Several IT managers have admitted that companies are
finding it hard to pinpoint the exact cost of complying with the
Sarbanes-Oxley Act in the US, because it is not a one-time event
like Y2k.
Eastman Chemical has not even tried to evaluate the IT costs
associated with its Sarbanes-Oxley Act compliance initiative,
because the work is viewed as "an ongoing effort", said Mark
Montgomery, director of administrative operations support and
technology systems.
Montgomery and other executives said Sarbanes-Oxley's
requirement that companies annually document and attest to the
effectiveness of their financial controls means compliance work
will have to be done on a continual basis.
"A lot of people have this mindset that it's a one-time
project," said Kyle Didier, vice president of finance at hair salon
company Regis, although he added that he expected Regis to test its
internal financial controls as an ongoing process, using software
called Certainty developed by Movaris.
Regis has been working on Sarbanes-Oxley readiness for the past
nine months and expects to complete the documentation and testing
phase by the end of December. Didier said the company expected to
spend slightly more than $100,000 on IT over the course of its
compliance effort. The figure includes both software and manpower
costs.
Meta Group analyst John Van Decker said most companies are
focusing on section 404 of the law, which spells out the
requirement that chief executive officers and chief financial
officers certify the effectiveness of the financial controls they
have in place.
Companies with market capitalisations of $75m or more have to
comply for financial years that end on or after 15 June 2004.
Smaller businesses and foreign-owned companies have until 15 April
2005.
Financial Executives International, an association of corporate
finance managers, surveyed its members last May on cost estimates
for complying with section 404. On average, the 83 respondents said
they expected to spend $480,000 on software, consulting services
and employee training in advance of the compliance deadlines.
Mark Nagelvoort, vice president and internal control manager at
Hudson United Bank., said the subsidiary of Hudson United Bancorp
expected its IT costs tied to Sarbanes-Oxley to come in at less
than $500,000, though he declined to be more specific.
That includes the bank's use of a software tool called SOXA
Accelerator from HandySoft Global, plus expenses for 10 IT staffers
who will spend between 5% and 10% of their time working on
preparing for Sarbanes-Oxley.
"We're saving significant dollars because we're using almost all
in-house personnel," Nagelvoort said, and, because the banking
industry is highly regulated, much of the information that Hudson
United needs has already been documented for internal and external
auditors.
AMR Research analyst John Hagerty estimated that Fortune 1,000
companies will spend about $2.5m on average on Sarbanes-Oxley work
this year. Technology costs represent just 5% to 10% of the overall
tab, Hagerty said, although that does not reflect the cost of
IT-related staff time being dedicated to compliance efforts.
Hagerty added that it was tough to pinpoint an average IT
spending figure for Sarbanes-Oxley "because it's influenced by
organisational and systems complexity".
For instance, a company with $5bn in annual revenue and highly
centralised business units and IT operations might spend $3m on
compliance, while a similar-sized, decentralised company could end
up spending $10m, he said.
Thomas Hoffman writes for Computerworld