OR&C Sponsor's analysis: Sarbanes-Oxley

None of the US or European respondents that are legally required to comply with SOx have decided to do so. Of those that are complying, 80% of those in the US feel the costs are too high and the benefits too low. However, the PCAOB seems to be giving guidance that will enable firms to focus on the higher-risk areas, which should help them to alleviate some of the cost and effort required. There may be a case that the in-depth nature of the process to date is largely due to consultancy houses trying to ensure they are not accused of missing any details. The EU has also intimated that it will not be going the prescriptive route for any similar legislation it might enact in the future.

On the upside, it seems companies have found an increased focus by senior management on op risk management and compliance. This, coupled with the benefits of increased reporting and control quality, should help to get senior level buy-in for future projects and efforts. With these two main points in mind it is odd to find that people are not concentrating their methodologies and technologies on ensuring a consistent approach across operational risk and SOx. Over a third of respondents had already purchased two separate systems or had no intention of purchasing a solution for either framework. It seems that both operational risk and SOx can learn from each other, and that the business benefits significantly from a cross fertilisation of ideas and technologies.

As the implementation of the SOx Act matures, it may turn out that a less detailed but more risk-focused approach, tightly coupled with op risk management efforts, will emerge and provide real value for money for the shareholders it had envisaged helping.