As the initial June deadline for complying with the Sarbanes-Oxley Act nears, publicly traded companies across the United States are scurrying to deploy software packages that will put them in compliance.
Not surprisingly, IT departments view the act as an opportunity to show their impact on the company’s bottom line by helping forge tighter links between business processes and technology. However, the compliance process is turning out to be more costly and time-consuming than originally expected, and in many cases, according to at least one study, companies are not turning to their IT departments to manage compliance.
The law, officially known as the Public Company Accounting Reform and Investor Protection Act and enacted in July 2002, requires companies to make new disclosures on internal controls, ethics codes and the makeup of their audit committees on annual reports.
The act is better known by its nickname, after its co-sponsors, Sen. Paul Sarbanes, D-Md., and Rep. Michael Oxley, R-Ohio, who chair the House-Senate conference committee meeting on corporate accounting reform. The initial phase of the act focuses on Section 404, which requires companies to perform a self-assessment of risks for business processes that affect financial reporting.
Public companies with market capitalizations of $75 million or more must be in compliance with Section 404 for their fiscal year ending on or after June 15. Smaller companies have until the fiscal year ending on or after April 15, 2005, to comply.
But according to several large companies embroiled in the process, compliance isn’t turning out to be quick or cheap.
Tom Martin, audit operations manager for Boise Cascade Corp., in Boise, Idaho, estimates that his company will spend about $7 million a year on Sarbanes-Oxley compliance, including 20,000 auditor-hours this year, after recording 17,000 auditor-hours on Sarbanes-Oxley compliance last year.