The Sarbanes-Oxley Act of 2002 (SOX) directly impacts publicly traded companies and companies that meet certain Securities and Exchange Commission (SEC) filing requirements. Most private companies, not-for-profit organizations, and government agencies are not required to comply with SOX. However, since the goals of the act include accountability, reliability, and transparency, which are important values for most organizations, some have elected to voluntarily adopt certain provisions of SOX.
The Federal Reserve System (FRS) is one example of such an organization. As the nation's central bank, the FRS has a longstanding commitment to excellence in conducting its activities and fulfilling its principal missions. Earning and maintaining the public's trust and credibility are keys to the FRS's effectiveness as a central bank. The FRS must operate efficiently and effectively, maintaining high standards of internal controls over financial reporting and safeguarding of assets, just as public companies are required to do. The FRS has made a concerted effort to comply with SOX for the benefit of its stakeholders, which include bankers, investors, employees, businesses, and citizens.
In 1997, the FRS adopted the COSO framework for assessing internal controls, and in 1999, the Federal Reserve Act was amended to require an external auditor review of Federal Reserve financial statements. As a member of the FRS, the Federal Reserve Bank of Philadelphia (FRBP) has historically placed great emphasis on strong internal controls. In the past, the annual auditor attestation on the FRBP's internal controls was conducted using the auditing standard of the American Institute of Certified Public Accountants (AICPA), AT 501: Reporting on an Entity's Internal Control over Financial Reporting.
Under SOX, the Public Company Accounting Oversight Board now has authority for issuing audit standards, and in 2004, Auditing Standard No. 2 (AS 2) was implemented. This auditing standard superseded the previous AICPA standard. The AICPA standard is still applicable to nonpublic entities, while AS 2 is required to be used for internal control attestations of public companies. While it is not formally subject to AS 2, which is considered a more rigorous standard, the FRBP has enhanced its internal control processes so that they meet the requirements of AS 2. The level of internal control testing by its external auditor increased substantially in the FRBP's efforts to attain an unqualified opinion on its internal controls under AS 2.
Other organizations not subject to SOX are taking a similar proactive approach. For example, Drexel University (Drexel), a not-for-profit organization, has identified and documented its critical business processes, as required by Section 404 of SOX.[1] As per Section 301 of SOX, Drexel requires financial literacy for audit committee members and expanded responsibilities for whistle-blowing complaints. In addition, the chief executive officer and chief financial officer certify the financial statements, as required by Section 302 of SOX.
Although Drexel has experienced additional costs due to the increased documentation and additional resources that result from implementing certain elements of SOX, it has also identified significant benefits, including creating potential opportunities for streamlining business operations, educating employees on the importance of strong internal controls, and ensuring that policies and procedures are consistent with business objectives.
In general, SOX corporate governance reforms are becoming more widely accepted by nonpublic entities. For example, some are establishing audit committees, increasing their number of independent directors, and adopting conflict of interest policies.[2] SOX is also affecting small private companies that want to go public. For example, Title II of SOX deals with auditor independence. A company preparing to go public must ensure that its CEO, controller, and CFO have not been employed by its audit firm during the 12 months prior to its audit. In addition, it must comply with the limitations on the amount of consulting services performed by its independent auditor.[3]
Entities not subject to SOX should consider the additional costs when determining whether to incorporate SOX requirements into their corporate governance program. Although SOX compliance should improve corporate governance and lead to fraud reduction, some companies have complained that the cost of compliance is too great. A 2005 survey performed by Financial Executives International, a group of 15,000 financial executives, found that public companies were spending an average of $4.4 million on SOX compliance. Another survey conducted by NASDAQ found that public companies with less than $100 million in revenue were spending an average of 1.3 percent of revenue to comply, while the companies with sales greater than $5 billion spent an average of 0.3 percent of revenue.[4] In general, larger companies with greater economies of scale cover the increased overhead for compliance with SOX more effectively.
The SEC has taken action to address some of the issues related to SOX compliance, including the high cost. In May, the SEC announced plans to make compliance with SOX Section 404, which deals with internal controls, more efficient and cost-effective. The SEC's plans also call for revisions to AS 2. Continuous improvements to SOX implementation and the ongoing evidence of the benefits SOX provides may result in more nonpublic entities embracing SOX.
The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.