Sarbox Has Tightened Controls, But Has It Reduced Fraud Risk?


A report out this week from compliance technology provider Oversight Systems suggests that changes in Sarbanes-Oxley implementation and the Public Company Accounting Oversight Board's (PCAOB) Auditing Standard 5 have helped companies simplify their internal controls and reduce costs. However, the report also says the changes have created new problems for financial execs.


A little background: Oversight Systems, based in Atlanta, Ga., sells continuous transaction monitoring software. The "2008 Financial Executive Report on Sarbanes-Oxley" is the fifth in a series, and it is based on the company's invitation-only online survey of financial executives such as CFOs, controllers, internal auditors, vice presidents and audit officers from all over the U.S.


What I find interesting about this research are the issues that survey participants are most concerned about now that Sarbanes-Oxley compliance costs are truly dropping.


First, the research says more than half (56 percent) of the financial execs who participated in the survey aren't confident in their ability to identify the areas of their businesses that create the most risk -- which is part of what the new Sarbox 404 guidelines and AS 5 require.


Then, once those areas are identified, 39 percent say they aren't sure how to adequately keep track of everything that goes on in those high-risk areas -- especially since the goal of AS 5 and the new Sarbox guidelines is to reduce the number of internal controls that are necessary to achieve compliance. (This is where Oversight's pitch for continuous monitoring software comes in, and to a point it's justified. More efficient monitoring usually does involve automation technology, but anyway...)


Even beyond that, though, despite the fact that Sarbanes-Oxley costs have dropped and most survey participants say Sarbanes-Oxley compliance has made their financial statements more accurate and their internal controls tighter, only 29 percent of respondents say Sarbox compliance has decreased their companies' risk of financial fraud.


Does that seem odd to anyone else? If the financial controls are tighter and financial statements are more accurate, isn't the risk of fraud necessarily reduced? Maybe the questions weren't clear -- pure speculation on my part, I have no way of knowing -- but regardless, someone is confused.