SEVEN YEARS LATER: SARBANES-OXLEYS EFFECT ON THE ORGANIZATION

Benny R. Zachry, DBA Professor of Accounting Nicholls State University P. O. Box 2015 Thibodaux, LA 70310 985-448-4186 Benny.Zachry@nicholls.edu Sam Riner, DBA Associate Professor of Accounting Southern Arkansas University Magnolia, AR 71753 Jenny Simon, MBA Nicholls State University

ABSTRACT Any new law enacted that a company or organization must abide by usually comes with many changes and costs in order to follow the law properly. One of the more recent laws that companies are being faced with, and have spent billions to ensure compliance with is the Sarbanes-Oxley Act of 2002. Its main purpose was to address accounting flaws; however, all segments of the organization are feeling the effects of the Act. The purpose of this paper is to illustrate that not only have accountants and auditors been impacted by the passage of SarbanesOxley and the creation of the Private Company Accounting Oversight Board, but how many individuals and subunits within the organization have been impacted over the past seven years. Specifically, this paper addresses which organizational departments are being affected and what they are doing in order to ensure proper compliance with the new law.

Seven years have now passed since the Sarbanes-Oxley Act (SOX, the Act) was signed into law. As with any new law that a company or organization must abide by, passage of SOX came with many organizational changes and added costs in order to properly follow the law. Nationally, these costs are now purported to be in the billions. While most know that SOXs main purpose was to address accounting flaws; no one could have anticipated the far-reaching impact that SOXs passage has had on accounting and auditing issues. And what many do not know is that all segments of the organization have felt the effects of the Act. Thus the purpose of this paper is to illustrate that not only have accountants and auditors been impacted by the passage of the SOX and the creation of the Private Company Accounting Oversight Board (PCAOB, the Board), but also many individuals and sub entities within an organization have also been --and continue to be-- greatly impacted. This paper will address specifically which

organizational departments have been affected and in what way, and what these departments have done in order to ensure proper compliance with the new law. By taking a critical look at those individuals and subunits within an organization that have been affected by SOX, a clearer understanding can be had about the specific changes that

have been made within organizations and departments as they have attempted to comply with the Act. Research has shown that not only do many of their daily job functions change, but also their line of reporting may change, and even entire systems of record keeping may have been affected. It is also evident from this research that, indeed, not only have accountants been impacted by the passage of the Act, but also many other individuals involved with the organization. Specifically this paper will discuss new responsibilities of top executives, human resources (HR) departments, Information Technology (IT) departments, as well as those overseeing risk management, company travel, and stewardship of company assets, since these areas particularly have been hit hard with the many changes required due to passage of the Act. This paper will also highlight areas where more up-to-date research is needed. OVERVIEW In July 2002 the Sarbanes-Oxley Act was signed into law, thus attempting to address numerous flaws in the way some publicly traded companies have been reporting their financial information for years. SOXs main purpose was to restore the publics faith in Americas

business professionals and the accounting profession (Spurzem, 2003). Without totally rehashing the history of the Act, I will summarize the events thus far: SOX was passed as a reaction to the accounting and auditing scandals at Enron and WorldCom. Volumes have been previously written about those events, and thus will not be regurgitated in this paper. According to a June 2003 study by Deloitte & Touche (2003), Sarbanes-Oxley codifies the view that company management (1) should be aware of material information that is filed with the SEC and released to investors, and (2) should be held accountable for the fairness, thoroughness, and accuracy of this information. On the surface, this sounds simple enough, but

in reality SOX is so complex, technical in nature, and detailed, that no corner of any publicly traded company has remained untouched. Corporate culture, governance responsibility, and reporting requirements for top-level management are all recognized by the Act. Yet, most companies were not required to

completely re-invent any of their processes for these activities, instead finding it necessary to do fine tuning in order to ensure compliance with the Act and to provide necessary documentation needed for compliance. Every aspect of compliance with Sarbanes-Oxley goes back to having the proper documentation of procedures (Carpenter, 2004). The changes that companies have undergone over the past seven years to ensure that proper accounting have turned out to be very costly and far-reaching. A survey of corporate boards found that it has cost organizations an average of $16 million each per year to comply with regulations under the 2002 Sarbanes-Oxley Act (Gurchiek, 2005). The price of the

technology needed is expensive, and organizations have experienced higher labor costs because they have had to hire additional personnel because there was so much additional work that had to be done in order to achieve compliance with the Act. While SOX was the stimulus for this change, the PCAOB, itself an outgrowth of passage of the Act, is responsible for ensuring that public company financial statements are audited in accordance with the highest standards of quality, independence and ethics (PCAOB, 2005). The PCAOB was given the authority to set standards and investigate and discipline auditors of publicly traded companies (McElveen, 2005). The Board has adopted rules pertaining to

adjudications and investigations, thus giving the board far-reaching authority. For example, the Board and its staff can investigate anyone who they feel may have violated the Act or the Boards rules. Anyone under investigation with the Board must cooperate and provide necessary

documents and testimony. Hearings may also be held when violations are found. Penalties can include anything from revoking a firms registration to monetary penalties (PCAOB website, 2005). Needless to say, the PCAOB carries a big gun. According to the AICPAs summary of SOX, the PCAOB is responsible for seven things: (1) register public accounting firms; (2) establish, or adopt, by rule, auditing, quality control, ethics, independence, and other standards relating to the preparation of audit reports for issuers; (3) conduct inspections of accounting firms; (4) conduct investigations and disciplinary proceedings, and impose appropriate sanctions; (5) perform such other duties or functions as necessary or appropriate; (6) enforce compliance with the Act, the rules of the Board, professional standards, and the securities laws relating to the preparation and issuance of audit reports and the obligations and liabilities of accountants with respect thereto; (7) set the budget and manage the operations of the Board and the staff of the Board. Even foreign accounting firms that prepare or furnish an audit report involving United States registrants will be subject to the authority of the Board (AICPA, 2002). Mandatory fees paid by publicly traded companies fund the Board. Annually, the Board computes the fees based on that years budget, approved by the Securities and Exchange Commission. The fees are paid by publicly traded companies with average monthly U.S. equity market capitalization of over $25 million each and by investment companies with average monthly net asset value or U.S. equity market capitalization of more than $250 million each (PCAOB website, 2005). POST-SOX ORGANIZATIONAL CHANGES Conventional wisdom would argue that when a law is passed that pertains to accounting, that it would affect only the accounting and finance departments of an organization. However,

SOX and the PCAOB have been proven to affect virtually all areas and departments across the organizations span. Those without accounting backgrounds have found themselves trying to learn basic accounting in order to make compliance with the Act easier. And even those who know a little accounting (a little accounting can be a dangerous thing) have had to call on accounting colleagues in order to refresh their memories of basic accounting skills. Bottom line: It is now necessary that all members of an organization have an understanding of the SarbanesOxley Act and how to comply and maintain control for proper implementation of the Act. The remainder of this paper will focus on changes in the following levels or areas; however, this list and subsequent discussion should not be construed as all-inclusive: Executive, human resource, travel and asset management, IT, and risk management. Executive Level Chief Executive Officers and Chief Financial Officers are now required to certify, with signed statements, quarterly and annual financial reports (McElveen, 2002). Along with these annual reports, internal control reports must also be filed. These officers must take responsibility for establishing and maintaining proper internal controls (Aon Consulting, 2005). They must also evaluate the effectiveness of such controls as of a date within ninety days prior to the report, and present in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date (Williams & Barrenechea, 2004). Thus, these executives have learned that they had better know and understand the requirements of both financial reporting per se and the Act itself in order to certify, without reserve, the financial statements. In a survey conducted in 2004 to evaluate the performance of several groups responsible for financial reporting, executives who responded to the survey actually suggested that the CFOs and Controllers incentive compensation plans should not be heavily weighted on profits

and stock growth (Carpenter, 2004). Respondents also suggested that it would be a good idea if CFOs and Controllers also attend ethics and fraud training. It remains to be seen if either of these suggestions has been put to policy in organizations. It is believed that additional research is needed to determine whether each of these suggestions has been taken to task. Human Resources In the seven years since passage, Human Resources (HR) officials appear to have asked the most questions and had the most apprehension when it comes to proper compliance of the Act. Since it is not ordinary and customary for HR professionals to have a background in accounting and auditing, many of them, at least initially, felt as though they were operating in the dark (Pratt, 2004). The Society of Human Resource Management conducted a study one year after the passage of SOX (2003) that questioned HRs understanding of those new responsibilities and what changes had been made as a result. Survey results indicated that eighteen percent of organizations immediately created an ethics hotline. Thirteen percent of respondents had already created a policy to protect whistleblowers. But one year after passage of SOX, fifty-five percent had done nothing (SHRM, 2003). More research needs to be conducted in this area to determine if anything has happened in the successive six years to change HRs perception of SOX. Human Resources officials now work more closely with the accounting and finance departments in order to determine which Human Resources accounts will have a significant impact on the companys financial statements. In many companies, the following processes that are overseen by human resources (again, these should not be construed to be all-inclusive) have been deemed significant: defined benefit pension plans, defined contribution plans, health and welfare plans, retiree programs, stock compensation programs, and workers compensation. Each

of these functional processes can have a significant impact on a companys financial statements (Zeringue, 2009). Many organizations view the passing of this law as an opportunity to employ the best practices to manage human capital (PeopleSoft.com, 2004). It is also important that HR

departments keep good controls by documentation. Substantial time and costs are involved with managing these processes. By automating controls, companies can reduce errors and costs. Many HR officials have rewritten their companys corporate policies and manuals in order to comply properly with SOX, since many of the processes of HR have a direct and material impact on corporate financial statements. Specifically, significant HR processes have impacts on a companys cash flows, tax liabilities, and profits and losses (Smartpros.com, 2004), given that employee benefits can represent a companys third largest expense, after cost of goods sold, and non-manufacturing payroll. One plus due to implementation of SOX is that hopes

have been raised that errors related to benefits will be rectified (Katz, 2004). Travel and the Personal Use of Company Assets SOX has also put controls into place that serve to restrain certain use of company travel and assets. Newly required internal controls that monitor any expense abuses contribute to compliance with the Act. Companies now must declare any personal use of company assets to their stockholders, and travel gets involved because of the use of airline tickets, the use of special funding, and the use of company aircraft, etc. (Zeringue, 2009). Section 402 of SOX forbids personal loans to executives (Boehmer, 2004). Corporate credit cards can now only be used for business purposes and must be carefully monitored so that they are not used for personal use of any kind. Processes now must be in place and formalized in order to make sure that documentation is correct, and that there is proper backup indicating

business use. When company assets are used, that use must be properly authorized, properly recorded, and backed up by explicit documented policies. Many of these processes that have been put into place fall under the category of continuous transaction monitoring (Business Wire, 2008). Information Technology While IT has become so vital to the proper implementation of SOX, the actual legislation doesnt explicitly say anything about IT! The only portion that is relevant to IT is section 404 that discusses internal controls (Brasche, 2004). IT departments must be well informed of what technologies they need in order to comply with the Sarbanes-Oxley Act and to purchase appropriate, but not excessive, technology. The IT departments are responsible for having the proper technology in place in order for compliance to run smoothly. They must be sure that they have enough technology to aid in compliance, continuous transaction monitoring where relevant, and for internal controls maintenance. Risk Management Another area that is believed greatly affected by SOX, primarily due to the additional reporting requirements is the Risk Management division of publicly traded companies. This department frequently reviews values on Workers Compensation, Property Liability, and General Liability claims and makes adjustments to the numbers on a monthly basis for reporting purposes. When large claims occur during a month, this department notifies the CFO so that the corporation can properly accrue for the loss when it occurs rather than in the future. The risk management director now deals directly with the outside auditors, the internal auditors, officers of the corporation, and general managers, who must be made aware in great detail of the fluctuations in claims dollars. One head of a large risk management division reports that his

department now (post-SOX) spends about one half of the total time in a work month doing financial evaluations and preparing reports that are directly related to or required by SOX (Zeringue, 2009). CONCLUSION By considering the various sub-entities within an organization that have been affected by the Sarbanes-Oxley Act, a clearer understanding is made about how deep into an organization the requirements of SOX (and PCAOB) can go. Yet, I believe this paper has merely scratched the surface! It has been demonstrated that not only do some of an organizations daily job functions change, but also its entire system of recordkeeping may have changed, e.g., advent of continuous transaction monitoring. The purpose of this was paper is to illustrate how evident it is that not only have accountants and auditors been impacted by the passage of the SOX and the creation of the PCAOB, but also many individuals involved with the organization: Executives, HR people, IT staff, those responsible for monitoring travel and those charged with oversight of company assets, risk management. Even this list is not likely to be all-inclusive. This paper has also drawn attention to additional research that needs to be done in the areas of ethics and fraud training in organizations, as well as that of current HR perception and compliance issues. It is believed that now with seven years down the road from passage, all segments of an organization are doing their best in order to comply with the Sarbanes-Oxley Act. They may have kicked and screamed (some, a lot!) and may have called for the abolishment of the Act (and who knows may be successful at that), but the bottom line is, they have used the resources available to them in order to make compliance an easy or at least easier shift for the entire organization.

REFERENCES AICPA, (2002). How the Sarbanes-Oxley Act of 2002 Impacts the Accounting Profession, from www.aicpa.org. AICPA, Summary of Sarbanes-Oxley Act of 2002, from www.aicpa.org. Aon Consulting. Business Process Outsourcing Eases Sarbanes-Oxley Compliance. (2005), from Aon Consulting FORUM Web site. Boehmer, J. (2004, Jan 19). Cos. Face Sarbanes-Oxley Law. Business Travel News, from www.btnmag.com. Brasche, R. (2004, Dec). Sarbanes-Oxley is an IT Responsibility and Business Opportunity. DM Review, from www.dmreview.com. Business Wire. (2008, July 29). Oversight Systems 5th Annual SOX Survey Finds Financial Executives Seeing Diminished Incremental Benefits from SOX Compliance, from www.findarticles.com Carpenter, T. D. (2004, Mar). A Changing Corporate Culture: How Companies are Adjusting to Sarbanes-Oxley. Journal of Accountancy, from www.findarticles.com. Deloitte and Touche. (2003). Sarbanes-Oxley Act Survey on the Implications for HR, from Deloitte and Touche Website. Gurchiek, K. (2005, Jan). Sarbanes-Oxley Compliance Costs Rising. HR Magazine, from www.findarticles.com. Smartpros.com. (2004, Sept). HR Also Impacted by Sarbanes-Oxley Section 404 Financial Executive, from www.smartpros.com. Private Company Accounting Oversight Board Katz, D. M. (2004). Sarbanes-Oxley and Health Plans. from CFO.com Web site: www.cfo.com. McElveen, M. (2002, Dec). New rules new challenges: from internal auditors to CEOs, the Sarbanes-Oxley Act is affecting employees at many levels. Learn how key requirements of the act compare to new rules proposed by the U.S. stock exchanges. Internal Auditor, from www.findarticles.com. PeopleSoft, (2004). The Impact of Sarbanes-Oxley on Human Capital Management, from www.peoplesoft.com. Pratt, M. K. (2003). Sarbanes-Oxley to Rewrite HR's Job Description. Boston Business Journal, from www.bizjournals.com

Public Company Accounting Oversight Board, from www.pcaobus.org Society for Human Resource Management, (2003). Sarbanes-Oxley Act, from www.shrm.org. Spurzem, B. (2003, Oct 08). Managing Corporate Records for Sarbanes-Oxley. Storage Management, from www.searchstorage.techtarget.com. Williams, K., & Barrenechea, M. J. (2004)The Sarbanes-Oxley Act: Compliance Management Framework. Technology Executives Club, , from www.technologyexecutivesclub.com. Zeringue, Gary (2009,June) Incorporated, Atlanta, Georga. Personal Interview, Director of Risk Management, RPC