance, many companies now perform pre-audit reviews to help identify problems and weaknesses early and allow sufficient time to correct problems. Many of these pre-audit reviews focus on the information technology infrastructure and use audit technology solutions to quickly identify the areas of most concern and prioritize remediation resources. While internal and external audits will always find some area of improvement, pre-audit reviews help effectively manage formal audits and limit material findings.

Self-assess Your Readiness

Use this Compliance Self Assessment Checklist to jump start your efforts to assess your organization's compliance readiness and opportunities for improvement--any negative responses suggest areas of exposure that may require additional attention:

1. Does your Board and management set the "tone at the top" and communicate compliance and ethics values, mission and vision to all staff effectively?

2. Is your compliance program integrated with your overall business strategy?

3. Do you assess compliance risks and does this process integrate with your enterprise risk management (ERM) efforts?

4. Is there a senior position in the organization which provides oversight and leadership for the compliance and ethics efforts and does this position have sufficient organizational status to be effective?

5. Is your process for updating policies and procedures effective?

6. Do you provide comprehensive training and conduct performance evaluations for each job to ensure compliance responsibilities are understood and adhered to, and that necessary skills are learned and employed?

7. Are employees, agents, and other stakeholders able to safely raise issues regarding compliance and ethics-related matters?

8. Do you scrutinize the source of compliance failures?

9. Has the organization been consistent when taking action against violators of the Code and Program?

10. Is there an ongoing process in place to monitor the effectiveness of the compliance and ethics program? And is there a process for determining which issues are escalated to the Board and for informing the Board when issues are resolved?

It is imperative to develop a culture of compliance throughout your enterprise that enables business units and auditors to work together to implement and maintain the most cost-effective IT control infrastructure. CIOs and senior managers need to assign resources (whether internal or outsourced) to significantly shorten compliance attainment times, enhance the organization's overall compliance posture, and minimize business disruption.

With increased privacy and security awareness among consumers, businesses and elected officials, best practices are being incorporated into new laws and regulations that mandate higher operations, security, and risk management standards. Today's organizations must be able to prove that their corporate governance, internal controls, network infrastructure, business processes, and operations are safe, sound, and secure. New laws and rules now dictate how businesses must govern, work, communicate, and securely interact throughout the internal corporate structure and with external parties such as customers and strategic resource partners. Such mandates directly impose obligations on the CIO to ensure that effective IT controls are established throughout the organization. Operational excellence is no longer a prudent business decision--it's a way of life.

Paul Reymann is one of the nation's leading financial institutions regulatory experts and co-author of Section 501 of the Gramm-Leach-Bliley Act Security rule. Fortune 500 companies have leveraged Mr. Reymann's subject matter expertise to develop successful go-to-market strategies for information security and technology products and services within key vertical markets.

Mr. Reymann is recognized in the prestigious 2006 Heritage Registry of WHO's WHO. He is referenced frequently in industry news and magazine articles. He is also the author of numerous articles and papers on technology risk, transactional web sites, customer information, network security and other technology and safety and soundness topics. You can reach Paul at paul@reymanngroup.com or (410) 956-7336.

Will the SEC's new rules help small companies?

Mon, 18 Dec 2006 19:01:39 -0500

If you run compliance or finance at a small-company, the SEC's latest Sarbox proposals give you a lot to ponder. On one hand, many will likely see the proposals as a disappointment. Smaller public companies will be granted an exemption from Section 404, which is what the venture industry really wanted. And compliance deadlines remain the same (the end of 2007 or 2008). But that doesn't mean there was no relief. A lot of the measures proposed will have a huge impact on small companies. In particular, managerial knowledge of the company can be used as a basis of compliance, which might allow some to shave costs of outside consulting. The big issue comes down to whether the Sarbox rules are truly scalable. The short answer seems to be "yes." How much this will reduce the $1 to $3 million in compliance costs that the average VC portfolio company pays is still unknown.

For more:
- read this Red Herring article

ALSO NOTED: Sarbox gooses in-house lawyer pay; LSE bent on staying out of Nasdaq's clutches;

Mon, 13 Nov 2006 19:01:38 -0500

> A new study finds that a lack of guidance and the ill-fitting nature of COSO's 1992 framework has boosted compliance costs. Initial reaction: Tell us something we don't know. Article

> The London Stock Exchange's strong growth may help it thwart overtures by the Nasdaq. At least, that's what LSE execs hope. Article | The CEO maintains the exchange is not for sale. Article

> Corporate America has made its Sarbox views know to the world. It sure seems as though there is broad consensus on trade. The only exception seems to be editorial writers. Article

> In-house lawyers salaries keep on going up. And Sarbox is one big reason. Article

And Finally... The stock market actually likes governmental gridlock. Article

New study documents benefits of Sarbox

Mon, 23 Oct 2006 20:01:39 -0400

There have been several studies that have documented the benefits of Sarbox. The most publicized was one in the Harvard Business Review, The Unexpected Benefits of Sarbanes-Oxley, by a pair of Deloitte & Touche executives. Now there is a study by MIT Sloan Assistant Professor Ryan LaFond. He finds that the law has resulted in significant benefits for businesses, including smaller firms. He found that compliance costs were rising even before Sarbox was enacted, as companies found that poor controls led to lower quality reports. Which was noticed in the marketplace. Sarbox provided the medium for improvement. The study also suggests that the costs of compliance wane a bit after the initial burst of activity. That point remains debatable. Some firms may build on their compliance efforts.

For more on the study:
- Here's a summary from NewsFactor

Total compliance costs dip, audit fees continue to soar

Mon, 26 Jun 2006 20:01:33 -0400

A lot has been made of a recent Foley & Lardner study which found that overall costs of corporate compliance fell 16 percent in 2005. But the study also showed that audit fees are keeping total fees from falling even more. The biggest line item for total compliance costs is audit fees. Public companies with less than $1 billion in annual revenue paid nearly $3 million in 2005, almost triple the amount before Sarbox was enacted. Accounting firms are certainly not complaining! Audit fees rose most for small-cap companies, 22 percent, compared to only 4 percent for S&P 500 companies. For the sake of comparison: Legal fees fell nearly 40 percent, corporate governance costs fell nearly 60 percent and productivity time lost fell 46 percent.

> Here's the ChicagoBusiness article.