Governance, Risk Management, and Compliance: It Can't Happen to Us—Avoiding Corporate Disaster While Driving Success by Richard M. Steinberg

Impact of SOX 404 on Financial Reporting

We know that the costs of SOX 404 are significant, far exceeding what legislators and regulators expected. But with the impetus of what happened with Enron and then WorldCom, SOX became the law of the land. The result was senior management and staff having to deal with the assessment and reporting requirements, as well as boards and their audit committees spending more time on monitoring, and thereby being diverted from activities viewed as adding more value. Here's what we saw.

• Reviews and certifications. Certainly the associated costs far surpassed what anyone expected. Initially corporate management and auditors, both internal and external, had to absorb what the law entailed and what they had to do. Some thought that in light of the internal control provisions of the Foreign Corrupt Practices Act of 1977 there would be little additional effort. But others knew well that there's a major difference between what companies did pursuant to the FCPA—which calls for companies to maintain an effective system of internal control over financial reporting (the FCPA's wording is slightly different, but the thrust is the same)—and being required to state publicly and certify that the system indeed is effective. Of course, the difference is multiplied by the SOX requirement that the external auditor opine on management's statement.
• Distracted, risk-averse boards. Some boards of directors provided less advice to management and became more risk-averse. ...