Former SEC head says Sarbanes-Oxley to be "fine-tuned"

19.07.2005
By Thomas Hoffman

When Congress crafted the Sarbanes-Oxley Act of 2002, legislators assembled the bill "in record time" and did little to work with corporate executives to determine the demands the compliance requirements would place on businesses, said Arthur Levitt, former chairman of the U.S. Securities and Exchange Commission.

Still, members of the business community who are now pushing hard for major reforms to Sarbanes-Oxley because of the high costs of compliance "are being shortsighted," since the mandate for public companies to document their financial controls has "been well worth the costs" for investors, said Levitt.

"If you have any doubts about this, ask those thoughtful shareholders for any of those 586 companies that reported material weaknesses [with their internal controls] during the first four months of the year," said Levitt. He served as a panelist at a regulatory compliance conference held in Washington on Tuesday that was sponsored by BindView Corp., a Houston-based security software provider.

Unlike with the Sarbanes-Oxley Act, the founders of the Health Insurance Portability and Accountability Act actively sought involvement from health care industry professionals in order to make the requirements scalable and practical, said John Parmigiani, co-author of the HIPAA security provisions. He is also president of John C. Parmigiani & Associates LLC, an Ellicott City, Md.-based health care industry consulting firm.

"You need to get a lot of involvement from industry when crafting regulations, and you need to set realistic time frames," said Parmigiani. "If you're a two-person [medical] clinic, you can't take [the same approach to HIPAA compliance] as the Mayo Clinic."

When many large public companies had to document and test their internal controls for the first time under Section 404 of the Sarbanes-Oxley Act last year, the exercise was a real bear for IT departments, since most had never audited their IT controls, said Everett C. Johnson, international president of the Information Systems Audit and Control Association in Rolling Meadows, Ill. "In the IT arena, the process turned into an Ironman event," he said.

Even though the process of documenting, evaluating and testing IT controls "was a big challenge for a lot of IT organizations," Johnson said he believes the self-audit and external audit requirements imposed by Sarbanes-Oxley "helped lead to better compliance."

Dave A. Richards, president of The Institute of Internal Auditors in Altamonte Springs, Fla., said that for the hundreds of companies that met Section 404 requirements for the first time in January, 20 percent of their time went to documenting their controls and 15 percent to 20 percent of their time was spent remediating that documentation. He doesn't expect those requirements to be as time-consuming in the future as more companies begin to automate their processes.

For his part, Levitt believes incoming SEC Commissioner Christopher Cox will work with legislators to modify requirements imposed under the Sarbanes-Oxley Act, such as making it less expensive for smaller businesses to comply with the controls documentation requirements under Section 404.

Looking ahead, Levitt believes that the greatest corporate governance challenges yet to be resolved are those associated with executive compensation, which has reached levels "that are almost obscenities," he said. For instance, former Morgan Stanley & Co. CEO Philip Purcell was recently given a severance and retirement package worth an estimated $106 million.

The SEC has to put in place rules that require public companies to disclose whether executive compensation is performance-based and to provide details on the various factors that contribute to performance-based compensation, Levitt said.