Compliance has been a moving target, and costs have piled up early and often.
It was January 2004, and Bob Travatello, CIO of Blue Rhino Corp., the largest independent supplier of propane gas cylinder exchange for backyard grills in the United States, was feeling upbeat as he chatted with CIO Insight about his company's aggressive dive into compliance with the Sarbanes-Oxley Act of 2002 ("Better Safe Than Sorry," CIO Insight, February 2004).
With the deadline looming six months ahead, the Winston-Salem, N.C.-based company had substantially slowed its business processes in order to make compliance a top priority. Travatello was confident, even cocky, about his company's preparedness. Because it had acted quickly after the law was passed, he said, Blue Rhino was well on its way to compliance and expected no negative financial impact on the business. "I'm not sure that every company is taking it as seriously as we are," he said.
Fast forward about 18 months and Travatello is considerably less cheery. A lack of clarity around the scope of the law has led to massive overspending at virtually every publicly traded company in the United States. And Blue Rhino, now a division of Overland, Kan.-based Ferrellgas Partners Ltd., has spent the past six months in the testing and remediation phase of its Sarbanes-Oxley efforts, far longer than the company expected. Travatello is sick to death of auditors. "I see them in my sleep now," he said.
On top of that, the hope that SarbOx compliance would somehow result in a more efficient operation throughout the company has gone by the boards. "I thought SOX was going to help us, but it's only hurt our bottom line," Travatello said. Although he can't disclose actual figures, Ferrellgas's 2004 annual report is very telling. Net earnings dropped to $28.6 million from $56.7 million in 2003, and its stock price is down slightly since April 2004, when Blue Rhino was acquired. Though the slump can't be attributed entirely to SarbOx costs, "I don't think I can look a shareholder in the face and say the amount of money we've spent [on SarbOx] was worth it," Travatello said.
Of course, complaining about federal regulation is corporate America's national pastime. And there are, in fact, examples of companies that have seen business benefits to Sarbanes-Oxley compliance above and beyond avoiding jail.
As painful as it's been, SarbOx does seem to have some upside. Companies are reporting that their efforts have helped them weed out fraud, improve security and optimize business practices. Even Travatello admits that having to slow down business processes forces the company to think harder about the risks it is taking.
"We trust our people, but on some projects that deal with major systems, it's good to have different sets of eyes. And we feel better that we are doing the right thing," he said.
The one thing all companies agree on is the need to reduce the costs of compliance. Companies have two choices when it comes to their second year of compliance, and neither is pretty: They can continue to rely on their audit teams, or they can look to the already strapped-for-cash IT department to buy software that effectively manages compliance. Both options can lead to enormous cost overruns if not managed properly. The question is, which is the lesser of two evils?
"IT is the only way to bring these costs down," said Bob Tillman, director of public affairs for ARMA International, a trade group in Lenexa, Kan., for records managers. "You can't have auditors with their green eyeshades going over every line."
But software vendors have their own drawbacks, said Ted Frank, who leads the Open Compliance and Ethics Group's Technology Council and is also president of Axentis Inc. in Warrensville Heights, Ohio, which offers hosted SarbOx solutions. "Everywhere you turn, there's another compliance solution. It's terribly confusing."