Section 404 of the Sarbanes-Oxley Act has resulted in unforeseen difficulties and excessive costs for companies, according to a member of the U.S. Securities and Exchange Commission. He said companies are paying 20 times more than expected to comply with section 404. According to InfoWatch, the effects of the Sarbanes-Oxley Act are unlikely to ease for the next 2-3 years at least.
Of all the aspects of the Sarbanes-Oxley Act, section 404 is particularly noteworthy due to the unanticipated consequences and costs it has had on companies. This was the opinion voiced by Paul Atkins, a member of the U.S. Securities and Exchange Commission, at the Securities Regulation Institute last month.
Paul Atkins, who stressed that the view was his own personal opinion, pointed out that for public companies to implement the conditions set out in section 404 they had to spend 20 times more than the planned sum of $94,000.
Specialists, who carry out the audits to check whether a company's internal security systems are sufficient to meet section 404, are afraid of being second-guessed. As a result the auditors tend to go overboard, checking and documenting tens of thousands of internal control measures, which is not only “inexpedient” but also contradicts auditing models based on risk.
Considering that the position of the SEC regarding section 404 has not changed, Paul Atkins doubts that any positive changes will be made to ease the regulatory burden this year.
The situation in the sphere of regulatory measures is a mixed bag. In some areas where the screws have been tightened, lawmakers have evidently been trying too hard. The proposal by an SEC subcommittee, for example, to ease the internal control measures of the Sarbanes-Oxley Act for smaller businesses seems perfectly sensible. It has already been reported that the SEC intends to exempt companies with “micro-capitalization” (less than $125 million) from the requirements for internal control audits. However, the measures governing company accounting that are linked to internal control will remain in place. A similar amendment has been formulated for small businesses (with a capitalization of more than $125 million, but not more than $700 million). The subcommittee recommended that auditors check the internal control measures in such companies, but not to carry out an audit.
It appears that the legislators have also gone too far in their regulatory measures for government agencies. Since the Federal Information Security Management Act (FISMA) was adopted back in 2002 not one ministry has been able to satisfy all its demands.
“The whole Sarbanes-Oxley Act, and section 404 in particular, is very severe. However, if the law is reformed, it has to be done very carefully. It is no secret that the measures of internal control stipulated in the Sarbanes-Oxley Act have been responsible for exposing a huge amount of financial fraud. Considering that the law is aimed at protecting the interests of investors and shareholders, I doubt that it will be possible to ease the pressure in the next few years or so,” says Denis Zenkin, marketing director at InfoWatch.
Source: SEC