Is your business exempt from Sarbanes-Oxley (SOX) external audit review? If so, that exemption may actually cost your business as much as it saves, according to a recent study published in late June by notable academic institutions.
The study, led by academics at the University of Washington and Georgetown University, found that while exemption from SOX auditing can benefit businesses financially — by way of avoiding steep audit fees — it can also cause businesses to incur even costlier expenses from misreporting, including:
- Lower operating performance due to non-remediation
- Market values that fail to reflect a firm’s underlying internal control status
What is the SOX Act?
The Sarbanes-Oxley (SOX) Act was passed by U.S. Congress in 2002 to help curb fraudulent accounting activity by corporations.
More specifically, provision 404(a) of the SOX Act requires organizations to establish internal accounting controls and reporting methods, while section 404(b) requires external auditor oversight of firms’ internal control over financial reporting
Companies with less than $75 million in market capitalizations have been permanently exempt from 404(b) since 2010, thanks to the Dodd Frank Act — a reprieve small businesses were granted for fear they wouldn’t be able to shoulder the burden of costs associated with compliance.
SOX Compliance and the Cost of Exemption
However, the burden of compliance might be one worth shouldering, according to the study, which is entitled The benefits and costs of Sarbanes-Oxley Section 404(b) exemption: Evidence from small firms’ internal control disclosures. The study was based on a sample of more than 5,300 exempt organizations and annual observations from 2007 to 2014.
It certainly confirms that audit fees are no small expense — with audit fee savings amounting to an estimated aggregate of $388 million for those exempt firms evaluated during the seven-year analysis. Still, the study found the cost of 404(b) exemption to be much greater than the savings.
From 2007 to 2014, the study’s sample firms lost out on tremendous potential future earnings — estimated at $856 million in aggregate — because they didn’t properly remediate their internal controls. Further, they experienced an additional $935 million in delayed aggregate market value because of untimely internal control disclosure.
Ultimately, the study determined, “Section 404(b) exemption is costly to the extent that it results in firms’ failure to discover or disclose ineffective internal controls (e.g., misreporting).” The two main losses that stem from misreporting — as mentioned above — include lower operating performance due to non-remediation and market values that fail to reflect a firm’s underlying internal control status.
Technology Solutions and SOX Compliance
In conclusion, the consequential misreporting that occurs because of either non-compliance or a lack of oversight with accounting controls and reporting methods can be costly. These costs of course don’t even account for the penalties and fines incurred by the larger organizations that do actually have to comply with SOX 404(b).
For this reason, larger companies turned to technology for help when the requirements were put in place. In fact, the SOX Act generated a huge increase in the provision of software to support the requirements of the act — costly and cumbersome software that is now antiquated and can’t support the evolving nature of the requirements or companies’ changing needs.
However, in the last several years, new SaaS technology has been developed to help address internal accounting controls and reporting methods–proving to be quicker, more secure and more effective, with reduced internal support required. Even risk management technology can now integrate solutions for resolving such issues.
This means the technology is accessible to large and small organizations, alike — regardless of whether SOX 404(b) compliance is required or not — and at a fraction of the costs that stem from misreporting.
Are you interested in learning more about how risk management technology can solve your SOX compliance or audit woes? Read more about Riskonnect’s Sarbanes-Oxley SOX solution.