Over the past few years, many international companies have given blood, sweat and tears in order to meet the stringent requirements on internal controls set by 2002’s Sarbanes-Oxley Act.

For UK companies registered in the US, this task has been complicated by other changes brought in by the UK government and the European Union. With the dust having settled for many on their first year of Sarbox compliance, it is perhaps of little surprise that so few have noticed any substantial benefits from all the effort put into compliance.

Recent research by Big Four firm Ernst & Young looking at financial services companies reveals that most remain unconvinced of the benefits the new rules bring – both to the company and from a wider perspective. Given the cost of compliance, this can be irksome. E&Y estimates that, of the companies that participated in its study, 5% of profits before tax is spent on risk management, which means (for the largest companies) in excess of £100m a year.

‘The operating models currently in place for risk and compliance across many organisations evolved in response to 20th century regulations,’ says Stephen Christie, head of the financial services risk and regulatory practice at E& Y. ‘The pace and complexity of change in the 21st century is beginning to highlight significant shortcomings in these models.’

In fact, it is probably only the larger accounting firms and other advisers that have benefited from the introduction of such regulation, as the extra work required brought them bumper pay days.

As companies enter a second year of dealing with Sarbanes-Oxley, they are desperately looking for ways in which to reduce the burden and the costs associated with it. ‘Companies, having done it once, are now looking for ways to make it more sustainable, cheaper, more efficient and much less of a hardship going forward,’ says Bob Spedding, head of internal audit at KPMG.

‘As Sarbanes-Oxley has developed, people have recognised the importance of getting the number of key controls they identify right. In the early days, I think everybody – auditors, management and advisers – probably took too tight and prudent a view on the number of controls that were key.

‘A lot of the developments that have happened within the application of Sarbanes-Oxley have been around improving efficiency in the process by taking a more risk-based approach. That allows you to do a narrower scoping and is a continuing area of development.’

And US regulators appear to be getting the message. This year, the Securities and Exchange Commission put forward proposals aimed as easing the burden of complying with the resource-draining section 404 of the Act, which requires auditors to attest to the robustness of a company’s internal controls.

It is hoped that the redesign of section 404 will help companies comply without having to devote the same amount of time and resources as they did the first time around. ‘In the early days of Sarbanes-Oxley it was decided that, as all companies were different, it wouldn’t be rule-based and people would be able to apply it as they saw fit,’ says Spedding. ‘But as time has moved on, people have sought more guidance. The SEC is asking management what sort of guidance they would like, in particular focusing on three main areas: risk and control identification, management evaluation, and the extent of documentation required. They are probably the areas that did get a little overdocumented and overworked in the early days.’

The SEC has also relaxed the rules further for smaller and foreign companies in an attempt to stop them fleeing the US market and to encourage initial public offerings (IPOs) from outside the US (see box). Those intending to list in the US will be exempt from Sarbanes-Oxley legislation for its first year.

‘Our goal is to make it easier for foreign issuers to do IPOs in the US,’ says John White, director of the SEC’s division of corporation finance. ‘They will still ultimately have to comply, but won’t have to worry about section 404 compliance during their IPO.’

Non-US companies will also be exempt from having to get auditor sign-off on their internal controls until July next year, while smaller companies will not have to comply with Sarbox until 15 December 2007. However, the changes will benefit very few UK companies, according to Jon Rowden, director at PricewaterhouseCoopers. He argues that many small companies with a 31 December year-end will not benefit from the deadline slippage, while the removal of auditor sign-off for foreign companies will not reduce the administrative burden at all, although it may help keep down auditor costs for a little longer.

Spedding also warns that even if the proposed changes come to fruition, companies should not expect an easy ride. ‘As far as we can see, it still remains a heavy piece of work,’ he says. ‘People shouldn’t imagine that it is suddenly becoming a very lightweight rule. It’s not.’

Despite the wailing and gnashing of teeth from public companies, some companies are actively incorporating the new rules into their business practice, even though they don’t have to. Some private companies are now picking up and running with Sarbox and have the luxury of not having to comply with the most arduous parts of the legislation, such as section 404.

Spedding argues that companies are typically doing this because ‘they are doing systems implementation or have completed an acquisition, so they have an opportunity to look at their controls afresh. There’s also the circumstance of a company that feels that, because of its sector or capital base, it could be acquired by a US company. Therefore, there is an awareness that Sarbanes-Oxley could be a driver in any deal and such a company may be more likely to comply just to make sure it is in a state of readiness.’

Those that have avoided Sarbanes-Oxley so far may be breathing a sigh of relief. But this might not last long. The influence of the US legislation is starting to be felt everywhere. Other countries are adopting similar rules, so those with international links are likely to feel the pinch sooner or later. ‘Japan is bringing in its own Sarbox, effective from January next year,’ says Spedding. ‘It’s a little bit lighter than the US rules, but it’s going to need working through nonetheless, and it’s going to be another burden for some organisations, especially the manufacturing divisions of some large Japanese companies over here.

‘We’ve seen the tightening in France of some of their independence rules. We’re just in an environment where country by country, the world has changed and people are tightening things up gradually in different ways,’ says Spedding.

I want to break free

Ever since Sarbanes-Oxley reared its ugly head in the US, and foreign companies got their heads around exactly what that would mean for them, they have been desperately searching for ways to get around it.

A few UK companies did manage to get out of the requirements by deregistering with the SEC, but most were unable to do this because the US regulator would not allow it for companies with more than 300 US shareholders. The financial watchdog has since relented on that point, moving the boundaries out to either 5% or 10% of shareholdings, depending on the size of the company, but many companies will still be unable to take advantage of this change of heart.

Sarbanes-Oxley has also badly hurt the US market in terms of new entrants. Neal Wolkoff, chairman and chief executive of the American Stock Exchange, has warned that it has inhibited smaller companies from accessing the US capital markets. Instead, they are remaining private, or looking to access capital in foreign markets. The London Stock Exchange has been in a key position to sweep up such business.

There are still concerns that Sarbanes-Oxley could find its way across the Atlantic, even for those companies not listed in the US. Potential bids for the London Stock Exchange or other European markets by US companies such as Nasdaq have sparked fears that the onerous rules would be imported into the EU. Despite assurances from both the FSA and the SEC that such mergers would not automatically result in listed companies having to follow Sarbox, it remains a concern form any companies, which will be keeping a close eye on any moves.

www.kpmg.co.uk