Final countdown to Sarbanes-Oxley compliance

Now the 15 July milestone has passed, companies will soon have to comply with the regulations or meet the consequences

Like it or not, the clock is ticking for non-US companies that need to be compliant to one of the most talked-about elements of the Sarbanes-Oxley (SOX) Act established in 2002.

With the passing of the critical 15 July milestone for foreign companies listed in the US to be compliant to Section 404 under SOX, they now have anything from a few weeks to nearly a year to meet the regulations or face the consequences. Under Section 404, publicly traded companies must have internal policies and controls in place to protect, document and process information for financial reporting.

The law requires affected businesses to comply by the end of their respective financial year after 15 July, 2006. The date is an extension of the original deadline of 15 July, 2005, set by the US Securities and Exchange Commission (SEC). Public US companies were required to be compliant in November 2004.

For most non-US companies, the journey would have started in 2004, noted Philip Chong, director at Deloitte & Touche Enterprise Risk Services. Businesses would also have started "thinking about assessing and implementing internal controls" about 12 months ago, he said.

For software giant SAP, the process of becoming compliant stretched over a few years. Dirk Metzger, head of risk management at SAP Asia-Pacific, told sister site ZDNet Asia in an email that the company began its SOX journey way back in 2002.

Besides involving process owners, SAP also appointed SOX champions, who handle SOX 404 related tasks such as effectiveness testing, said Metzger. Some 30 business units and 30 process groups were involved in the different project phases, each of which stretched "from 300 to 6,000 man-days", he added.

The software giant, he noted, also worked towards embedding SOX-required internal controls elements into SAP's risk management function, which is based on the COSO Enterprise Risk Management Framework.

Metzger said: "SAP grew the SOX 404 risk evaluation process over internal controls of financial reporting into a holistic Enterprise Risk Management function, and is currently developing a consolidated compliance and governance framework for the entire corporation. A direct reporting line to the executive board was established and an issue evaluation committee was set up, dealing with findings from SOX 404 testing and audits, thus giving the SOX topic top management exposure and attention."

According to Metzger, SAP is now undergoing half-year SOX 404 audits by its external auditor KPMG, and expects to obtain the first certification of compliance early next year.

At Nasdaq-listed Pacific Internet (PacNet), preparations for SOX-compliance commenced in mid-2004. Its CEO and president Phey Teck Moh noted that the company, whose current financial year will end on 31 December, 2006, will meet the requirements at the end of this year.

The Singapore-based ISP put together a leadership team to manage the process, and placed country managing directors and financial controllers in charge of their respective areas. Dedicated work teams were set up in some country offices to work on achieving compliance. PacNet estimates that more than 30 per cent of its employees - dedicated resources or otherwise - have been involved in the compliance work so far.

The project has been intensive "in terms of resources and commitment" but it has also benefited the company, Phey added. "The compliance process has given us the opportunity to further enhance our financial controls, which has strengthened and improved our business processes," said Phey.

Jeffrey Hoo, services and management systems field director at Symantec's regional product marketing division, noted that companies which are affected by the SOX Act already have processes in place and are working toward their compliance deadlines.

Hoo said companies in the banking and finance industry are more experienced, as "compliance is an everyday affair", unlike businesses in other industries where there is more work to be done. "A lot of time is spent defining the policies and processes, before going into the use of technology and getting people to understand and co-operate to comply," he said.

Deloitte & Touche's Chong pointed out that there are those, however, who choose to wait till the last minute to get their compliance act together. With an "immovable deadline", those that start late need to "put in more commitment from management" as well as pump in more human resources, he said.

Symantec's Hoo agreed, saying top management needs to offer "full support for compliance" and view it "as a 'must have' and not [just] 'good to have'".

Hoo added that for late movers, a good place to start is to read up on the ISO 27001 and ISO 17799 standards, "which provide very comprehensive guidelines". Companies should also find out what tools are available in the market that "can automate repeatable IT related tasks to keep the compliance cost manageable", he said.

At the end of the day, there is simply no room to fall short of the requirements. Failure to comply "is not an option", said Deloitte & Touche's Chong. The [US] SEC "takes a serious view" of non-compliance, and such a situation would also "cause investors to lose faith" in the company, he added.

Vivian Yeo writes for ZDNet Asia