Overspending is the norm, leaving lots of room for improvement.
The cost of complying with Sarbanes-Oxley in 2004 was roughly 30 percent higher than companies estimated. But a high compliance bill is nothing new for U.S. companies, many of which already adhere to a slew of regulations. According to a 2001 U.S. government report entitled "The Impact of Regulatory Costs on Small Firms," companies spent roughly $800 billion annually on federal compliance issues before Sarbanes-Oxley was even drafted.
So why weren't companies better prepared for the new law? "It implies that proper auditing wasn't really being done before," said Lane Leskela, an analyst at Gartner Inc. "If auditors had been doing significant deep audits for the past few years instead of merely genuflecting over the numbers, would we have seen this escalation of costs for SarbOx? We have a huge gap in the willingness to enforce a lot of the laws already on the books." That, of course, is the very problem that Sarbanes-Oxley is meant to solve.
Compounding the catch-up costs is the fact that the Securities and Exchange Commission has provided little leadership over exactly what the scope of SarbOx should be, and as a result, "the audit firms have jumped in and decided what they want," Tillman of ARMA said. "The CEO doesn't want to go to jail, so he says, 'Pay the auditor.' It's a recipe for disaster."
Because internal and external audit teams have different definitions of compliance, and different methodologies for achieving it, a costly and time-consuming tug-of-war ensues. "Auditor A does it one way, auditor B does it another, and they will never admit the other is right, because then the billable hours go down," Blue Rhino's Travatello said.
According to Financial Executives International, an association for accounting and finance professionals, companies spent more than half of the money that went toward SarbOx on auditors: $2 million on average. Gartner estimates that audit fees are up as much as 35 percent from a year ago.
As it turns out, those who sat back and waited to see how SarbOx would develop have fared better, and spent less, than those, like Blue Rhino, that charged ahead. "In retrospect, the minimalist approach at the onset of SOX was more acceptable than we thought it would be," said John Hagerty, a vice president at AMR Research.