Additional staff was hired to deal with compliance issues; SOX helped institutions implement operational risk programs
Philadelphia, Pa (June 30, 2005)—The Risk Management Association (RMA) surveyed members in May 2005 to determine the costs and benefits associated with Sarbanes-Oxley Act Compliance, specifically with sections 404 and 302. The survey found that most cost increases were due to hiring additional staff. The greatest benefit was in helping the bank to implement an operational risk program.
SOX Requirements
Section 404 requires managers to maintain an “adequate internal control structure and procedures for financial reporting.” Section 302 requires auditors to attest to management’s assessment of these controls and disclose any material weaknesses. Transgressors could receive harsh criminal penalties.
Costs of Compliance
The cost of complying with SOX has been a challenge to many institutions. Although it is difficult to measure all costs, RMA’s survey attempted to capture direct costs associated with SOX compliance.
Participants provided ranges of the incremental costs surrounding SOX implementation. Purposely excluded from the survey were the routine costs incurred in preparation of the general ledger, monthly-quarterly-annual closings, auditors, or 10K and 10Q statements. However, to the extent that any of these have or will experience a cost increase as a result of SOX, then only that incremental amount was reported. RMA broke the respondents into two asset pools. Pool A represents institutions with assets less than $15 billion and Pool B contains institutions with assets greater than $15 billion.
| Activity | Pool A ($000) | Directional change in costs for 2005 (Pool A) | Pool B ($000) | Directional change in costs for 2005 (Pool B) |
|---|---|---|---|---|
| Documentation | $93.4 | Decrease | $822.2 | Decrease |
| Deficiencies | $48.8 | Decrease | $472.2 | Decrease |
| Total Control Structure | $116.8 | Decrease | $937.5 | Increase |
| Testing | $104.9 | Increase | $800.0 | Decrease |
| External auditors | $135.1 | Increase | $791.7 | Decrease |
| Internal staff | $102.9 | Increase | $1,227.3 | Decrease |
| Total Preparation | $119.7 | Increase | $1,448.7 | Decrease |
| Other preparation | $35.8 | Increase | $187.5 | Increase |
| Total costs | $422.6 | Increase | $4,553.8 | Decrease |
The majority of institutions have added staff in certain functions. Audit and Finance/Treasury were the most cited functions that increased staff. Only 8% of participants indicated that they did not add staff to comply with SOX.
In addition, when asked what portion of total dollars spent as of 12/31/2004 was attributable to technology to support SOX implementation, over 66% of participants responded that it was less than 10% of the overall dollars spent. It should come as no surprise that the majority of costs to date has involved bank staff. SOX compliance has caused institutions to either divert current staff from other matters or add new staff. On a positive note, more participants responded that total Senior/Executive management involvement with SOX would decrease (32%) or stay the same (50%) in the upcoming 12 months.
Less than a third of the respondents indicated that the following executive functions would devote more time to SOX compliance:
- Head of IT (30%)
- Controller (29%)
- CFO (23%)
- Chief Risk Officer (20%)
Cost versus Benefits of SOX
SOX has “greatly” or “somewhat helped” the bank to implement an operational risk program, according to 59% of respondents. However, participants were less likely to credit SOX with materially improving the accuracy of the institution’s financial statement disclosure. Banks rated this question on a scale of one to seven, with one indicating no improved quality at all. This question received an average rating of 3, with 48% of respondents selecting either a one or two. Many observers, including Michael Oxley, cosponsor of the law, have said the benefits are hard to quantify, and SOX should be viewed as an investment for the future.
Only time will tell if the benefits outweigh the costs.
About RMA
Founded in 1914, the Risk Management Association is a nonprofit, member-driven professional association whose sole purpose is to advance the use of sound risk principles in the financial services industry. RMA promotes an enterprise approach to risk management that focuses on credit risk, market risk, and operational risk.
Headquartered in Philadelphia, Pennsylvania, RMA has 3,000 institutional members that include banks of all sizes as well as nonbank financial institutions. They are represented in the Association by 16,000 risk management professionals in North America and numerous cities overseas, including Hong Kong, Singapore, Melbourne, Sydney, and London. Members meet regularly through RMA's strong chapter network.
Contact:
Kathleen M. Beans
RMA Public Relations Manager
215-446-4095