Few small, midsize businesses aware of Sarbanes-Oxley compliance requirements, Yankee Group finds
Boston, February 18, 2004. Small and midsize businesses (SMBs) are largely unaware of the looming requirements of the Sarbanes-Oxley (SOX) Act, and few are taking steps to upgrade their information technology infrastructure to comply with the act, according to a new survey from IT research firm Yankee Group.
Yankee's 2003 SMB Applications and Web Survey revealed that only 5 to 16 percent of small and midsize businesses plan to upgrade or purchase software because of their need to comply with SOX, underscoring a lack of awareness among these firms. At the same time, only 10 to 26 percent of SMBs indicated that having to comply with federal regulations such as Sarbanes-Oxley was a major challenge.
Yankee concludes from its survey that most SMBs are not aware of the rippling effects of the act on their businesses, or of the potential business risks of non-compliance with Sarbanes-Oxley. "This is particularly important because these companies comprise nearly 50 percent of the total employers in the United States," Yankee reported.
Congress passed the Sarbanes-Oxley Act in July 2002 following a series of high-profile corporate flameouts such as Enron and WorldCom. Under the Act's section 302, which is already in effect, CEOs and chief financial officers must certify their companies' financials are accurate and complete.
Section 404 requires that the CEO, CFO and outside auditors attest to the effectiveness of the internal controls that affect the financial reporting process. Compliance deadlines for Section 404 are June 15, 2004, for large public companies with a market capitalization of $75 million or more, and April 15, 2005, for smaller businesses and foreign-owned companies.
Yankee noted that complying with SOX is a responsibility too big for one person to handle. It requires involvement from the CEO, CFO, legal, finance, IT and perhaps consultants to form a cross-departmental task force that will sift through the SOX rules and define and establish the corporate policies needed to comply; assess the integrity of each information source and each step of the internal process and workflow that feeds into the company's financial reports; and analyze the current IT infrastructure to examine the technology used to produce financial reports.
Any internal process that can generate risks for the company must be fixed. Yankee asserted that while, to most businesses, Sarbanes-Oxley is a bugbear, ultimately firms will benefit greatly from increased financial accountability, real-time reporting and accuracy. Under Section 409, companies must disclose in real time any material change to company revenues. While the definition of real time is in debate, analysts expect it to be anywhere from two to five days.
Compliance requires that firms safeguard their infrastructures and processes against accounting errors and deceptive procedures that call into question the integrity of the firm's financial data. Companies must have a transparent and documented audit trail that shows where the data came from, where the data went to, and who approved the data's accuracy as it funneled through the business.
Perhaps most importantly, Yankee points out that SOX compliance, unlike Y2K, will be an ongoing effort.
Yankee offers several recommendations for SMBs, including the suggestion that they determine policies before buying technology. "The goal of SOX is to raise the bar on corporate governance and accountability," Yankee wrote. "Buying the latest software and hardware and performing systems integration won't be good enough if the underlying financial reporting internal controls are flawed and inaccurate. Firms should view technology as an enabler of compliant policies rather than the cure itself."