Users struggle with IT compliance costs

Several IT managers have admitted that companies are finding it hard to pinpoint the exact cost of complying with the...

Several IT managers have admitted that companies are finding it hard to pinpoint the exact cost of complying with the Sarbanes-Oxley Act in the US, because it is not a one-time event like Y2k.

Eastman Chemical has not even tried to evaluate the IT costs associated with its Sarbanes-Oxley Act compliance initiative, because the work is viewed as "an ongoing effort", said Mark Montgomery, director of administrative operations support and technology systems.

Montgomery and other executives said Sarbanes-Oxley's requirement that companies annually document and attest to the effectiveness of their financial controls means compliance work will have to be done on a continual basis.

"A lot of people have this mindset that it's a one-time project," said Kyle Didier, vice president of finance at hair salon company Regis, although he added that he expected Regis to test its internal financial controls as an ongoing process, using software called Certainty developed by Movaris.

Regis has been working on Sarbanes-Oxley readiness for the past nine months and expects to complete the documentation and testing phase by the end of December. Didier said the company expected to spend slightly more than $100,000 on IT over the course of its compliance effort. The figure includes both software and manpower costs.

Meta Group analyst John Van Decker said most companies are focusing on section 404 of the law, which spells out the requirement that chief executive officers and chief financial officers certify the effectiveness of the financial controls they have in place.

Companies with market capitalisations of $75m or more have to comply for financial years that end on or after 15 June 2004. Smaller businesses and foreign-owned companies have until 15 April 2005.

Financial Executives International, an association of corporate finance managers, surveyed its members last May on cost estimates for complying with section 404. On average, the 83 respondents said they expected to spend $480,000 on software, consulting services and employee training in advance of the compliance deadlines.

Mark Nagelvoort, vice president and internal control manager at Hudson United Bank., said the subsidiary of Hudson United Bancorp expected its IT costs tied to Sarbanes-Oxley to come in at less than $500,000, though he declined to be more specific.

That includes the bank's use of a software tool called SOXA Accelerator from HandySoft Global, plus expenses for 10 IT staffers who will spend between 5% and 10% of their time working on preparing for Sarbanes-Oxley.

"We're saving significant dollars because we're using almost all in-house personnel," Nagelvoort said, and, because the banking industry is highly regulated, much of the information that Hudson United needs has already been documented for internal and external auditors.

AMR Research analyst John Hagerty estimated that Fortune 1,000 companies will spend about $2.5m on average on Sarbanes-Oxley work this year. Technology costs represent just 5% to 10% of the overall tab, Hagerty said, although that does not reflect the cost of IT-related staff time being dedicated to compliance efforts.

Hagerty added that it was tough to pinpoint an average IT spending figure for Sarbanes-Oxley "because it's influenced by organisational and systems complexity".

For instance, a company with $5bn in annual revenue and highly centralised business units and IT operations might spend $3m on compliance, while a similar-sized, decentralised company could end up spending $10m, he said.

Thomas Hoffman writes for Computerworld

Read more on Business applications

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.