One of the most challenging aspects to Sarbanes-Oxley compliance is that the legislation is a moving target. If you're compliant now, the winds of business change may place you out of compliance in a few months.
"Companies are getting a false sense of security: They think they've reached a sustainable level of compliance-and then they do a merger or acquisition," says Michael Kuhbock, founder and co- chair of the Integration Consortium, a non-profit coalition of technology companies, academic institutions and other interested parties that share information in a noncompetitive environment to foster a deeper understanding of the fluid nature of business, technology and integration. Its members include American Express, Oracle, Intuit, Pacific BlueCross, the Insurance Technology Group, Boston Corporate Finance and dozens of others from industry and government.
The consortium is teaming with the Avalanche Corporate Technology Cooperative, a private cross-business intellectual property exchange, on a Sarbanes-Oxley compliance project. Kuhbock envisions the project as a forum for firms to share information that can bring compliance knowledge to light, and save costs and legal headaches at the same time. "If we can work collaboratively together in a safe harbor, we can create a synergistic environment," he says.
The project hopes to lower the cost of compliance by reducing the effort needed to create new controls, documentation and assessment procedures and by reducing efforts required by external auditors in auditing controls. It will also create a framework that will lead to better control and accuracy of public reporting and reduced risk in financial reporting. Additionally, it hopes to foster an environment that's more complete, better documented and easier to audit. The aim is to create the SOX Integration Framework, which is part standards, part best practices.
Part of the thinking behind the cooperative is that there's still no clear blueprint for how to comply with the law, but many firms-either in the technology business, law, finance or other industries charged with abiding by the legislation-have nuggets of knowledge that can benefit everyone without giving away a competitive advantage. "No one has full control over the direction of where [SOX] is going," Kuhbock says.
The cooperative's members expect to share information leading to a list of successful strategies in meeting new requirements for the financial reporting controls required by the law. Participants will create common frameworks and content for controls definition, documentation, testing and monitoring. Members are putting out the call for more participants from across various industries to assist in identifying and delivering risk, control and assessment documents from their own Sarbanes-Oxley regulation and compliance audit experiences.
These materials, along with industry-specific reference models of monitoring preferences, will be gathered and stored in the Avalanche Repository. Members can access the repository to identify and manage efforts to fill gaps, disclose tools and support other participants' efforts to create compliance control environments.
Sustainability is one of the largest challenges in compliance, since what it means to be in-line with the law changes as business conditions change, with a merger being just one example. "It's a major moving target and a major expense," Kuhbock says.
Kuhbock says one hopeful benefit of the collaboration is a platform to learn from the mistakes and successes of other companies. "No one knows that they don't know," he says. "It's like walking into a jungle without knowing where you're going," he points out.
Jay Hansen, CEO of Avalanche, says companies are shelling out big bucks in an attempt to comply with Section 404 of the legislation, which goes into effect in November. Section 404 requires insurers' annual reports to include an "internal control report," which states the responsibility of management for establishing and maintaining an adequate internal control structure and procedure for financial reporting. As of the end of each fiscal year, firms must also convey how they are containing and assessing the effectiveness and procedures of internal control structures. Additionally, each issuer's auditor must attest to, and report on, the assessment made by the management of the issuer. To say the law is complex-and expensive to adhere to-is to understate.
Hansen says companies with more than $5 billion in revenues could spend more than $4 million, while firms with revenues under $5 billion could spend up to $2 million to adhere to Section 404. "There is value in structured collaboration," Hansen says. "By combining efforts between companies, the overall cost of compliance can be cut down."
The collaboration is still in the development stages, so a full picture of adoption is yet to emerge, though given the importance of the legislation, Kuhbock and Hansen are hopeful. A Webinar and a half-day on-site demonstration are both scheduled for the fall. "Financial institutions are public; they have to comply," Kuhbock says. "There's no place for anybody to go."
