Sarbanes Oxley compliance becoming easier

Firms are improving their Sarbanes Oxley compliance activities

US companies are improving their compliance to the Sarbanes Oxley act, according to new research released this week.

The Sarbanes Oxley legislation was signed into US law on the 30th July 2002 after data scandals such as those involving Enron, Tyco International and WorldCom, created a need for corporate governance. The Act imposed regulatory requirements on enterprises and established stricter reporting processes and increased transparency.

Compliance Week, a US corporate governance newsletter, has released data showing a 44.2 per cent drop in compliance weaknesses from two years ago.

From 15th November 2004 to 15th November 2005 there were 624 weaknesses disclosed, whereas from 11th October 2006 to 11th October 2007, only 348 weaknesses were reported. Compliance week conducted its research using data from 97000 publicly listed companies.

Matt Kelly, Compliance Week managing editor, said the decrease in breaches is a consequence of companies “learning the ropes.”

Costs have also reduced because of the introduction of compliance systems, Kelly explained. At first companies tended to hire out outside consultants to handle audits but now tasks are brought inside to corporate staff, Kelly said.

Also businesses are bringing in controls to satisfy a number of regulations at once, a practice Kelly calls “control mapping.” For example a business will bring in data privacy rules to fulfil both finance and healthcare types of regulations.

However Kelly expects different results next year because small companies will start their Section 404 compliance for the first time. Until now, “most small filers (the large majority of public companies in the US) have been whistling in the dark about Sarbanes-Oxley, somehow hoping it would just go away for them,” Kelly added.

Section 404 of the Sarbanes-Oxley Act requires publicly-traded companies to maintain internal controls of financial reporting processes, such as the General Computing Controls, which are assessed by auditors during annual 404 audits.

Small companies needing to fulfil new compliance rules will cause more 404 weaknesses to be disclosed in total, Kelly believes. “But there is likely to be a clear break between large companies experienced with SOX, who will probably keep improving and small companies still learning the ropes and finding lots of errors,” Kelly added.

David Rae, deputy editor at UK publication Financial Director, pointed to the not quite as onerous regulation laws in the UK; Combined Code. Rae predicts that now companies have got systems in place to implement compliance rules, there will be a similar decrease in breaches in the UK.