The cost of compliance may be balanced by improved efficiency and quality.
By Tom Connors
At my peril, I frequently ask senior decision makers how much Sarbanes-Oxley legislation (SOX) has benefited their companies. Because of the recently proposed management guidance from the U.S. Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board’s (PCAOB) proposed changes to their audit standard, AS 2, I have had several such SOX conversations in recent weeks.
These conversations can be risky given that members of the business community continue to express substantial concern about the onerous burdens of SOX compliance—from the costs borne by individual companies to the specter of long-term detriment to our economy.
The reality is that nobody volunteers to be regulated, and new regulations, especially those as extensive as SOX, usually meet with significant resistance. In fact, complaints similar to those currently heard about SOX were expressed when the Securities & Exchange Act of 1933 was passed. Then, as now, the rules were designed to restore investor confidence in the wake of corporate scandals. As you know, the Act of 1933 went on to become an important aspect of our capital markets. In my opinion, SOX has the opportunity to do the same. Rather than being an onerous burden, SOX compliance can be the first step in a larger journey towards improved governance, risk and compliance (GRC), which can enhance performance and drive value over the long term.
One can think of SOX as perhaps the largest quality improvement initiative ever undertaken by corporate America. It is clear that those companies that aimed for only a “passing grade” got what they asked for and generally did not realize the same value as those that saw SOX as a broader opportunity for improvement.
Our firm has seen a number of convincing examples of SOX providing significant improvements in the quality of financial and other operational processes and information. I’ll cite a few:
Standardizing/Eliminating Variation
The elimination of variation is a common theme of most quality improvement initiatives, but variation remains a key source of inefficiency and risk at most organizations. SOX magnified variation risk and allowed organizations to standardize everything from invoice processing to systems change management, reducing risks and improving efficiency and service levels.
Shared Services/Outsourcing
Greater standardization led many organizations to realize that many uniform processes could be performed by centralized resources (a.k.a. shared services), resulting in risk reduction and efficiency improvements. Some organizations have been able to achieve still further efficiency through outsourcing these shared service operations (in some cases offshore).
On the other hand, SOX also required many organizations to re-evaluate their third-party providers from a risk perspective, including their ability to provide independently audited reports of controls at the third party (SAS 70 reports). In some cases, this process revealed control deficiencies at third parties that required immediate attention. In others, it led to implementation of more formal monitoring mechanisms, such as formal service-level agreements and stronger auditing requirements, which ultimately strengthened third-party performance.
We frequently hear that some of the primary benefits resulting from SOX compliance efforts are softer benefits, such as improvements in governance practices; documentation and understanding of key processes; and awareness, understanding and appreciation of controls. While it is clearly more difficult to establish a direct return on investment for these improvements, the clear connection between effective GRC and long-term value creation has been borne out in numerous studies. Perhaps none is more compelling than a study, dated September 2006, by Governance Metrics International (GMI). Evaluating five-year average governance ratings across its population of worldwide companies, GMI noted that companies ranked in the top 10 percent of governance ratings outperformed those in the bottom 10 percent of ratings by a whopping 56 percent in average return on equity.
Most companies that have already complied with SOX now have an opportunity to start with a blank sheet of paper and aim for value in addition to being able to “check the box.” The next time you hear someone grousing about the cost of SOX, I hope you will be armed to discuss the other side of the argument. In light of all the rhetoric, though, use extreme caution!
Tom Connors is a Partner at Deloitte & Touche LLP. He can be reached at tconnors@deloitte.com.