Sarbanes-Oxley Is Now a Fact of Business Life
10:12 AM EST Thu. Nov. 11, 2004
From the November 15, 2004 issue of VARBusiness
Many companies entered the SOX maelstrom thinking the bulk of money they spent to comply would be a one-time expense. Unfortunately, that does not appear to be the case. Based on a later survey in May, spending has continued to escalate. Consider the findings:
Based on this update, we expect spending to top $6 billion this year. Requirements have shifted during the past year. For many companies, SOX compliance has been a moving target. Nearly two-thirds of companies had reported that compliance efforts only got larger as 2003 progressed. Why? Outside auditors and advisers had counseled customers how, in their opinion, they needed to approach Section 404—Documentation of Internal Controls and Business Processes—mandates, and those opinions became more conservative over time. As well, four out of five companies surveyed viewed SOX compliance as covering a broad range of financial, operational and IT-based business processes, not just the financial processes and controls they envisioned earlier in the year. As a result, spending on technology components to support SOX and other compliance options should grow by nearly 1,000 percent between 2003 and 2004.
Longer-term approaches are being evaluated even as initial work is completed. As SOX compliance goes from tactical (finance-driven) to strategic (enterprise-based), more constituencies—in particular, IT and CIOs—are becoming vocal in how to create a repeatable and sustainable compliance regimen.
Our survey indicates that a solid majority of companies want and expect business improvements to result from SOX compliance spending. If they are spending money to comply, naturally they would want some ROI. The expected business improvements are modest, but companies articulate what they want to see happen, including better alignment between all business policies and related controls; improved capability to manage risks in the business; heightened importance of compliance-related activities as part of every activity; improved governance of IT functions' core-to-business operations; improved accountability across the entire organization; improved financial decision-making; better visibility into performance at business-unit levels; and improved ability to react to changes in market conditions.
Compliance spending will rise in 2005. Many companies thought they had already made all the key decisions; it was just about execution of essential activities. But others are starting to ask, "How do we make this repeatable, sustainable and cost-effective into year two of SOX and beyond?" As reality sinks in and thinking matures, we're seeing companies revisit SOX compliance with an eye toward long-term manageability.
Although we can't fully estimate aggregate-planned spending at this time, all indications are that 2005 IT-related compliance budgets will continue to grow. Our first-blush estimates indicate that IT-compliance budgets will rise at least another 10 percent in 2005.
The SOX Road Forward
As firms put their collective heads down and march toward looming compliance deadlines, SOX will remain top of mind for many business executives into 2005. First-wave companies (with fiscal year-ends after June 2004) are now delivering their initial Section 404 documentation to auditors to support their assertion that critical controls are in place and effective. Now it's up to the auditors to do their work.
In The Wall Street Journal, John Thain, CEO of the New York Stock Exchange, questioned whether the costs of Sarbanes-Oxley are too high and an inhibitor to long-term growth. There's no doubt this issue will be debated for some time to come. But prudent company management appears to be accepting compliance as a fact of today's business life and is planning to increase spending in the long term.
John Hagerty (info@amrresearch.com) is vice president of research at AMR Research.
