The Green Sheet, Inc

Perspectives on SOX and payment processing

Several years ago, in the wake of explosive corporate accounting scandals wrought by Enron, Tyco, WorldCom and others, Congress passed the Public Company Accounting Reform and Investor Protection Act of 2002. It has teeth much like the sweeping financial reform regulations enacted during the Great Depression in response to scandals linked to the infamous 1929 stock market crash.

Dubbed the Sarbanes-Oxley Act (SOX) after its main architects, Sen. Paul Sarbanes and Rep. Michael Oxley, the 2002 legislation passed 99-0 in the Senate and 423-3 in the House. Its objective is to rebuild public trust in the corporate community by requiring that all publicly traded companies conform to new, exacting standards in financial transactions and audit procedures. To mitigate fraud, executives of these companies must sign off on all financial statements done under their watch. (Needless to say, SOX directly or indirectly affects all ISOs and merchant level salespeople through its impact on payment processing.)

The appeal of privacy

Some processors, such as Heartland Payment Systems Inc., have recently gone public; others, including First Data Corp., have been publicly traded for some time. But they're all on SOX's radar: Every publicly held processor must now be in compliance with SOX.

Some experts posit that as a result of SOX, payment processors may think hard before going public.

Others may take their businesses private again. This is because the industry's lackluster growth rates don't please investors, and processors tend to be small or medium-sized corporations that can ill afford SOX's rigorous reporting requirements.

"I could foresee small businesses that could go public not doing so to avoid having to deal with SOX," said John S. Quarterman, the author of Risk Management Solutions for Sarbanes-Oxley Section 404, published by John Wiley & Sons Inc. this January. "In fact, people more paranoid than me have suggested that some big companies may seek out SOX violations in smaller companies and use them in takeover bids, given that the smaller company may not be able to afford the changes necessary to become compliant without being absorbed by a larger entity."

IPayment, which has been publicly held since 2003, recently agreed to be acquired by an entity formed by Chief Executive Officer Gregory Daily and President Carl Grimstad. The plan is to make iPayment privately held again. "I firmly believe that a transaction of this sort would reduce the costs and management efforts incident to the company's status as a public company and enable management to focus on operating the company's business and on value creation," Daily wrote in his Nov. 1, 2005 proposal to iPayment's board.

Although First Data has announced no plans to go private again, Dan Schatt, a Senior Analyst for Celent LLC, said doing so could not only resolve some business challenges but could also streamline costs associated with SOX.

"First Data has an uphill battle ahead, trying to fix some of the problems they face," Schatt said. "Their recent move to spin off Western Union and strengthen their existing processing business made a certain amount of sense. Western Union was a crutch, and it had no synergies with the card processing business. But investors liked it because of its growth, which exposes the problems public companies have in this industry.

"Processors are competing for pieces of an increasingly smaller pie; this is a single digit growth industry right now. One possible solution for First Data would be to carve their business up into smaller entities (they have nice revenue streams, if not nice growth figures) and sell them off, in effect taking them private again, piece by piece."

More to SOX than meets the eye

Many see SOX as purely an auditing requirement or an information technology (IT) expense, but it reaches into diverse business areas. Even the Public Company Accounting Oversight Board, which was established under SOX to guide the act's implementation, does not view SOX compliance as an accounting issue. According to the board's Auditing Standard 2, "... This broad definition of internal controls impacts all functions within a company." SOX even applies some whistle-blowing and document-destruction provisions to privately held firms.

It's not just a technology issue either, pointed out Gartner Research Group Vice President Debra Logan. "It regulates processes and business practices, not technology," she said. "In the modern enterprise, however, technology often defines and executes business processes or parts of business processes. The technology and business processes regulated by Sarbanes-Oxley are so entwined that it's impossible to separate them."

In addition, Schatt said, "Data disclosure could become a much more prominent issue as a result of Sarbanes-Oxley, particularly as we see new payment types, like contactless payments, gaining ground."

And Quarterman pointed out that recent data security lapses exemplify situations that possibly could have been covered under SOX. He said, "The compromise of 40 million credit card accounts at CardSystems is an example of the need to comply with existing policies, such as not keeping data after transactions are complete.

"Maybe SOX would have covered the CardSystems case; I wonder. But it would cover numerous cases of identity theft from financial organizations, such as the 3.9 million Social Security numbers that Citigroup said were lost by UPS in transit. Simply encrypting the tapes before sending and keeping track of where they were would have made the loss mostly moot and would have revealed when it happened more quickly." (See "Consumer data at its most vulnerable?" The Green Sheet, June 27, 2005, issue 05:06:02.)

The high cost of SOX

According to Quarterman, the hardest part of SOX compliance for small to medium-sized businesses is getting all the paperwork done, interpreting the requirements correctly, finding the right auditors to ensure that the requirements were interpreted correctly and keeping the costs within reason. "Plus, doing the rest of risk management without being too distracted by SOX," he said.

The actual costs of SOX compliance are hotly debated. Many organizations use a rule of thumb that guides them to plan on spending about $1 million on SOX Section 404 (pertaining to internal control reports) compliance for every $1 billion in annual revenue.

But in a recent study of U.S. Securities and Exchange Commission (SEC) filings, A.R.C. Morgan, an international financial consultancy based in The Netherlands, found that companies in the $1 billion revenue range are already spending more than $2 million on IT consulting and other outside services. The study further found that, once internal resource spending and growing auditor fees are added, the figure likely increases to more than $3 million.

A recent Gartner study shows that IT financial compliance management spending will absorb 10% to 15% of IT budgets in 2006, up from less than 5% in 2004.

Tom Eid, Research Vice President for Gartner, said that the pressures of meeting SOX deadlines may have led many chief information officers to implement one-off projects to meet each new regulatory challenge. Companies that choose one-off solutions, he said, will spend 10 times more on IT solutions for compliance than counterparts that consolidated compliance efforts.

Challenging SOX

The most vocal objections to the law have come from smaller publicly traded companies that want to ease its requirements for reporting on internal financial controls because of the costs they impose. "There is much discussion within the SEC about how Sarbanes-Oxley may be imposing a greater cost than anticipated," said Securities and Exchange Commissioner Paul Atkins at a recent conference in Brussels, Belgium.

The SEC apparently recognizes that compliance could be onerous for smaller businesses: an SEC advisory committee will meet Feb. 21 to finalize recommendations for scaling back regulations on smaller public companies. At its last meeting, the panel proposed a recommendation to exempt 80% of public companies from a section of SOX that requires hiring outside auditors to assess the quality of internal controls over financial reporting.

And on Dec. 14, the agency's commissioners, faced with criticism that SOX could be deterring foreign countries from listing on U.S. exchanges, voted 5-0 to propose a new rule to make it easier for non-U.S. companies to delist from a national securities exchange and deregister securities under Section 12(b) of the Exchange Act.

On another front, SOX is being challenged on constitutional grounds by the pro-business Free Enterprise Fund, an anti-tax group that hired Kenneth Starr (best known as the special prosecutor in the Monica Lewinsky affair during Bill Clinton's presidency) as its counsel.

The group maintains that SOX violates the Constitution's separation of powers among the three governmental branches because the five-member oversight board isn't appointed by the U.S. president and cannot be removed by him, and because Congress cannot control the SOX budget. Constitutional scholars say a victory for the Free Enterprise Fund is unlikely, but some speculate that the group hopes to force Congress to reconsider parts of the legislation.

The Basel II alternative

"While the thought behind SOX was good, the law itself appears to have been passed in haste," Quarterman said. "I hope Congress will reconsider all or parts of it. They might want to consider the Basel II [Revised International Capital Framework] requirements that banks are planning to voluntarily require of themselves.

"They [Basel II requirements] take into account problems that predate the Enron and WorldCom scandals and go beyond the jurisdiction of any one government. Most importantly, they are more about producing a culture of ethics in a company than about crossing every 't' and dotting every 'i'."

For more skinny on SOX, visit the Sarbanes-Oxley Compliance Journal at www.s-ox.com or the SEC's Web site at www.sec.gov/spotlight/sarbanes-oxley.htm.

Article published in issue number 060202

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
© 2006, The Green Sheet, Inc.