SOX 404: Practical Approaches to Cut Costs - PowerPoint PPT Presentation

1
SOX 404: Practical Approaches to Cut Costs and Add Value
Jeff Thomson and Tim Leech
June 18, 2007
2
Today's Speakers - Jeff Thomson
  • IMA VP of Research and Applications.
  • COSO Board Member.
  • Former Strategic Business Unit CFO at AT&T (other decision-support roles).
  • Published author, global speaker (ERM, performance management, strategic costing, strategic planning).
  • Exemplary sense of humor.

3
Today's Speakers - Tim Leech
  • Pioneer and thought leader in GRC, ERM, SOX, and business ethics.
  • Global speaker, published author.
  • Currently, Chief Methodology Officer at Paisley Enterprise GRC software company.
  • Effective July 3, 2007: Director, Corporate Trust Maintenance Restoration Services at Navigant.
  • EFFECTIVE JULY 1, 2007: First IMA Managing Director of Finance GRC Research Practice!
  • Known to be a pot stirrer and not having opinions.

4
Agenda
  • The Business Issue
  • Drivers of High Compliance Cost
  • Practical Approaches to Increase Value
  • What's Next?
  • IMA Resources

5
But First, Some Help from YOU! Tee-Up Questions
  • Who thinks SOX the Act should be amended right
    now to fix the problems the SEC and PCAOB have
    created?
  • Who is happy with SOX just the way it is because
    it has led to pay raises, recognition and more
    work for auditors?
  • Who thinks the SEC and PCAOB have got it right
    with their May guidance revisions? Who thinks we
    aren't there yet?
  • Who in the room could care less about SOX but
    needed to attend to get the CPE credit?

6
The Business Issue
  • While SOX the law was necessary and appropriate,
    implementation has come at a high cost
  • Compliance costs more than 20X original SEC
    estimates. Internal costs going down, but
    majority of filers state cost-benefit not
    realized.
  • Small companies delisting or threatening to
    de-list due to disproportionately high compliance
    costs just kicking in starting in 2007 and 2008
  • SOX impact on U.S. competitiveness and jobs.
  • SOX has taken management's eye off the prize -
    growing shareholder value.

7
Global IPO Listings: SOX Cause and Effect??
Source: Thomson Financial, Equity Capital Markets Review, Q4 2006
[Chart: vertical axis "of Global Proceeds (US m)", 0 to 40; horizontal axis "Year", 1999 to 2006; series: New York, Hong Kong, London]
8
Small business concerns
  • Is this really the system we want for our
    economy? Is it really serving the shareholders
    in a way that justifies the cost? Are we really
    helping to make America a better place to live
    and work? Or are we punishing the many for the
    crimes of the few because, in the end, it's just
    plain easier?
  • - Kenneth Wilcox, president and CEO, SVB Financial Group, Wall Street Journal 6/1/07
  • (NASDAQ traded compliance costs now up to 17,000 per employee).

9
Another tee-up question (already?)
  • How many accelerated filers in the room (show of
    hands) complying with SOX now?
  • How many non-accelerated filers in the room
    soon to be in the SOX compliance game??
  • Any volunteers willing to share their biggest
    pain-points to date??

10
Drivers of High SOX 404 Compliance Costs: IMA Research Study, September 2006
11
COST OF SOX COMPLIANCE RELATED ACTIVITIES
Creating and Maintaining Documentation and Testing of Key Controls considered Somewhat to Very Costly by more than 90% of the respondents.
Refer to Table 9 of study for detailed discussion.
12
% OF RESPONDENTS REPORTING DECREASE IN SOX COMPLIANCE COST RELATIVE TO YEAR 1
Majority reporting decrease in all SOX compliance activities except Self Assessment.
Refer to Table 10 of study for detailed discussion.
13
% OF RESPONDENTS EXPECTING DECREASE IN SOX COMPLIANCE COST RELATIVE TO YEAR 1
While one in three respondents expects Key Control Testing and Remediation related costs to decline by more than 20%, only one in five respondents expects the Self Assessment and Attestation and Certification costs to decline by the same percentage.
Refer to Table 10 of study for detailed discussion.
14
FACTORS DRIVING SOX 302/404 COMPLIANCE COSTS
Refer to Table 11 of study for detailed
discussion
15
FACTORS DRIVING SOX 302/404 COMPLIANCE COSTS
Refer to Table 11 of study for detailed
discussion
16
WHAT IS ACTUALLY GUIDING THE INTERNAL CONTROL ASSESSMENTS: COSO 1992 OR AS2?
17
IMPLICATIONS
  • The following two cost drivers were cited by 68% of the respondents as having moderate to large impact on their SOX compliance cost:
    1) Lack of practical guidance from the SEC or other professional organizations on how to accomplish the task of deciding on what constitutes an effective or ineffective internal control system.
    2) Redundant testing performed by external auditors and internal auditors or the SOX compliance group due to the inability of these groups to collaborate to reduce the sample size.
  • The above findings remain valid even when the overall sample is analyzed by auditor type and management type.
  • Only one out of every four respondents in our sample believes difficulty in using the COSO 1992 framework in arriving at a consensus opinion on the effectiveness of their system of internal controls is a significant cost contributor.
  • However, only 28% of the respondents reported that the majority of their internal control assessment was largely guided by and conducted in accordance with the COSO 1992 framework.

18
LACK OF INTEGRATED AUDIT - ANOTHER COST FACTOR
A significant percentage of respondents from
small as well as medium to large companies
continue to report lack of an integrated audit as
another cost driver.
Refer to Table 12 of study for detailed
discussion
19
PERCENTAGE OF UNNECESSARY DOCUMENTATION AND TESTING
For the overall sample almost 62% of the respondents reported that 21% to 50% of the Documentation and Testing was unnecessary.
Refer to Table 13 of study for detailed discussion.
20
TYPE OF RISK BASED ASSESSMENT APPROACH
More respondents from smaller public companies
report taking a bottom up control centric
approach.
There appears to be a wide variation in
understanding and interpreting what is meant by
Risk Based Assessment Approach
Refer to Table 14 of study for detailed
discussion
21
Tee-up question
  • Need a volunteer(s): How many companies in the
    room said they did their review in accordance
    with COSO but aren't sure you could prove it?
  • How many companies used COSO and an IT framework
    like COBIT but only listed COSO in SEC filings?
  • PS: We will discuss practical solutions, lessons
    learned, etc. Right now --?

22
Practical Compliance Solutions: Two Levels of Engagement
  • Broader/Advocacy Level: Silence is Not Golden.
  • More Practical and Tactical: Just do it.

23
Silence is Not Golden: IMA Issue 1
New PCAOB proposed standard is more detailed and prescriptive than SEC. Hence, PCAOB rules could be the costly de facto standard for management.
[Figure labels: Management Rule Book; Auditor Rule Book]
Mid-Term Grade (12/06): D
Final Grade (5/07): C -
Comments: Better alignment, but AS5 still likely to be de facto standard for management.
24
Silence is Not Golden: IMA Issue 2
New guidance is not truly risk based, perpetuating high number of key controls and cost.
Mid-Term Grade: D -
Final Grade: D
Comments: Additional fraud emphasis good but risk assessment guidance lacking or seriously flawed.
25
Silence is Not Golden: IMA Issue 3
The regulations still call for zero material defects in draft financial statement to get a passing grade from their auditor. Disproportionate impact on smaller companies.
[Figure label: 12 ft.]
Mid-Term Grade: F
Final Grade: F
Comments: Where is the evidence that investors are better protected???
26
Silence is Not Golden: IMA Issue 4
New rules still not practical for smaller public companies: ambiguity disguised as flexibility.
[Chart: Compliance Cost as a % of Net Revenue; labels: Big Companies, SPCs]
Mid-Term Grade: D
Final Grade: D/Incomplete
Comments: Improved language does not translate to practical, scalable guidance that is cost effective.
27
Silence is Not Golden: IMA Issue 5
The regulators have misinterpreted Congressional intent on the auditor's opinion, resulting in auditor control/high cost.
[Figure labels: Legislative Intent; Auditor's P/F Grade on Management's ICFR Effectiveness]
Mid-Term Grade: F
Final Grade: F
Comments: Prominent registrants and countries around the world disagree with SEC but minimal rationale provided.
28
Practical Compliance Solutions: Just Do It
  • Employ a true risk-based approach to assign
    compliance resources commensurate with risk,
    driving down cost and achieving value ...
  • ... But remember you must produce financial
    statement drafts free of even a single material
    error. This is the real kicker in the current
    rules.

29
A Continuous Risk Management Process
Source: Adapted from The Institute of Chartered Accountants in England and Wales, 199947.
30
Beyond SOX: IMA's Risk Based Approach
31
More Tee-Up Questions ...
  • Group Exercise: Is it really possible to give
    pass/fail opinions on control? Let's start with a
    simple exercise on fire safety.
  • What practical and/or cunning solutions/strategies
    has your organization implemented to implement
    internal controls at reasonable cost, high value
    and protection to your stakeholders?
  • Notice: Not just a question for the SOXers!

32
What's Next ...
  • Congressional intervention to delay small
    business implementation again??
  • SEC must officially approve PCAOB AS No. 5 (this
    summer).
  • SEC must finally release its own guidance
    presented at 5/23/07 open meeting.
  • PCAOB to issue supplemental guidance to smaller
    registrants later this year
  • Remember, Silence is Not Golden. Get engaged if
    you have an issue with regulations!!

33
IMA Resources Available NOW!!
  • SMAs (Statements on Management Accounting)
  • ERM Frameworks: January, 2007.
  • ERM Tools: May, 2007.
  • Research studies, global discussion papers,
    comment letters filed with SEC, PCAOB,
    Congressional testimony.
  • Webinars (for re-broadcast), conference topic,
    Strategic Finance articles.

34
IMA Resources Available SOON!
  • ANNOUNCING IMA's Finance GRC Research Practice ...
  • Managing Director: Tim Leech
  • Products and Services 6 months out: Resource
    Center to help produce right, reliable and
    relevant financial reports
  • Products and Services 12 months out: Specialized
    certificate in assessing ICFR (per new SEC rules)
  • Send email NOW to jthomson_at_imanet.org to learn
    more!!!

35
Integrated GRC: Why the Next Frontier?
Market Forces
  • Governance
  • Alignment
  • Accountability
  • Work Room to Boardroom
  • Cross-Functional
  • Compliance
  • Org, local, state and federal
  • Industry Specific
  • SOX: Big, but just a sliver
  • The accelerator, not the brakes
  • Risk
  • Not just Financial
  • Not in Silos
  • Integrated Part of Planning
  • A Global Body of Knowledge

Exceed Stakeholder Expectations (Add Corp. Social Responsibility)
Business DNA: Culture, Communication, Community, Change
36
THANK YOU! ENJOY THE CONFERENCE AND REMEMBER: SILENCE IS NOT GOLDEN!!!