The clock is ticking for non-U.S. companies that need to be compliant with one of the most talked-about elements of the Sarbanes-Oxley Act.
July 15 was the critical milestone for foreign companies listed in the U.S. to be compliant with Section 404 of the act. They now have anything from a few weeks to nearly a year to meet the regulations or face the consequences.
U.S. lawmakers passed the Sarbanes-Oxley Act, also known as SOX, in 2002. The regulations within aim to prevent financial malpractice and accounting scandals like that at Enron. Under Section 404, publicly traded companies must have internal policies and controls in place to protect, document and process information for financial reporting.
The law requires affected businesses to comply by the end of their fiscal year after July 15, 2006. The date is an extension of the original deadline of July 15, 2005, set by the U.S. Securities and Exchange Commission. Public U.S. companies were required to be compliant in November 2004.
For most non-U.S. companies, the journey would have started in 2004, noted Philip Chong, director at Deloitte & Touche Enterprise Risk Services. Businesses would also have started "thinking about assessing and implementing internal controls" about 12 months ago, he said.
SAP--a case in point
For software giant SAP, the process of becoming compliant stretched over a few years. Dirk Metzger, head of risk management at SAP Asia-Pacific, told News.com's sister site ZDNet Asia that the company began its SOX journey way back in 2002.
Besides involving process owners, SAP also appointed SOX champions, who handle SOX 404 related tasks such as effectiveness testing, Metzger said. Some 30 business units and 30 process groups were involved in the different project phases, each of which stretched "from 300 to 6,000 man-days," he added.
The software giant, he noted, also worked toward embedding SOX-required internal controls elements into SAP's risk management function, which is based on the COSO Enterprise Risk Management Framework.
Metzger said: "SAP grew the SOX 404 risk evaluation process over internal controls of financial reporting into a holistic Enterprise Risk Management function, and is currently developing a consolidated compliance and governance framework for the entire corporation. A direct reporting line to the executive board was established and an issue evaluation committee was set up, dealing with findings from SOX 404 testing and audits, thus giving the SOX topic top management exposure and attention."
According to Metzger, SAP is now undergoing half-year SOX 404 audits by its external auditor KPMG, and expects to obtain the first certification of compliance early next year.
At Nasdaq-listed Pacific Internet (PacNet), preparations for SOX-compliance commenced in mid-2004. CEO Phey Teck Moh noted that the company, whose current financial year will end on Dec. 31, 2006, will meet the requirements at the end of this year.
The Singapore-based Internet service provider put together a leadership team to manage the process, and placed country managing directors and financial controllers in charge of their respective areas. Dedicated work teams were set up in some country offices to work on achieving compliance. PacNet estimates that more than 30 percent of its employees--dedicated resources or otherwise--have been involved in the compliance work so far.
The project has been intensive "in terms of resources and commitment" but it has also benefited the company, Phey added. "The compliance process has given us the opportunity to further enhance our financial controls, which has strengthened and improved our business processes," Phey said.
Jeffrey Hoo, services and management systems field director at Symantec's regional product marketing division, noted that companies that are affected by the SOX Act already have processes in place and are working toward their compliance deadlines.
Hoo said companies in the banking and finance industry are more experienced, as "compliance is an everyday affair," unlike businesses in other industries where there is more work to be done. "A lot of time is spent defining the policies and processes, before going into the use of technology and getting people to understand and co-operate to comply," he said.
Deloitte & Touche's Chong pointed out that there are those, however, that choose to wait until the last minute to get their compliance act together. With an "immovable deadline," those that start late need to "put in more commitment from management" as well as pump in more human resources, he said.
Symantec's Hoo agreed, saying top management needs to offer "full support for compliance" and view it "as a 'must have' and not (just) 'good to have.'"
Vivian Yeo of ZDNet Asia reported from Singapore.