by Jason Rohlf – July 21, 2010
I am a firm believer in maintaining strong and lasting friendships, and the maintenance method I choose largely depends on the nature of the friendship. For my closest friends, this typically includes periodic texts and emails and an annual trip to Las Vegas followed by the requisite 11 months of recovery time. When I take my kids to the park, I catch up with their friends’ parents. I play ice hockey once a week, and this affords me the opportunity to catch up with other lovers of the beautiful sport. And LinkedIn and Facebook allow me to reach into my past and catch up with oodles of my old workmates and grade school chums, or at least to play voyeur into their (sometimes) interesting lives.
Certain events of the last few weeks have given me cause to catch up with another one of my dear old friends—the Sarbanes-Oxley Act of 2002 (or as I endearingly refer to him, “SOX”). OK, maybe that’s overstating things a bit; after all, SOX has only been around for 8 years and that’s really only old in dog-years. Nonetheless, SOX and I got together for a cup of coffee and a little bit of reminiscing, and I’d like to take this opportunity to bring you up to speed on what my good pal has been up to:
• Last December, the United States Supreme Court heard the argument filed by the Free Enterprise Fund challenging the constitutionality of the Public Company Accounting Oversight Board (PCAOB) and ultimately SOX. On June 28, 2010, the Court issued a 5-4 decision that gave the Securities and Exchange Commission (SEC) more leeway to relieve PCAOB Board Members; however, aside from this change, the Court chose not to open up the legislation to further scrutiny, so all indications are that my friend SOX won’t have to go changing any time soon…
• ...or will he? On October 2, 2009, the SEC issued a release that put an end to the parade of SOX section 404(b) filing extensions afforded to small public companies (defined as those with a market capitalization below $75 million). The release stated that these non-accelerated filers will see the last extension expire beginning with the annual reports of companies with fiscal years ending on or after June 15, 2010. SEC Chairman Mary L. Schapiro commented that, “Since there will be no further Commission extensions, it is important for all public companies and their auditors to act with deliberate speed to move toward full Section 404 compliance.”
• Fast forward to last Thursday. Congress passed the Restoring American Financial Stability Act of 2010 by a heavily bipartisan 60-39 margin (read more in the New York Times). Among the sweeping reforms and regulations aimed primarily at the Financial Services industry, the bill included a provision to permanently exempt the very same non-accelerated filers from 404(b) filing requirements. President Obama is expected to sign this bill into law later this week.
As I discussed back in December in my article SOX or Not: Strong Internal Controls Hold Their Value, despite the heavy scrutiny that my buddy SOX has come under recently, I still believe that the benefits of maintaining a sound, comprehensive system of internal controls far outweigh the costs. Needless to say, I was pleased to read Protiviti’s 2010 Sarbanes-Oxley Compliance Survey, in which 70% of respondents indicated that the benefits of Sarbanes-Oxley outweighed the costs (versus 39% of respondents when asked during Year One of SOX).
Now let’s move beyond the various legislative goings-on for something a little more exciting (at least for me). Last Wednesday, I had the pleasure of facilitating the latest RSA Archer SOX Compliance Working Group session. I really enjoy these sessions because they are primarily driven by the users of our eGRC solutions, and they provide a forum for customers to share thoughts and ideas on any topics of interest or issues they may be facing as a collective.
Last week’s session was focused on the process of scoping controls for SOX purposes. We discussed the various elements that factor into the scoping process (see chart), the approach participants take when encountering “gray” areas (i.e., those elements of the business that fall at or just below financial thresholds), the frequency with which controls are re-scoped and what effect the economic downturn has had on each organization’s SOX processes.
I typically learn a great deal from the practitioners who participate in our Working Groups, and last week’s meeting was no exception. I found that there are varying methods being employed to determine the financial significance of controls (clearly the most important driver of scope) and that all who offered their thoughts during the session are incorporating some level of qualitative analysis in their scoping decisions (the “gut” factor).
For me, the most interesting thing I picked up from the session was that serious consideration was being given to the effects of the economic downturn, from how to treat “borderline” entities that have fluctuated in and out of scope (due to a “down” financial cycle) to the impact of staff reductions on the ability to maintain proper segregation of duties at various points of critical processes. All in all, it was a great discussion, using up each and every one of the allotted 60 minutes and hopefully setting the stage for (Shameless Promotion Alert!) another great SOX Working Group session on Wednesday, October 6.
It sure was good to catch up with my buddy SOX, and I’ll be sure to keep you posted on any further developments in his life. At the very least, I’ll let you know when someone posts unflattering pictures of him on Facebook…