Faster SOX Compliance Through Recognized Standards
76% of the European companies affected by the requirements of the Sarbanes-Oxley Act (SOX) have underestimated the cost of implementing the regulations. This is the result of a study conducted recently by the management consultancy Detecon International and the auditing firm Rölfs WP Partner AG. The consultants surveyed 21 exchange-listed stock corporations that have implemented the SOX review procedures. According to the study, 30% of the surveyed companies put their SOX implementation expenditures at more than $20 million. The ongoing annual costs currently reach at least 25% of the implementation costs, and all of the companies assume that the expenditures for the reviews will rise further. This indicates that the processes with their controls, the documentation, and the review procedure all have substantial potential for optimization. 15 companies named missing documentation as a cause of control deficiencies. The resulting follow-up work has above all consumed the time of the companies’ own employees, a complaint made by 20 companies. “Most of them underestimate in particular the expenditures for the control self-assessments, the internal reviews required in advance. Many overlooked the fact that some of these must be conducted daily and that the additional work for one employee totals several days,” says Anne Bernzen, managing consultant and responsible for corporate governance and performance at Detecon. In her opinion, the objective now must be to reduce the expenditures for controls and reviews and to integrate SOX better with the internal control systems and corporate governance.
Exchange Supervisory Authorities Recommend CObIT
What instruments are available to companies to reduce their review expenditures? The American securities regulator SEC, together with other organizations such as the PCAOB (Public Company Accounting Oversight Board) and ISACA, a worldwide professional association for IT auditors and security managers, recommends the use of the two frameworks COSO and CObIT to achieve SOX compliance. CObIT (Control Objectives for Information and Related Technology) is a recognized governance model for IT processes, published and further developed by the IT Governance Institute in the United States. It serves as a framework for IT governance as a whole and covers all areas of IT. COSO (Committee of Sponsoring Organizations of the Treadway Commission), on the other hand, aims to improve the quality of financial reporting, risk management, and company management. These recognized standards serve companies affected by SOX as a framework for controlling all of their business processes, such as fixed assets, corporate financing, sales, purchasing, or human resources. IT is only one of a number of process groups relevant under SOX, although it is regarded as a key sector because it provides the system support for all of the other areas. Meanwhile, ITIL (IT Infrastructure Library), a library of best practices for organizing IT service management, has become established in Europe. However, the IT-related SOX controls go far beyond the scope of IT service management and also take the functional capability of the technology into consideration. Wolfram Hohaus, managing consultant at Detecon, therefore concludes: “If a company has already implemented CObIT, this is fully adequate from a SOX viewpoint and there is no need to implement ITIL in addition. But if ITIL is already available, the best practices should definitely be used. The ITIL processes can be supplemented with the relevant CObIT processes.” But there are problems because very few companies have any mapping between ITIL, CObIT, and SOX. “This leads to the creation of various documentation levels and controls which have not been coordinated with one another, usually resulting in substantial added expenditures.” Anne Bernzen regards the establishment of models that are entirely specific to one company and largely decoupled from CObIT and COSO as critical: “This results in additional expenses, especially in the case of mergers when the two partners must once again adapt their differing process models.”