SOX clock ticking for businesses

The Sarbanes-Oxley Act has kicked in for non-U.S. companies, and those that prepared early may breathe easier when the time is up.

Like it or not, the clock is ticking away for non-U.S. companies that need to be compliant to one of the most talked-about elements of the Sarbanes-Oxley Act established in 2002.

With the passing of the critical July 15 milestone for foreign companies listed in the United States to be compliant to Section 404 under the Sarbanes-Oxley (SOX) Act, they now have anything from a few weeks to nearly a year to meet the regulations or face the consequences. Under Section 404, publicly traded companies must have internal policies and controls in place to protect, document and process information for financial reporting.

The law requires affected businesses to comply by the end of their respective financial year after July 15, 2006. The date is an extension of the original deadline of July 15, 2005, set by the U.S. Securities and Exchange Commission. Public U.S. companies were required to be compliant in November 2004.

For most non-U.S. companies, the journey would have started in 2004, noted Philip Chong, director at Deloitte & Touche Enterprise Risk Services. Businesses would also have started "thinking about assessing and implementing internal controls" about 12 months ago, he said.

Pulling their SOX up
For software giant SAP, the process of becoming compliant stretched over a few years. Dirk Metzger, head of risk management at SAP Asia-Pacific, told ZDNet Asia in an e-mail that the Walldorf, Germany-based company began its SOX journey way back in 2002.

Besides involving process owners, SAP also appointed SOX champions, who handle SOX 404 related tasks such as effectiveness testing, said Metzger. Some 30 business units and 30 process groups were involved in the different project phases, each of which stretched "from 300 to 6,000 man-days", he added.

The software giant, he noted, also worked towards embedding SOX-required internal controls elements into SAP's risk management function, which is based on the COSO Enterprise Risk Management Framework.

"SAP grew the SOX 404 risk evaluation process over internal controls of financial reporting into a holistic Enterprise Risk Management function, and is currently developing a consolidated compliance and governance framework for the entire corporation," said Metzger. "A direct reporting line to the executive board was established and an issue evaluation committee was set up, dealing with findings from SOX 404 testing and audits, thus giving the SOX topic top management exposure and attention."

According to Metzger, SAP is now undergoing half-year SOX 404 audits by its external auditor KPMG, and expects to obtain the first certification of compliance early next year.

At Nasdaq-listed Pacific Internet (PacNet), preparations for SOX-compliance commenced in mid-2004. Its CEO and president Phey Teck Moh noted that the company, whose current financial year will end on Dec. 31, 2006, would meet the requirements at the end of this year.

The Singapore-based ISP put together a leadership team to manage the process, and placed country managing directors and financial controllers in charge of their respective areas. Dedicated work teams were set up in some country offices to work on achieving compliance. PacNet estimates that over 30 percent of its employees--dedicated resources or otherwise--have been involved in the compliance work so far.

The project has been intensive "in terms of resources and commitment", but it has also benefited the company, Phey added. "The compliance process has given us the opportunity to further enhance our financial controls, which has strengthened and improved our business processes," said Phey.

Better late than never
Jeffrey Hoo, services and management systems field director at Symantec's regional product marketing division, noted that companies that are affected by the SOX Act already have processes in place and are working toward their compliance deadlines.

Hoo noted that companies in the banking and finance industry are more experienced, as "compliance is an everyday affair", unlike businesses in other industries which require more work to be done. "A lot of time is spent defining the policies and processes, before going into the use of technology and getting people to understand and cooperate to comply," he said.

In the Asia-Pacific region, Australia, Hong Kong and Singapore "are known to many as major financial hubs and they take compliance seriously", said Hoo. These countries lead the way in terms of getting SOX-compliant, he added.

Deloitte & Touche's Chong pointed out that there are those, however, who choose to wait till the last minute to get their compliance act together. With an "immovable deadline", those that start late need to "put in more commitment from management" as well as pump in more human resources, he said.

Symantec's Hoo agreed, saying that top management need to offer their "full support for compliance" and view it "as a 'must have' and not [just] 'good to have'".

Hoo added that for late movers, a good place to start would be to read up on the ISO 27001 and ISO 17799 standards, "which provide very comprehensive guidelines on what and how to do". Companies should also find out what available tools there are in the market that "can automate repeatable IT related tasks to keep the compliance cost manageable", he said.

At the end of the day, there is simply no room to fall short of the requirements. Failure to comply "is not an option", said Deloitte & Touche's Chong. The [U.S.] SEC (Securities and Exchange Commission) "takes a serious view" of non-compliance, and such a situation would also "cause investors to lose faith" in the company, he added.