RealTime IT News

Work Remains for Sarbox Compliance

Businesses have a lot of work ahead of them before they're fully compliant with federal data retention and financial reporting rules under the Sarbanes-Oxley Act, a new study concludes.

The survey, co-funded by PricewaterhouseCoopers and compliance software vendor Virsa, said businesses that hit their marks during the first year of reporting under the new law.

But the survey, published today, also found that many are struggling to implement automated business controls for staying in compliance.

Doug Laird, Virsa's senior vice president of marketing, said for many, the cost of compliance is too high and still involves manual effort, rather than automated systems.

"What everyone did was the sprint to get compliant, whatever it took. But it's not a one-off thing, it's an every year sort of thing," he said. "People are looking for systems and automation that will allow them to become compliant. They're looking for help in doing that."

As internetnews.com has reported, the so-called Sarbox regulation was created to provide control over corporate governance, disclosure and financial accounting in the auditing community after the Enron and WorldCom financial scandals led to billion-dollar losses. The corruption affected financial markets and investor trust.

As a result, the law mandates that publicly traded corporations submit an assessment of their internal financial auditing controls to the Securities and Exchange Commission (SEC). In addition, each company's external auditors are required to audit and report on the internal control reports of management, in addition to the company's financial statements. Failure to meet reporting criteria can lead to hefty fines or even jail time.

Monday's study, conducted by CFO Research Services, surveyed 180 senior finance executives in the U.S. and around the world about their data retention and reporting efforts.

Fifty-eight percent said they plan to focus on adding more business controls, such as data storage and transaction-processing controls.

Almost two-thirds of the survey discovered potentially damaging control weaknesses during the process of becoming Sarbanes-compliant.

More than 40 percent of those surveyed have implemented security and access controls in their networks. More than 20 percent said they plan to automate that process. About 45 percent said they don't have security for access controls in place but plan to within six months.

On the "to-do" list for almost 40 percent of the respondents is an automated information retention and reporting structure; currently, about 20 percent actually have such automation in place.

Half of those surveyed agreed that perceptions of loose governance or poor controls by investors translates into a lower share price on the stock market. But Sarbanes-Oxley compliance isn't cheap.

While automating compliance and control efforts are a high priority with roughly 30 percent of those surveyed, 45 percent called it a moderate priority to get something in place in the next 12 months.