Adrian Giles, senior partner of UK-based business venture specialists Venesis, examines how the Sarbanes-Oxley legislation will affect companies in the UK.
Regulatory compliance has always been an important part of the cost of running a business. Most market sectors, from healthcare and financial services to industrial manufacturing, are subject to compliance and regulation by legislation and statute laws that impose demands on how they should conduct business and clearly state the penalties for non-compliance.
However, against a wave of financial scandals driven by fraudulent accounting practices at major US corporations such as WorldCom, Enron and Tyco, the US Senate and House of Representatives passed the Sarbanes-Oxley Act on 30th July 2002 to restore investor confidence and underwrite the integrity of financial information. One of the key sections is Section 404. Although only 169 words in length, it lays out the requirement for the management of a US public company to report annually on the operational effectiveness of the company’s internal controls over financial reporting. Additionally, the company’s auditors must attest to and report on the management’s assertion over the effectiveness of internal financial controls. Consequently, the legislation has the potential to have a profound impact on the governance and behaviour of any business with a US listing, including 470 non-US companies.
What are the implications of the legislation?
Sarbanes-Oxley now places the responsibility and accountability for tracking information on all day-to-day activities that have an impact upon financial performance very clearly upon the shoulders of the management teams of those businesses, with teeth that do bite – the CEO and CFO can be fined up to £3 million, go to prison for up to 20 years or both.
Compliance with Section 404 requires that businesses now document and attest to the operational effectiveness of a wide range of processes that have an impact upon the accuracy of their annual financial performance and reporting. These include traditional financial processes such as accounts payable and receivables, but also those that have an indirect financial impact. For banking and financial institutions these include the processes around the movement of money and customer funds, such as direct debit, cheque clearing and the procedures for opening or closing accounts.
Even when using accepted standard frameworks such as COSO, developed by the Committee of Sponsoring Organisations of the Treadway Commission in the US, the complexity and rigour required to prepare a business for compliance with Sarbanes-Oxley are very high. The process is turning out to be far more difficult, time-consuming and expensive than originally forecast or budgeted for. The average cost of compliance with Section 404 for the first year alone for a major business in the UK is estimated to be between £10-20 million and to consume approximately 20 FTE-years of internal time.
Despite these huge costs, there are predictions that between 10-20 percent of the companies will fail to fully comply in the first year and will have to report that they have material weaknesses in their financial reporting processes. However, because all the Sarbanes-Oxley provisions are subject to further clarification by the SEC, there is an expectation that auditors will be less critical with their findings for this first year.
Through the preparation and readiness for compliance, many businesses have documented and tested hundreds, if not thousands, of controls. However, Sarbanes-Oxley also requires that this is not just a singular event and that compliance work must be performed on a continual basis to annually document and attest to the effectiveness of their internal controls. Indeed, Section 302 of the Sarbanes-Oxley Act sets out that the CEO and CFO are required to certify that the financial statements and other information that is included in each quarterly report are a true and accurate presentation in all material respects.
The experience of Venesis has highlighted that although almost all Sarbanes-Oxley programmes have been structured around using the COSO framework, too few businesses have really used the monitoring component of this internal control framework. Many are too focused on the detailed control activity and the level of detail documented for both the design and operational effectiveness of those controls. Far greater value could be achieved if they increased the focus upon monitoring transactions for control compliance.
In many ways this is not surprising: most businesses focused upon Section 404 compliance and meeting the initial deadline. Often in the haste to achieve compliance, many have taken a very granular bottom-up approach. Rather than taking more of an ‘end-to-end’ approach, being in the ‘weeds’ has often resulted in identifying far more controls than are necessary. This makes ongoing compliance more complicated and time-consuming.
What are the implications for UK corporates with US listings?
This first wave of preparation for Sarbanes-Oxley compliance is now completed, with the first US filings beginning to be made. For foreign companies listed in the US, the original date of 15th July 2005 has been extended by a further 12 months after pressure from Digby Jones of the CBI on the US Securities and Exchange Commission (SEC) to allow for additional time for UK businesses to prepare.
* There are 113 UK companies listed on the NYSE and NASDAQ. These include household names such as BT, Shell, BP, HSBC and Toyota, each facing ongoing compliance costs of tens of millions of pounds.
* Sarbanes-Oxley has a far-reaching jurisdiction, making it necessary for all foreign companies with a dual listing on a US exchange with 500 or more US-based shareholders to make themselves compliant.
* Corporate governance in the UK is moving towards a Sarbanes-Oxley type regime already, if a new white paper is any guide. The Company Law Reform White Paper has tougher penalties for accounting offences. Liability for breaches in legislation would be extended beyond directors and company secretaries.
* There is also speculation that the strict data protection laws in Europe may make compliance with Sarbanes-Oxley actually in breach of the Data Protection Act of 1998. UK companies that complete item 8.1 of the registration form for Sarbanes-Oxley – agreeing to provide information at any time in the future – are abusing data protection rights.
* In November 2004, Accountancy Age reported that between 10 and 20 major UK companies were considering delisting from either the NYSE or NASDAQ as a result of the rapidly increasing costs for compliance with Sarbanes-Oxley. Indeed, one of the highest profile delistings was Lastminute.com, which quit the NASDAQ in August 2004. Sir Christopher Bland, chairman of BT, said there was no chance of BT delisting from the US stock market and “we’ve just got to grit our teeth and get on with it”.
* The emergence of Sarbanes-Oxley and other regulations such as HIPAA, the Gramm-Leach-Bliley Act and the US Patriot Act has moved governance, risk and compliance to the forefront for businesses both in the US and worldwide. This new regulatory environment is onerous for all businesses regardless of geography, as many do not have the infrastructure in place to handle the costs of complying.
* UK banking and capital markets are facing similar levels of regulation with Sarbanes-Oxley style compliance with the emerging presence of the Basel II accord and Solvency II in Europe.
For more information visit www.venesis.com
•Date: 6th May 2005 •Region: UK •Type: Article •Topic: Operational risk