Sarbox Isn't Just For The Big Guys

Technology has been at the forefront of Viper's compliance initiatives. It uses radio-frequency identification tags to track products and their costs during the assembly process. Data collected from the RFID tags is used in calculating financial metrics such as real-time productivity and inventory. That data is crucial for validating, monitoring, and auditing Viper's business processes and internal controls for 404 compliance. "At the end of the day, I can look at items like cost of goods sold, which goes right to the financial statements," Lowenthal says.

Business-process improvements are at the heart of Sarbanes-Oxley, he says. "You can have strong internal financial-reporting controls and weak business-process controls." For example, in a supply-chain system, it's vital to know who has access to the price list. "If a number of people can change prices, and there's no external review, then that's a weak business control."

Section 404 is the part of Sarbanes-Oxley that produced such pain for public companies in 2004, and it's the costliest to implement. Compliance costs vary by company size. The accepted rule of thumb is that companies will spend $1 million on compliance for every $1 billion in revenue.

In a survey of 68 private companies and nonprofit organizations conducted in January by law firm Foley & Lardner LLP, respondents expected to spend, on average, an additional $138,000 this year as a result of corporate-governance initiatives adopted in response to Sarbanes-Oxley, an increase of 34% over what they would have spent without the regulations.

Twenty-eight percent of those surveyed also said the costs of compliance outweigh the benefits. Many of them were pressured into compliance by board members and auditors. But 29% said the benefits outweigh the costs, up from 23% of those surveyed a year earlier.

At an SEC roundtable in April, executives vented their frustrations at the high first-year costs of section 404 compliance. The commission issued a statement recommending that management and auditors apply "reasoned, good-faith judgment" toward improving internal controls as opposed to "a one-size-fits-all, bottom-up, check-the-box approach that treats all controls equally." The statement added: "Particular attention should be paid to making sure that implementation of section 404 is appropriately tailored to the operations of smaller companies."

For some small, private companies, Sarbanes-Oxley has become a factor in deciding whether to go public. Some choose to be acquired or stay private rather than incur the overhead of compliance. "The concept of one-size-fits-all is flawed," says Ted Schlein, managing partner at venture-capital firm Kleiner, Perkins, Caufield & Byers, who serves on an SEC advisory committee on the impact of Sarbanes-Oxley on smaller companies. "It's like using a sledgehammer on a pin."

It isn't just small companies that are affected, though. In the insurance industry, regulators are debating whether to mandate Sarbanes-Oxley compliance for private insurers. Northwestern Mutual is taking no chances; it intends to be compliant by next year, CIO Barbara Piehler says.

North Carolina's State Employees' Credit Union, with $12 billion in assets, has voluntarily complied with some Sarbanes-Oxley provisions such as formally adopting a corporate-governance policy, adding compliance language to the audit committee charter and employee code of ethics, and implementing whistle-blower provisions. "We will continue to enhance transparency of operations and financial reporting whether or not legislative action requires us to do so," said Randy Partin, senior VP of internal audit, in a statement issued in May when the credit union revealed its Sarbanes-Oxley plans.

But those provisions are relatively easy to implement compared with section 404. In a survey early this year of 91 publicly traded community banks that the Independent Community Bankers Association of America conducted, respondents said they expect to spend $200,000 on average on section 404 compliance during 2005, the first year of compliance for nonaccelerated filers. The banks had average assets of $482 million--about the amount that a major bank could be expected to spend on Sarbanes-Oxley compliance. Asked when they expect to deploy a permanent software-based system for 404 compliance, 50 banks said they didn't know. Of the other 41, seven had deployed a system last year and 25 planned to deploy one this year.

What can't be done with software has to be done manually. Survey respondents said they expect to dedicate more than 2,000 staff hours and document 78% of their internal controls to comply with section 404.

When layered on top of other banking regulations, Sarbanes-Oxley could drive some small banks out of business, TowerGroup analyst Craig Focardi says in a report. He suggests that smaller banks concentrate testing and documentation resources on business processes that are mission critical or account for the largest portion of revenue.

Venture capitalist Schlein advocates adopting different levels of section 404 compliance based on company size. "As companies mature," he says, "that's where more governance is needed."

Continue to the sidebar:
Snapshot: Private Adopters Are Bigger And Faster Growing