Think Sarbanes Oxley extension changes things? Think again

Is it déjà vu all over again?

Some IT folks are comparing Sarbanes Oxley Act (SOX) regulation compliance to the Y2K computer craze. In both cases IT departments have been overwhelmed by the complexity and costs of multiple systems changes. And with loads of other business priorities being temporarily shoved aside for companies locked in both Y2K and SOX mania, the tradeoffs have been profound.

But that's where the similarities end. CIOs knew within minutes after midnight on Jan. 1, 2000, if all their Y2K work had paid off. In contrast, parts of the SOX legislation are so vague that 32% of IT workers and 53% of board directors, recently surveyed by Foote Partners, seriously doubt whether their companies would -- or even could -- have been compliant by the end of their fiscal year. The federal government has now pushed the Nov. 15, 2004, deadline to 2005. Another big difference: There will be substantial annual SOX-related compliance costs for many years to come, absent in the case of Y2K.

To shed some light on what comes next for the IT department once the SOX deadline arrives, my firm queried 197 business and IT executives and board directors, representing a cross section of public companies of various industries and sizes. Here are highlights from what we heard:

Small and midsize companies will continue to suffer the most.

The provision governing internal auditing, known as Section 404, is proving far more burdensome and expensive than originally expected, especially for small to medium-sized businesses. Many of these SMBs reported they had been devoting as much as 25% of their IT department resources and 30% to 40% of their technology executive's time to SOX compliance in the past year. The consensus is that a substantial burden will be felt at least until the first few SEC audits. Moreover, the cost of just being a public company is expected to rise more than 90% because of SOX and other governance reforms, resulting in increased accounting expenditures, board compensation, directors' and officers' insurance, and legal services. An interesting factoid: In the 16 months after SOX legislation was enacted, according to accounting firm Grant Thornton International, there was a 30% increase in public companies going private.

The definition of internal controls will continue to expand, increasing complexity.

For many companies facing SOX regulation, initial systems assessments uncovered inadequate, poorly documented controls requiring massive overhauls, often a huge expense. As management and boards have gotten their arms around SOX and begun understanding how broadly internal controls reach and how far they need to go, they have been significantly expanding their conception of what Section 404 compliance entails. It's become apparent that a broader control environment of management, internal audit and information systems is necessary -- one that encompasses a vast array of financial, operations and IT processes. Depending on how deep the SEC digs in on enforcement, this is expected to significantly intensify SOX efforts and costs for the next few years.

SOX spending will continue.

AMR Research reports that SOX compliance spending will reach $5 billion to $6 billion by the end of 2004. Big companies like General Electric will spend $30 million on SOX this year alone, while most Fortune 100 companies have been spending less than $3 million per year on the IT-related portion of compliance initiatives. SOX-related expenses are expected to decline somewhat, with those interviewed expecting financial regulatory compliance budgets to total $7 million to $8 million annually going forward, approximately one-third devoted to IT activities.

There will be a flood of pent-up project work.

Many companies report that they had been freezing planned upgrades and enhancements and postponing important projects right up to the old deadline, directing resources instead to SOX compliance. With the extension, the question now becomes whether companies should continue to force delays or cancel projects outright. You can be certain that a lot of pent-up work will hit in the first half of 2006, because approximately 40% of corporations end their fiscal year on Dec. 31.

Section 409 likely to add to IT's burden.

Section 409 also takes effect on Nov. 15, requiring real-time disclosure of material events that may impact the financial results of the business. Businesses will need to focus more on the recognition, analysis and communication of activities. This will no doubt create extra work for IT departments by affecting the deployment of technologies to address areas such as exceptional financial variances; winning or losing major projects; revenue recognition events; initiation or termination of significant agreements or customer relationships; new investments or termination of funding; and large deferred expense or revenue items.

Overseas business relationships will become harder to manage.

Companies with U.S. headquarters must ensure that all foreign outposts meet federal standards. SOX compliance by overseas vendors or business partners -- more at issue than ever due to the enormous popularity of offshore outsourcing -- has amplified risks and complications. Equally daunting will be the enforcement of regulations for multiple organizations in a supply chain spanning numerous countries. U.S. companies cannot simply plead ignorance on how their overseas vendors manage important data. Instead, they will need to make certain that information flowing from third-party vendors has appropriate data controls, especially if it's incorporated in financials or rolled up in a balance sheet. Again, another complexity that will increase IT-related compliance costs.

Dramatic changes in the CIO, CFO and CEO relationships.

Some refer to SOX as the "revenge of the bean counters," that is, a power shift back to finance and accounting after years of IT-enabled productivity and supply chain activities driving many corporate decisions. Others point to Section 302's provisions on sub-certification of financial reports and other aspects of the legislation that appear to make CIOs (1) personally accountable for the accuracy and integrity of data flowing through systems and (2) more influential as leaders of internal controls initiatives that will keep their superiors out of jail (and perhaps even elevate CIOs to board-level representation on the audit committee). Regardless, Sarbanes-Oxley is arguably the greatest test yet of a CIO's standing within the enterprise, one that should bring CIOs into tighter alignment with mainstream business policy and practices and the senior executives responsible for them.

By enacting such tough legislation to make corporate activities more transparent to shareholders, the federal government has forever changed the way companies fundamentally operate. Many believe this will alter the fabric of corporate culture. It is certain to generate millions of dollars in fines and likely to send some executives to jail. The truth is, it will take time and numerous judicial tests to determine if 100% compliance with the law, as it is now written, is reasonably within any company's grasp.

David Foote is president and chief research officer of Foote Partners LLC, a research firm and management consultancy based in New Canaan, Conn. Foote has advised leading corporations and governments worldwide on information age management strategies for more than 20 years. Contact him at [email protected]