Cutting Sarbanes-Oxley costs without cutting compliance.

• Author: Heffes, Ellen M.
• Position: Financial REPORTING

Since it was passed, the cost of complying with the Sarbanes-Oxley Act of 2002 (and its associated rules and standards) has been a source of consternation for executives at many public companies. Costs have settled a bit now, but still remain too high in the minds of many executives and boards. Deloitte estimates that current compliance costs roughly correlate to a company's gross revenues--about $1 million in expense per $1 billion in revenue.

Exacerbating the issue are the realities of the business environment and expectations placed on senior executives--especially CFOs--to achieve lean operations through aggressive structural cost-cutting. Compliance-related expenses are seen by many as placing U.S. companies at a competitive disadvantage; as such, reducing related costs is on the agenda of many top executives and boards.

Thus, CFOs may find themselves in a quandary: cutting costs may jeopardize compliance, upset their audit committee or cause a material breakdown in controls; while ignoring costs may displease their management, worry stakeholders and analysts and kill the ability to enhance the company's competitiveness.

Control Rationalization

One approach can be found in the concept of Control Rationalization. Control Rationalization (CR) starts with identifying the most effective and efficient controls needed to achieve compliance and streamline efforts. For these controls, risk-based considerations are used to drive efficiency in testing. Early steps include detecting and eliminating unnecessary controls. Equally important, opportunities for improving control design and automating manual controls are targeted.

The program is based on two principles: a top-down, risk-based approach and a lean and balanced control design. A top-down, risk-based approach is founded on the notion that not all accounts, transactions and risks are equally important. One should not only consider the relative significance of these items, but also factor in some related concerns, including the nature of the business; the inherent riskiness of transactions, processes, controls and technologies and the effectiveness of the organization's human resources.

A lean and balanced control design emphasizes a holistic view in the design and application of controls. Early on, some companies initiated their compliance efforts with a bottom-up approach, treating all controls as equal, regardless of the underlying risk profile. They tested a large number of controls at...