sarbanes-oxley AS THE TRIAL of former Enron executives draws to a close in Houston, Texas, the whole Enron episode should serve to remind Hong Kong companies with a United States listing to make absolutely sure their procedures and financial controls fully comply with the requirements stipulated by the Sarbanes-Oxley Act. The legislation, often abbreviated as SOX, came into force in the US in 2002 and was the direct result of the Enron debacle and others around the same time. The Act imposes stricter rules for publicly listed companies, while making chief executives and chief financial controllers more directly responsible for any infringements or oversights. In particular, the Act sought to improve disclosure and enhance corporate responsibility and auditor independence. The standards set apply across the board and are not open to different interpretations, regardless of a company's size or type. 'The consequences of having a deficiency in those areas have become more significant,' said Lester Sussman, managing director of Resources Audit Solutions, the California-based division of Resources Global Professionals, which offers corporate governance and risk management services. This includes providing specialist advice on internal audit matters, as well as SOX compliance. A grace period relating to compliance has been in effect for non-US companies with a listing in the US. However, for fiscal years ending after 15 July, 2006, all such entities will be obliged to implement section 404 of the Act and comply in full. Clearly, this will also have an impact on the professional responsibilities and job prospects for auditors and accountants in Hong Kong and the mainland. In working towards compliance, Hong Kong-based companies, of which around 40 currently fall under the scope of SOX, face a number of challenges. But, as Mr Sussman pointed out, they could learn from the US experience. 'Almost all companies dramatically underestimated the level of effort required,' he said. 'Problems came from a mismatch of skill sets, a lack of knowledge of controls and limited experience in documentation and testing.' All this has made the compliance process highly challenging for both management and auditors. Subsequent industry reports show that many of the bigger US companies have used more than 100,000 hours of staff time to become compliant. Some of the reasons for this were deferred maintenance of systems, limited guidance, time required to correct deficiencies, and a steep learning curve for employees. 'If you look at it from a project standpoint, it is not a one-time effort, but there does have to be a big initial push in the first year,' Mr Sussman said. 'Therefore, many companies will want to outsource or hire people with the necessary experience, rather than relying on staff who have to learn on the job.' He said various pilot projects involving foreign businesses had identified the areas that most often required attention. These included tax accounting, financial statement processes and entity-level controls. However, auditors and finance departments should also be on the alert for material weaknesses in revenue recognition, tax reporting and accounting for leases. 'The initial challenge is usually to understand the documentary controls currently in place, since these are often set up at different times and in different ways,' Mr Sussman said. The recommended starting point was to put everything on the table and see what was really happening. Only then was it possible to assess whether existing controls were effective, and SOX compliant. Mr Sussman said the traditional emphasis was on what was effective from the company's point of view. However, with the new regulations, it was essential to concentrate on examining internal processes and demonstrating how individual items made their way to the financial statement. 'It means, for example, you have to re-examine processes for billing, accounts payable, payroll and monthly reporting, and assess the security and effectiveness of general IT controls,' he said. In terms of best practice for compliance, Mr Sussman said it was important to develop continuous assessment programmes. Internal monitoring becomes an integral part of an organisation's operations. He also advised diversified companies to establish standardised procedures and centralised controls. These would ultimately reduce the number of separate tests required at process level, so that one system of checks at company level would suffice. It was also advisable to make full use of available technology to identify, manage and remediate any deficiencies. Mr Sussman said auditors working for first-time foreign filers should keep a close eye on such key aspects as anti-fraud controls, segregation of duties and foreign currency transactions. He also reminded companies of the importance of prompt action. 'If they don't have a report from an auditor, then the SEC [Securities and Exchange Commission] in the US will regard it as a deficient filing, and there could be penalties,' he said. A SEC roundtable discussion held last year to review the effects of the legislation in the US noted that the costs associated with implementing SOX were excessively high and that the process left room for improvement. In many cases, however, the higher-than-anticipated costs were the result of decentralised operations, disparate systems or simply inefficient controls. 'It's safe to say a large number of companies have significantly improved their control environment,' Mr Sussman said. 'The legislation has also provided an incentive to upgrade technology infrastructure.' Assessing the role of auditors, the PCAOB (Public Companies Accounting Oversight Board) recommended that auditors should exercise judgment and tailor audits to the risks faced by individual clients. The board also said it paid to adopt a top-down approach and, where possible, to take advantage of the work of others. 'Audit plans should be customised, focused and performed by appropriate personnel,' Mr Sussman said. 'Many firms in the US used a one-size-fits-all checklist approach, so they expended more effort than necessary on lower risk areas and were not fully focused on the unique risks specific to each company.' Reflecting on the general prospects for the accounting profession, Mr Sussman said there was now a high demand for qualified personnel.
