SOX again. Getting to the real numbers.

I sense a series of enterprise software and law-compliance posts brewing. I tried to explain some compliance stuff last night via email, but I failed. Signal-noise ratio was wonky. So I’ll post instead. Warning: if you find law, finance costs and software boring, stop reading now.

I’d rather pick up on other laws than the Sarbanes-Oxley Act of 2002; it tends to crowd out discussion on other important laws, and paints a very US-centric picture of compliance. But given that the Act is undergoing a timely fine-tuning, I figured it was worth a revisit.

Details here on the SEC site. 

“Congress never intended that the 404 process should become inflexible, burdensome, and wasteful. The objective of Section 404 is to provide meaningful disclosure to investors about the effectiveness of a company’s internal controls systems, without creating unnecessary compliance burdens or wasting shareholder resources,” said SEC Chairman Christopher Cox. “With the Commission’s new interpretive guidance for management on the evaluation and assessment of its internal controls over financial reporting, companies of all sizes will be able to scale and tailor their evaluation procedures according to the facts and circumstances. And investors will benefit from reduced compliance costs.”

You can watch the SEC broadcast here. (Nice transparency!) I’ll explore the implications of these changes in another post, but it seems that the US is moving to a more principles-based control framework, which is more like the UK’s FSA model. SOX isn’t being scrapped or radically transformed, but after 3 years of year-ends the SEC is in a better position to improve the “protection-cost” ratio.

Vinnie has a regular go at SOX, SOX costs, and indeed those selling compliance tools. His recent post is no exception, commenting on Oxley saying he would have done things differently.

Wish he had said that 3 years ago – but sounds like we are back to “normal times” after pissing away billions on gun-to-the-head compliance spend.

In this post I’d like to explore SOX costs in a little more detail, because I’ve been privy to some interesting research. As part of my job I have access to the Hackett Group Research, and I’d really urge anyone who is interested in understanding technology and best-in-class performance to spend some time reading their stuff. It is thorough, independent, compelling and worth the money.

In 2005 Hackett commented.

This is the first time in Hackett’s 14-year history of benchmarking that finance costs have risen for typical companies.

2005 was the first year that Section 404 really hit home for most companies: they had to begin to comply with the requirement in their annual reports for their first fiscal year ending on or after April 15, 2005.

Hope Hackett don’t mind me linking the graph here.


Again in 2005 Hackett said.

Hackett’s research also found that world-class finance organizations now spend 42 percent less in the finance function than typical companies, and have 44 percent fewer finance staff. According to Hackett’s research, world-class finance organizations now spend 42 percent less than typical companies overall (0.73 percent of revenue versus 1.26 percent). Typical companies have seen an 18 percent increase in total finance costs since 2003, while world-class finance organizations have seen a 5 percent drop during the same period.

Compliance costs have risen significantly for both world-class and typical companies since 2003. World-class now spend 36 percent less on compliance than typical companies (.060 percent of revenue versus .094 percent). For instance we see that the typical company is spending an additional $340,000 per billion in revenues or a total of $940,000 per billion in revenues for additional internal finance and external resources to meet today’s compliance requirements.

There are a couple of things I’d like to pick up on this.

1. The impact of SOX is clear here. The big jump in costs can largely be linked to SOX-related projects, especially the panic projects that drove early spend. Interesting, though, that the world-class companies’ cost of compliance post-SOX is lower than that of the peer group pre-SOX. The impact of SOX is less on world-class companies than on the peer group too, the jump in absolute terms being significantly smaller.

2. Now, let’s move on to the more recent numbers from Hackett. (I don’t have a graph I can share publicly, but book of numbers owners can look it up.) The finance costs as a percentage of revenue for world-class companies have now dropped down to below pre-SOX levels, whereas for typical companies the cost continues to climb. The delta is growing. For those companies that lurch from audit to audit and spreadsheet to spreadsheet the cost of compliance will spiral, as SOX is just one wave in the ebb and flow of compliance demands. For those that invest in compliance automation, strong foundation systems and smarter processes, the picture is a whole lot better. Hackett has the numbers to prove it.

The message here is clear. Moan about SOX all you like, but the best companies in the world have focused on putting in place the processes and the technologies to drive down the cost of compliance.  Every year they will relentlessly improve their  processes, further automate and drive out more costs. Yes, compliance costs, but how big that cost becomes is entirely up to you.  SOX will not be the only law that causes compliance challenges.

I’m not sure where the  shame comes into it.  The finance folks that I talk to want a finance function that provides transparency, control and trust at the lowest possible cost.  And that is just for starters.



17 thoughts on “SOX again. Getting to the real numbers.”

  1. Thomas, for an area crawling with accountants you should have better financial data. It is similar to a Deloitte study I blogged about last year. It claimed to show the benefits from SOX but had nothing but soft justifications – as an accounting firm they would dismiss something like that from a client in 2 minutes flat.

    The data you present above says the typical company cost continues to climb. Hackett’s top quadrant companies reflect less than 5% of all public companies in the US, so I could surmise from your data the cost from SOX and other compliance continues to bite hard.

    “Shame” came from the Fortune cover article. I did not dream that up. Fortune, you have to admit, reflects corporate execs. The article reflects the views of many (most) CEOs, CFOs and CIOs that SOX was a punishment to all for the sins of a few.

    In this day and age when Chinese instant cities come up in 6 months, when something is not working you don’t take 5 years to fix it. Rep. Oxley could have easily made his statement it was not working 3 years ago. We did piss away a lot of money in the 3 years since.

    I do know a thing or two about accounting. I was certified as a CPA, and gave away my certification 6-7 years ago because I am not a practicing accountant. The first lesson I learned at PW was an internal control should not cost more than the benefit it delivers. The Big 4 appear to have forgotten that, along with many software vendors.

    Every dollar spent on compliance takes away from other innovation and efficiency initiatives. There is no free lunch. We can fret about global competition and do something about it.. Or we can piss it away on stuff like this. And feel good we are “compliant”

  2. Vinnie,
    perhaps check this out too. This and many other studies point to a reduction in SOX costs…

    SOX isn’t broken. That is where we differ. It needs adjusting sure, but given that most companies have had 2 year ends with it I think the reforms are coming at about the right time.

    What reforms would you like to see? What are the alternatives?

    You may find the site I linked to in the next post interesting.

    I really can’t see how you can blame this one on the software vendors. Compliance isn’t a zero sum game either. Why does compliance software sell well to organisations that have nothing to do with SOX? Like local governments or private companies.

  3. No, Thomas, you and Deloitte and the accountants tell me what we really got with SOX.

    More investor confidence? Assure me Enron will not happen again.

    Better oversight? What exactly were the auditors, the SEC, etc doing prior to 2001. Sad thing is if you read the WSJ reporters book on Enron, they were REPORTING their creative transactions in their investor reporting. The watchdogs did nothing. Young auditors telling experienced supply chain execs they could not do this or that in the name of SOX is not my idea of better oversight.

    Better controls, better documentation? From 95 to 2001 every SAP or Oracle pitch I heard was you will get integrated this, better documented that, wall to wall best practices. Did the systems fail? Were they oversold? Why do we now need an elaborate new GRC set of functionality?

    Corporate America was already paying for all that. They have been made to spend even more on the very watchdogs and systems which should have been doing their jobs…

    If SOX is so damn good how come Europe is not rapidly adopting it. China, India. They are usually quick to adopt US best practices…

    Ok, so we spent the money, now show me how we are better off. Show me the financial pay back. Show me improved confidence in the financial system.

    Because that is good money we could have invested in a number of innovation areas.

  4. Vinnie,
    If I may, I’ll refer you to an older post of mine.

    Measuring the success of SOX is easy. Look at the nasdaq, the Dow etc today. Now imagine that there had been no SOX. Read what the chairman of Goldman Sachs said in 2002…
    “All my suggestions have one aim: restoring trust in our system—trust in the accuracy of financial statements, trust in the integrity of corporate management, trust in the honesty of investment analysis. Without such confidence, we all lose. Investors will forego gains, entrepreneurs will have less access to capital, there will be fewer and less attractive jobs, less business to be done, and fewer tax dollars to support government programs. And the impact would fall most heavily on the less privileged. It is our job to see that our capital markets continue to be models of fairness and efficiency.”

    Now of course, not all of this is due to SOX, but it has helped to repair individual investor trust, and the proof of that is the health of the market today.

    For the accelerated filers SOX costs declined 23% last year. To 2,9 million. (see post from today) By this measure SOX looks like a bargain. This is less than a typical CEO salary package increase last year.

    But 404 requires slimming down. The PCAOB guidelines need attention. Yes SOX could be improved.

    But I wish folks would look beyond 404.

    403 has improved the backdating problem, but do I see you praising that? No.
    Sections 409, 303, 306,401….


  5. Thomas, to claim SOX costs have declined recently as an achievement is similar to saying – praise me, I have stopped hitting my spouse.

    You did not address my earlier point. What were the systems already in place in 2001 deficient in that we now need a whole generation of GRC functionality? And what were auditors doing for the already high fees they were making then?

  6. I believe I did address it.

    The spouse violence metaphor is entirely uncalled for. It has no place in this sort of discussion.

    The 404 reform is aimed at addressing excess audit, audit costs have been too high. Here we agree. PCAOB guidelines needed reforming.

    When you have actually seen the software come back and tell me what you think. It is tough to knock something you have never even looked at.

    In the meantime please explain why the software sells in places where SOX does not apply.

    One could easily say every dollar paid in excess CEO pay could be spent on innovation. This would be a much bigger number.

  7. If one aim of SOX was to restore investor confidence I should think it has succeeded very well. Want hard numbers? Look at the Dow.

    But SOX reductionism completely misses the point. The compliance spend should address multiple problems, not just one. In that sense Vinnie is correct. A myopic focus on SOX is not sensible. A disciplined, methodical, systematised approach to governance and risk management is.

  8. I’m no expert, but surely the benefit of SOX was that organizations both in the USA, and to some extent, the UK have realized the need to control and manage their financial information. Posting a set of results where the figures can’t be explained is surely bad practise. SOX has ensured software companies understand the problems and find a way of addressing these key issues. Regarding costs, surely if organizations start to see beyond the large software companies who jump on bandwagons, they’ll see some great solutions, that actually help the business practises – it’s not just a stick.

  9. I cannot believe so many of you think government policy has caused the stock market stabilization. Or that SAP which has mostly private sector customers is continuing to push the “compliance is good” agenda.

    Here’s Fortune’s take from the same article I quoted

    “For all that business has done to rehabilitate itself since, a significant factor has been what government has failed to do. It did not become the hero the public wanted. In the fight against terror, polling shows, just over half of Americans think the Iraq war made the U.S. more vulnerable to terrorism, not less so. Washington scandals – the Jack Abramoff lobbying mess, the Mark Foley sex mess – reminded voters that politicians can be every bit as sleazy as any executive.

    One episode did more than any other to turn attitudes around. That was Hurricane Katrina, when government at nearly every level looked utterly incompetent while businesses became the heroes. FedEx delivered 440 tons of relief supplies, mostly at no charge. Wal-Mart meteorologists informed managers that Katrina was headed for New Orleans more than 12 hours before the National Weather Service told the public; the company later hauled millions of dollars of supplies into the worst-hit areas days before FEMA showed up.”

    On the spousal abuse – sorry bad example.

    But please don’t cite stats for a bad investment and say things have improved because the investment is declining. It is bad money, may be a little less. Maybe.

  10. 1. SOX helped stabilise the market at a critical point. Ask Greenspan, Cox, Donaldson if you don’t believe me.
    2. Could it be better, sure.
    3. Let me quote business week in response.
    Not so fast, says a growing chorus of investors. Lost amid all the boos over SarbOx, they say, are some major benefits. The biggest: SarbOx and related reforms have produced much more reliable corporate financial statements, which investors rely on when deciding whether to buy or sell shares. For them, SarbOx has been a godsend.

    What’s more, says Duncan W. Richardson, chief equity investment officer at Eaton Vance (EV ) Management and overseer of $80 billion in stockholdings, even the act’s much disparaged requirements for testing internal financial controls could drive gains in corporate productivity and profits. Says Donald J. Peters, a portfolio manager at T. Rowe Price Group (TROW ): “The accounting reforms have been a win.”

  11. Greenspan turned around and criticized it last year. Oxley now says it could have been better written. There is remorse from many of the same guys who endorsed it.

    Fine – make the pendulum swing for the billions we wasted in its overzealous implementation last few years, not keep expanding compliance.

    On this side of the pond we have a healthy cynicism for government and politicians.

    A large percentage of SAP customer base is private sector. Help them improve supply chains, customer service – not add to the “compliance taxation”. Make your money through innovation not regulation…

    BTW – thanks for the forum…I have to work on client stuff so have to step off the debate, but appreciate the passion and debate…
