When President Bush signed the Sarbanes-Oxley Act (the bill was actually called the "Public Company Accounting Reform and Investor Protection Act" in the U.S. Senate) into law on July 30, 2002, I never in my wildest business-trade-writing dreams thought it would provide me job security for the next half-dozen years.
Even today, as risk management issues appear in the business page headlines almost every day, "SOX compliance" for me has a similar throw-back ring to it as, say, "dot-com," "Mars Odyssey space probe" or "President Bush."
But for tens of thousands of finance, accounting, compliance, risk and internal audit professionals, SOX compliance remains quite current. That's why a new 49-page report on the current state of Sarbanes-Oxley compliance from Protiviti is not a throwback at all, but quite useful. The report is based, in part, on feedback from more than 400 executives, corporate SOX leaders and audit professionals.
I'm not going to even try to summarize all of the findings in the report here; instead I and other Business Finance bloggers will share our takes on the results (Chief Editor Peter Alpern discusses the report and gets Protiviti Executive Vice President Bob Hirth's take on the results) over the next few of weeks. Here, I want to point to a couple of important, high-level points contained in the report.
First, Sarbanes-Oxley compliance remains, for most publicly listed companies, major expense. These activities may not get the headlines that, say, cyber security breakdowns or Dodd-Frank practices receive, but they still qualify as a major component of most governance, risk management and compliance (GRC) programs.
Most companies now spend in the range of $100,000 to $1 million annually on SOX compliance-related activities, according to the report. More than 80 percent of small companies spend less than $100,000 annually, and nearly 70 percent of mid-sized companies spend less than $500,000 on SOX compliance.
Second, while the cost of compliance has certainly increased over the past several years, so have the benefits.
The study finds that the benefits of Sarbanes-Oxley compliance, which include stronger internal control environment as well as improved effectiveness and efficiency in operations, actually outweigh the cost of compliance in many companies. If you had told this to an internal auditor and a controller in 2002, 2003 0r 2004, they would have looked at you as if you were from Mars.