Who's Spending What on Sarbanes-Oxley
By Allan Alter | Posted 02-01-2004
In a classic comedy sketch, the late Dudley Moore asks a spectacularly inept restaurateur, played by Peter Cook, if he's learned from his mistakes as proprietor of The Frog and Peach. "I think I have, yes," Cook replies, "and I think I can probably repeat them almost perfectly."
Considering all that was spent on Y2K, might that also be said about today's executives when they're done dealing with the Sarbanes-Oxley Act of 2002 and other regulations? Sixty-one percent of respondents to our 2004 survey on IT spending say they plan to increase IT spending to meet regulatory requirements. Boston-based AMR Research Inc. estimates that U.S. public companies will spend $5.5 billion just to prepare for the new regulations in 2004, and there are plenty of vendors courting customers with Sarbanes offerings. "A lot of people see this as Y2K without an end date, and are using Sarbanes-Oxley to sell more services and technology, and they are trying to do it by scaring you," says Rich Mogull, research director with the information security and risk practice at Gartner Inc. Are they succeeding? How much are companies spending on compliance with Sarbanes, and just where is that money going?
Well, business consultants and auditors are certainly raking it in (the lion's share will go to them, by all estimates), but not, apparently, IT vendors. Estimates by AMR, Gartner Inc. and others of how much Sarbanes-related spending will go to IT fall between 8 and 30 percent. For example, Minneapolis-based Regis Corp., which owns or franchises nearly 10,000 hair salons, plans to spend between $200,000 and $300,000 on IT out of a $1 million budget for regulatory compliance, according to vice president of finance Kyle Didier. Knowles Electronics LLC, an Itasca, Ill., manufacturer, is setting aside $150,000 out of its $7 million IT budget for Sarbanes work, says vice president and CIO Randy Kjell. "Sarbanes-Oxley has not been the godsend the software industry was hoping for," says Deloitte Consulting LLC's Lee Dittmar, the Philadelphia-based coleader of its Sarbanes practice.
Maybe not, but analysts say some companies are spending as much as several million dollars on compliance. The big spenders aren't necessarily big companies, but rather the ones whose financial controls haven't kept up with expansion, are caught in the middle of a financial systems project, or need to invest in business continuity or security to ensure the integrity or availability of their data. "The real killers seem to be rapid growth, merger-and-acquisition activity, or complex, multiyear ERP-financial system projects," says Gartner's Mogull. Decentralized companies, and companies with a decentralized IT architecture, are also spending more than centralized corporations, says John Hagerty, a research vice president at AMR. The bill is also higher for companies that must cope with other regulations, rule-setters and reporting mechanisms besides Sarbanes-Oxley, including consumer-data-protection regulations such as the Gramm-Leach-Bliley Act and terrorist-fighting laws such as the USA Patriot Act.
Where's the money being spent? Most of Southern Co.'s IT budget for Sarbanes, says senior vice president and CIO Becky Blalock, is going toward internal labor as the energy company tightens controls, improves the documentation of its financial systems and assures the security of its data. Some of the money is going to upgrades: Kjell at Knowles is working with Oracle Corp. to identify how its E-Business Suite can be used to meet Sarbanes requirements.
Corporations are also purchasing documentation and process-management packages. Southern is using Deloitte's Risk Control Tracking System, a repository for tracking compliance risks, controls, tests and remediation efforts. For $100,000, Regis obtained Certainty, a corporate compliance-management application from Movaris Inc. of Cupertino, Calif., which sends e-mail to the appropriate staff when it's time to test its controls. New York City-based institutional broker-dealer Commerzbank Capital Markets Corp. (CCMC) has purchased an e-mail retention package from KVS plc, and a system from Prime Associates Inc. called Compliance Manager to prevent money laundering and to comply with other requirements of the U.S. Treasury Department's Office of Foreign Assets Control. The big-ticket items may be infrastructure investments such as servers, storage and networks to ensure companies can back up and recover data. Such investments, which can cost over $1 million, are being made by large companies, particularly financial institutions, says Michael Croy, director of business continuity solutions at Forsythe Solutions Group Inc., a Skokie, Ill., consulting firm.
Not surprisingly, most companies would like to generate business value beyond keeping executives out of jail. Managers at Regis are looking to operate more efficiently, says Didier. Management at CCMC is considering how they can improve customer satisfaction, now that its trade information is in one data warehouse. In the words of one business executive AMR's Hagerty surveyed: "If I have to pay to comply, I want ROI."