Today’s Financial Times includes a front page story about the effect
of Sarbanes-Oxley on the fees companies are paying to external auditors: 
On the average, they have doubled this year.  Yow ! 

The FT story emerged from a study of large company spending on SOX
compliance published earlier this week by the Corporate Executive Board, a
consulting firm.  The same study reported that, in addition to the higher
fees for auditing, the companies surveyed spent an average of $5 million to $8
million on SOX Section 404 compliance work in 2004.

The numbers are in the news because companies with fiscal years ending
December 31 will be releasing their annual reports over the next few
weeks.  This will be the first year that these companies will have to
report on the effectiveness of their internal controls, as required by Section
404 of the Act. After the companies make their own assessments of internal
controls, the auditors are required to render an outside opinion on the internal
controls.  In a related story in today’s Financial Times, titled
"Crunch Time," sources from the Big Four accounting firms estimate
that perhaps 10% of the companies will report that there are material weaknesses
in their system of controls.

It appears that we will find out how the markets react to reports of material

The FT reports that companies typically have three questions for their

  • Are we in the clear?  Are our controls effective?
  • How can we make SOX compliance less expensive?
  • How can we turn this into something we can do year after year?

In diagnosing the sources of "material weakness" in internal
control systems, auditors put problems with information technology systems at
the top of the list.  The problems take different forms, but include
difficulties in controlling access to data and difficulties associated with the
project-oriented focus that has been characteristic of initial compliance

The companies that reveal material weaknesses over the next four weeks will
almost certainly stay in "project" mode — they will have no other
choice.  But, for the 90% of the companies that successfully make it
through the first year of Section 404 testing and evaluation, the real challenge
will be how to turn this from "crunch time" into a normal part of
business — a part that supports, rather than subtracts from, the rest of the

Are there readers of this column who can share, in general terms, the steps
that their companies are taking to make this transition?  It seems
reasonable to expect that increased use of content-based technologies to
automate parts of the internal control system would be part of the
solution.  Is that turning out to be the case?  Send me an
or post a comment.