Bernard Denoyer knows finance; he's spent the past decade as a finance executive. As vice president and controller for Xenomics, a developer of genetic testing technology, Denoyer spends his days steeped in numbers.
So when it came time for the 12-employee New York company to meet requirements of the Sarbanes-Oxley Act, Denoyer set up a compliance system using Microsoft Office Visio, a flowchart application to document and organize ideas, processes and systems—just the sort of things that Denoyer thought the financial reporting mandates in Sarbanes-Oxley would require.
But after setting up this framework, Denoyer realized that neither he nor other Xenomics employees had the time to continue the process—essentially gathering the information and crafting reports. It was time for outside help.
Xenomics is not alone. Small companies are finding that complying with Sarbanes-Oxley—especially the infamous Section 404—is a significant challenge. Large companies began meeting the reporting demands of Section 404 last year. But the Securities and Exchange Commission has given smaller companies—those with market capitalizations of less than $75 million—until July 2007 to comply with 404.
Given that delay and the fact that most companies with fewer than 100 employees have market caps below $75 million, few truly small companies have faced Section 404 yet. But by looking to medium-sized companies that have already implemented SOX, as the 2002 law is called, small organizations can set strategies for handling the regulation. Although the bigger companies may have hundreds of employees, they still struggle with implementing SOX because they don't have the large staffs and budgets of Fortune 500 companies.
Their experience highlights several steps that small companies should follow. Namely, small businesses should take stock of whatever internal finance and IT knowledge they have. They should consider how to leverage existing software packages they're already using. Most companies will need to hire consultants to help them figure out how to comply with the regulation, but many will be able to do it themselves after the first year.
The Big Picture
SOX requires public companies to keep detailed financial records and to document their auditing processes for the SEC. The goal is to make it easier for regulators and shareholders to monitor corporate activities. Section 404 requires public companies to develop and use internal controls in all their financial reporting processes so that they can be verified by outside auditors.
The delay in the Section 404 requirement follows two postponements by the SEC in response to complaints that the reporting requirements are overkill for small businesses.
"Sarbanes-Oxley really doesn't scale down very well," says Tony Riley, CFO of Avanex, a fiber-optics company in Fremont, Calif., with about 800 employees and $160 million in revenue. With a market cap of $114 million, just $39 million over the cut-off point, Avanex is a company that had to comply early. "Small companies just don't have the manpower to document everything they do."
For example, a CFO might be reviewing certain financial documents regularly, but Section 404 requires documentation for that review process so that it's verifiable. "Many of these requirements are far too unwieldy for these micro-cap companies" and can easily double or even triple a company's annual audit fees, Riley contends.
Nevertheless, companies must prepare for the reporting mandates. And Riley says smart use of information technology is a key element. Once a company figures out exactly what must be documented, it should automate the process, he says. "A lot of small companies have good IT systems, but they don't utilize the full capability of these systems."
The effort might be painful upfront, but in the long run it should increase efficiency and productivity, says Scott Gracyalny, managing director of risk technology solutions at Protiviti, a Chicago auditor and risk consultant. In fact, adequate attention to how IT can help comply with Section 404 can have several long-term benefits, he says.
Companies "will be seeking ways to extract value from their Sarbanes-Oxley compliance management processes, but to do that they will need to think more strategically about their technology investments and move from project to process as well as from tactical to strategic investments in technology," Gracyalny adds.
Among the benefits he cites:
- increased accuracy in financial operations and reporting;
- decreased risk of financial fraud;
- increased likelihood that, should fraud occur, it will be quickly detected and the individuals responsible will be held accountable.
The first step is to take stock of internal financial and IT expertise. There is a boatload of software on the market to help with SOX compliance. These products range from simple database applications for collecting the data to unique SOX-related tools and even special modules for other apps or to plug into a company's enterprise resource planning (ERP) platform.
But choosing software and possibly bulking up a company's hardware infrastructure to support the new apps is just the tip of the iceberg. A business also needs experts who understand the Section 404 requirements, how to apply any chosen software and how to create a reportable—and also repeatable—process.
Few small companies have the staff or the knowledge to do all this work themselves. Even for companies with some SOX knowledge, extensive in-house technology resources and time to manage the process, hiring a consultant to jump-start the process might make good business sense.
From the Inside Out
That was true for ViaSat, a wireless networking company with $346 million in annual revenues and about 1,000 employees. The Carlsbad, Calif., company set up a compliance module, Oracle Internal Controls Manager (ICM), says Aaron Sager, ViaSat's manager of business systems. It chose ICM because ViaSat had already standardized on an Oracle ERP several years earlier, he notes. The company then hired an independent consultant that had worked with Oracle in the early stages of ICM's development.
ViaSat also hired a manager of compliance whose job is to learn the intricacies of the Oracle software. "He'll be the one who manages the data flow, and he'll be responsible for overseeing government compliance," Sager says. And there is another external consultant to help with testing.
Biosite, a 1,000-employee biomedical company in San Diego with $245 million in annual revenues, took a similar route. Company executives thought they could handle most of the job in-house because the company's director of SEC reporting was formerly an auditor at a major accounting firm. Nevertheless, Biosite initially hired consultants to analyze its accounts payable system and recommend where to improve internal IT controls. The company then took over and implemented the recommendations.
"Having somebody here who can adjust schedules, work with people when they are available and be familiar with internal controls and your audit process is invaluable," Biosite CFO Christopher Twomey says. "And it didn't cost nearly what it costs to have a third party do it."
The total cost of the initial portion of the project, which included performing a review of the accounts payable system and related processes, came to $35,000, he says.
Biosite didn't have to spend much on software, either. Initially, the company gathered its compliance data in an Access database but has since upgraded to SharePoint, a Windows component that has document sharing and collaboration utilities.
Some small companies might not be ready to fully automate their processes, and that's OK, says one accounting expert. "It's reasonable to have your documentation reside on an offline spreadsheet or document format if your business is not complex, doesn't change a lot and doesn't have a large geographic footprint," says R. Trent Gazzaway, managing partner of corporate governance at Grant Thornton, a tax, accounting and business consultant in Chicago.
As for Xenomics, Denoyer says he's glad that he at least started the process himself. "It was invaluable in determining how much of the work we would have to outsource," he says.
Denoyer cautions against a company entirely removing itself from the process. "Make sure to maintain constant contact with the auditor to ensure that everyone is on the same page," he says.
The hardest part, the companies on the front lines say, is setting up the initial system and getting through the first year. But once processes are in place and have made it through their first year of operation, companies can ease consultants out, Protiviti's Gracyalny advises.
Grant Thornton's Gazzaway adds, "Qualified external resources can serve the dual purpose of helping to effectively complete the first evaluation while training the internal resources to take over in subsequent years."
Companies that take a strategic approach to implementing SOX can derive the following business benefits from compliance, according to a recent survey of financial executives by Oversight Systems, a vendor of SOX tools: