Sarbanes-Oxley has created a good deal of work and related expense for companies that are not corporate behemoths. But they might be missing an opportunity if they don’t turn SOX to their advantage.

by Peggy Cope

The signing of Sarbanes-Oxley in July of 2002 was a watershed moment in corporate America, and six years later is still defining a fair amount of how companies now do business. Beyond simply mandating that firms stay on the right side of the law to keep their executives out of jail and shareholders happy, it imparts an ethical imperative and moral compass. But all this comes at a price—a consideration that is of growing importance during times of global financial turmoil.

Anthony Zecca, partner at accounting and consulting firm J.H. Cohn, which specializes in staying on top of increasingly complex auditing and reporting issues, SEC filing/reporting, and corporate governance practices, talks about the compliance issues companies face when they outsource F&A functions, particularly in the middle market.

For public companies that have had to deal with SOX, outsourcing has become a way to deal with resource issues, according to Zecca. And going back over the six years since the legislation took effect, he said, the biggest compliant about SOX has been the cost of compliance, which has hit mid-market companies particularly hard.

“One of the paradigm shifts that have occurred in the last few years is once companies got past ‘Let’s just comply with the law’—and some were quite deficient in terms of formality of controls systems—all their time was spent on documenting controls. A golden opportunity was being missed.”

In terms of documenting systems, he said, out of every 100 hours put into testing a specific process, 50 were used to test, and the remaining 50 went into documenting the test. “Companies were spending thousands of hours documenting systems,” said Zecca. “Instead of spending that time on documentation, they should use some of it for process improvement opportunities, turn the SOX investment into a return on investment.”

When a mid-market company documents controls and systems, it doesn’t take much more to look at how those systems can be improved. This ties into outsourcing because for companies that bring in advisors, it’s easier for an outsider to spot problems than it is for someone who has been on the inside for years.

“For people on the outside who are trained in controls and process improvement, it’s easy to raise a flag and say, ‘You are spending a thousand hours doing X—maybe you don’t need to be doing that.’” By getting away from merely documenting and moving toward improving processes, potentially through outsourcing, a mid-market company can combine these elements and turn Sarbanes-Oxley compliance into a profit-making opportunity, rather than just an added cost the organization must meet.

Middle Market Challenges
One of the biggest challenges companies face is the fact that compliance is ongoing. If the firm has been complying for five or six yeas, it’s now in a maintenance mode of dealing with SOX. They have refined their systems and defined controls frameworks, and there’s not a whole lot of challenge any more in that area, for those that have been doing it. A resource challenge remains, however, and many mid-sized companies won’t have the resources to do all that SOX requires.

But other, non-accelerated public companies that have not yet had to comply with Section 404(b) for external audit face many challenges beyond resources. Most that have not had to comply yet have taken a hands-off approach to it, signing Sarbanes-Oxley 302 and 906 certifications every quarter, but they haven’t done any work to validate that the controls work.

“When SOX becomes fully applicable to them, they will face a host of challenges. If they find material weaknesses, and executives have been signing off that everything is OK, they face the challenge of risk of having material weaknesses they haven’t yet defined,” said Zecca.

Another risk that mid-market organizations face is a $500 million company doesn’t have the resources it needs to deal with the complexity of SOX compliance. “The level of effort in SOX when it comes to dealing with controls can tax firms that don’t have enough staff in F&A who possess the right competencies to deal with this,” Zecca noted. As a company’s size gets smaller, this becomes more difficult; the middle market will face challenges in how to effectively deal with the complexities of accounting in a way that passes muster with SOX.

These challenges can be met perfectly by an outsourced solution. Some companies that used to be able to call on an external auditor for help can no longer do so under new rules. A good outsourced solution can be done during peak periods, every quarter, or as need arises, working about four months out of the year. “Companies don’t need it the rest of the time,” Zecca added. “Most public companies have gone to an outsourced solution for that. People go in to work with them during the peak periods.”

To help mid-market companies cope with the challenges of SOX, J.H. Cohn developed six tips (see sidebar) to help organizations stop looking at SOX as a nuisance or something they have to wrestle with, and turn the requirements into an advantage from the company’s point of view.

The secret of using SOX requirements to your advantage is to note how to make your processes more effective.

“One thing that’s been lacking in public companies is dashboards and analytics,” Zecca said. “That’s real-time compliance. SOX is about preventing material weaknesses, but for most companies, it doesn’t help to find out they had a control breakdown in a major area after the fact, so they run around trying to fix it. Take the company that has foreign locations as an example. They can set up a system with metrics for monitoring controls; if an order goes through that’s outside the norm, they can use the process to report back on a dashboard to the CFO showing that the gross margin was way off, so you know something happened. Real-time analytics streamline the monitoring of controls, rather than going in after the fact. SOX tests things after the event. Making it real means taking internal controls for SOX and making it real-time.”

By living the six points, companies find that their controls systems improve. This can take an organization to world-class operation, using Sarbanes-Oxley as the impetus.

“Moreover, it allows mid-market companies to improve themselves geometrically,” said Zecca. “Most companies just do what they do every day—they don’t stop to examine whether they are doing it the best way, the most profitable way.

“With mid-market companies, which don’t have limitless resources, outsourcing is a perfect fit to help maintain SOX compliance. From the SOX point of view, you need the assurance that your business partner has controls in place to protect their client’s integrity.”