Enterprise Smarts

Sarbanes-Oxley Compliance: Round Two

By Jodi Mardesich

The backlash over Enron and other corporate financial scandals in the United States resulted in the Sarbanes-Oxley Act of 2002, federal legislation that was originally intended to protect investors, but has now become the bane of CIOs and IT departments. Ask a group of IT executives what the biggest waste of time was in 2005 and they would probably respond with Sarbanes-Oxley compliance. An online poll of IBM users last year asked respondents to look ahead 10 years and identify an ineffective and wasteful use of their time in 2005; the largest percentage, 28%, fingered Sarbanes-Oxley compliance efforts.

While the Sarbanes-Oxley Act doesn't name any type of technology as a requirement, companies are relying on the CIO and IT department to put in place the controls and processes the legislation requires. CIOs need to look at the potential positive impacts that SOX compliance can have on their organizations, but it's sometimes hard to see beyond the drain on financial resources and manpower.

Besides consuming the IT department's precious time, SOX compliance has proved costly: Spending on IT financial compliance management will increase to between 10% and 15% of IT budgets in 2006, up from less than 5% in 2004, according to the Gartner Group. And in some cases, increased budget allocations for SOX compliance are interfering with spending in other areas.

"Projects that were not aligned with compliance and corporate governance were delayed or cancelled, and SOX efforts inhibited the purchase of large amounts of software related to building new technologies and deploying new projects," says French Caldwell, research vice president for Gartner.

But there may be a silver lining in the SOX cloud: Smart CIOs are viewing SOX compliance as a tool to drive business integrity and operational efficiency, says Paul Hamerman, vice president of enterprise applications research at Forrester Research. That is especially true of section 404, which requires evaluating and documenting internal controls used in putting together financial reports.

"After examining their controls, most companies found that their business applications were too fragmented and business processes were not consistent across operating units," Hamerman says. This realization is prompting many companies to invest in long-overdue upgrades to accounting and financial reporting systems. "Making transactional systems and process improvements will support a more manageable controls environment, and it will lead to better internal efficiency," he adds.

The first round of SOX audits began last year, as the first companies affected filed their required financial reports with the U.S. Securities and Exchange Commission. As the second round of audits begins, savvy CIOs will take a more mature view of the ongoing process, using technology to automate the control and reporting process, fine-tune the process to focus on areas of risk, and find an approach to compliance that is sustainable.

  • Use software to automate the process. In the first round of SOX compliance efforts, companies relied on tools they had available, such as spreadsheets or workflow tools, because software designed to automate the process either hadn't been developed or wasn't established. But software tools are maturing now. "2006 will be the year of acceleration for software tools to continuously monitor and automate controls," Hamerman says. "Companies will adopt these tools to detect errors, monitor transactional integrity, and prevent fraudulent or unauthorized activities." Efforts should not stop at or be limited to SOX, however. "Companies should look for solutions to support multiple regulations and multiple business units," says Tom Eid, research vice president for Gartner.
  • Narrow down the controls monitored. In the first year, companies didn't know which processes and controls would be audited. Experts recommend fine-tuning the approach to focus on risks. Rather than taking an exhaustive approach and monitoring everything, focus on controls in areas that have a direct effect on financial reporting. In addition, learn from the past and pay strict attention to the controls the auditors focused on in the first round of auditing. In other words, decide which controls matter and don't waste time on the ones that don't.
  • Find an approach that's sustainable. The SOX compliance audit will happen for the foreseeable future, unless laws change. Start figuring out how to make compliance efforts sustainable. Besides using software to automate the process, create a set of policies and procedures to follow to repeat the process next year and the year after that. In addition, set up an internal team to oversee the process and work with outside consultants if you are using them.

SOX compliance efforts are not going away. Experts advise approaching compliance as an ongoing process, one that will continue to drive efforts to align technology with business goals. The bottom line: SOX is forcing CIOs to keep larger business goals in mind with every IT project and effort they undertake.

Jodi Mardesich writes about business and technology. Her writing has appeared in The New York Times, Fortune, San Jose Mercury News, Salon, Slate, and Yoga Journal.
