
IT Compliance Institute, October 10, 2006:

Trends and Technologies

Foreign Correspondence: SOX Efficiencies and EU Issuers

As of July 2006, many foreign companies listed on US exchanges must comply with some Sarbanes-Oxley requirements. Can foreign companies learn from the US SOX experience? How will differing rules for foreign issuers impact compliance costs? Experts suggest that less effort might lead to more compliance for EU companies.

By Mathew Schwartz

While Sarbanes-Oxley originally only applied to publicly traded US businesses, since July 2006, many foreign companies listed on US exchanges must now comply—if their market capitalization exceeds $75 million—with at least some SOX provisions.

What are the ramifications of SOX compliance for such companies? Will SOX map to any regulations they must already meet? Indeed, do European companies' existing regulatory aptitudes give them a competitive advantage over their American counterparts?

Early SOX movers—large US companies—do have at least one advantage: many are now largely SOX-compliant and already refining their efforts, which allows them to renew their focus on becoming more competitive.

Yet the longer a company can wait to comply with SOX, the better its chance to tap improved industry best practices, retain consulting firms with better regulatory experience, and implement improved off-the-shelf compliance software. The longer it waits, potentially, the less it must comply with. Hence, experts suggest, by sitting out the painful early days of SOX compliance, most foreign companies will, on balance, spend less to comply. Does that equal a competitive advantage?

Foreign Regulatory Aptitudes and SOX

Many foreign companies, of course, already operate in strong regulatory climates, facing for example much more stringent data privacy laws than in the United States. As a result, they also have more experience with such frameworks as ITIL and such standards as ISO 17799. Does this make it easier for them to excel at SOX?

"When you look at companies outside the United States, you'd expect they would have some advantages when they come to SOX," says Chris Farrow, director for Configuresoft's Center for Policy and Compliance. In particular, "they've had two-to-three years to watch their peers, look at lessons learned, and decide what their priorities have to be."

Yet Ethiopis Tafara, who directs the SEC's international affairs office, argues in the International Financial Law Review (September 2006) that SOX-like efforts in other countries are creating regulatory parity with the US, because there has been "widespread global adoption of the major provisions of the Sarbanes Oxley Act."

The major provisions of SOX are that management must state their responsibility for internal control efficacy in the company's annual report and report on the state of those controls; and that an auditor must also sign off on such controls. "These three main provisions have basic equivalents" in many foreign countries, writes Tafara. For example, "a number of jurisdictions—including France and Japan—have established rules-based internal controls requirements through legislation, with the Japanese and French legislation closely resembling the internal controls requirements of SOX." China and Canada are also moving toward "a rules-based approach," while other countries are allowing companies to "comply or explain," including Australia, Germany, Hong Kong, the United Kingdom, and potentially a forthcoming European Union directive. Other countries, however, such as Mexico and Brazil, have only voluntary compliance requirements, if any.

On balance, then, he says the three main provisions of SOX "have not competitively disadvantaged US markets, simply by virtue of the fact that they have been widely adopted elsewhere."

Yet do his examples bespeak "widespread adoption"? Many foreign laws so far only require companies to disclose their internal controls, not to attest to their effectiveness. Furthermore, requirements for how auditors assess the state of those controls tend to be lax or nonexistent. All of that means foreign companies today can spend less, and perhaps far less, on SOX or SOX-type compliance.

As SOX Ages, Mellows

Most foreign companies today do not yet have to comply with major SOX provisions. For example, in August 2006, the SEC extended deadlines by a year for management and external auditors' attestations of control effectiveness. The extension applied to almost half of domestic companies and almost two-thirds of foreign companies. SEC chairman Christopher Cox says the deadline extensions are the SEC's attempt "to be sensitive and responsive to the particular needs of smaller public companies and foreign private issuers, and to minimize the burdens that Section 404 may impose on them." He also says the SEC and PCAOB are redesigning Section 404 "in a way that is efficient and cost effective for investors."

Some organizations are asking why, if the SEC admits Section 404 needs an overhaul, such deadlines should even be set before experts can see and test the SEC's changes. As an August 2006 letter from the US Chamber of Commerce to the SEC says, "it would simply be inappropriate to push these companies into implementation until we are sure that the process has been substantially improved." It recommends first taking a year to test changes with larger companies—who already comply with SOX—before imposing them on others. Exactly when the majority of foreign companies will actually have to comply with SOX remains an open question.

Foreign Companies' Own SOX Challenges

Given the well-documented costs and guidance problems, perhaps not surprisingly, most foreign companies don't appear to be actively rushing to comply with SOX. For example, "the European business community as a whole is still really, really far behind where they should be," notes Farrow. "There are a lot of signs saying, maybe you guys aren't ready, and the SEC keeps backing down, relinquishing controls. They're not being held up to as quite a hard standard as some US businesses." At the same time, "we're still talking to [US] companies who are having a really difficult time getting their controls in place to deal with audits."

Foreign companies may, however, face their own unique, and expensive, SOX challenges. For instance, Farrow says a business partner's customers in Australia are evaluating voluntary SOX compliance. "A SOX-type financial reform was inevitable, they wanted to get ahead on it—just in case they decided to go public, but really to get cleaned up ahead of time," he says. "But the biggest problems they had were the processes they had in place, and the guys working on the Australian accounting standards weren't used to the processes required by SOX."

Given such differences—revamping a company's accounting practices is no small task—he expects foreign companies and smaller US companies to continue lobbying for SOX extensions and revisions. So far, this has been a largely successful strategy, and has allowed both groups to forestall much, if any, spending on actual SOX compliance. "Because they keep getting one exemption after another, I wouldn't be surprised if we saw some companies holding off on implementing some big things, waiting to see if SOX will continue to loosen up."

Of course, getting any company to comply with SOX will boost the use of controls meant to diminish accounting chicanery. Yet by waiting as long as possible, many foreign and small companies should face easier, faster, and less expensive SOX efforts. Doesn't that equal some sort of competitive advantage?

Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.


This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.