Eric Nee: SOX in a Box

By Eric Nee  |  Posted 05-01-2004

It's no longer enough to run an honest business and make sure sound financial practices are in place. Now, with the deadlines for complying with the Sarbanes-Oxley Act looming ever closer, every public company, and many private ones as well, must institute complex controls over their entire financial process—controls that have to be devised, tested and routinely documented to the satisfaction of outside auditors and, ultimately, to the Securities and Exchange Commission.

Yes, there are potential benefits to all this work. Companies will end up with more standardized business processes, more timely financial reporting, and increased legitimacy in the eyes of investors. But it's unlikely that the amount of time and money companies spend on compliance will pay off in tangible benefits such as higher productivity, better products or increased revenues. It's a bit like trying to justify the expense of the NASA space program by pointing to Tang.

There is one group of companies, however, that seems to have fallen in love with Sarbanes-Oxley: the providers of enterprise software. And why not? At a time when IT spending on new enterprise applications is tepid, software vendors are viewing anything that helps them sell more software as good news. And Sarbanes-Oxley seems to offer the potential for just that.

Click on the home page of any number of software companies, and you're likely to see references to Sarbanes-Oxley software, Sarbanes-Oxley white papers and Sarbanes-Oxley press releases—all trumpeting the ways in which their particular product can bring businesses into compliance.

It should come as no surprise that software companies are trying to turn Sarbanes-Oxley to their own benefit. After all, that's what marketing and sales organizations do. But CIOs should look before they leap into these supposedly ready-made answers to all of their problems. Much of what is being hyped is actually little more than old products wrapped up in new packages. More often than not, the path to compliance is found in adjusting internal business processes and existing software, rather than in buying new packaged applications. "I've seen lots of vendors trying to get on the bandwagon and position whatever they had in the context of Sarbanes-Oxley," says Paul Hamerman, a vice president at Forrester Research.

Consider time, attendance and expense- reporting software. Everyone would agree that these packages can help large firms increase productivity, save money and make sure business processes and rules are implemented uniformly across the company. That's exactly why so many firms have already purchased these applications. For those firms, there is often little or no need to buy the new so-called Sarbanes-Oxley compliant versions of these same products.

But that hasn't stopped vendors of these products from trying to spin the problem their way. Take CyberShift, a developer of time and attendance software. Its Dec. 2, 2003, press release announced, "CyberShift Workforce Management Suite Helps CEOs Comply with Sarbanes-Oxley Financial Reporting Regulations." The release quotes CyberShift CEO Robert Farina as saying, "Accurately tracking employee time and attendance has a direct impact on an organization's bottom line and ensures reliable financial reporting and forecasting as mandated by Sarbanes-Oxley."

There are many reasons why time and attendance software is a good idea, but buying it to comply with Sarbanes-Oxley requirements has to be near the bottom of the list. There is nothing in the act that compels companies to change how they track the number of hours employees spend at work each day. And if a business does not already keep accurate time and attendance records for its employees, then it has bigger problems than trying to comply with Sarbanes-Oxley.

How about niche software categories such as "enterprise incentive management" software, which is designed to help companies manage their employee incentive plans? The logic appears to be that if a computer manages the incentive plan, then it must be free from bias and abuse. Callidus Software just introduced what it calls "the first EIM solution for Sarbanes-Oxley compliance." It provides "auditable records of changes to comp plans, covering when they were made, who provided the authorization and the like." Again, some companies might find this sort of software useful, but don't go out and buy it just to comply with Sarbanes-Oxley.

This isn't the first time the software industry has tried to capitalize on threats to the existing way of doing business. Corporations are still recovering from the tens of billions of dollars they spent, and in many cases wasted, buying software to keep from getting "Amazoned." And remember Y2K?

To their credit, CIOs appear to have learned a lesson from the dot-com bust. Despite the software industry's best efforts, compliance is not turning out to be the business boom that software vendors had hoped. John Hagerty, a vice president at AMR Research, estimates that businesses will spend just a shade more than $1 billion on software this year to comply with Sarbanes-Oxley.

A billion dollars may sound like a lot of money, but it is only a fraction of the estimated $4.3 billion businesses are expected to spend this year on outside consultants, and on their own workforce, to comply with Sarbanes-Oxley. Consider also that there are more than 11,000 publicly held companies in the U.S. Divide this $1 billion among all these companies, and it comes to less than $100,000 in additional software spending per company in 2004. That's what an average business would spend to field a good salesperson in a year.

Forrester estimates that in 2004, U.S. companies will spend a total of $195 billion on software, and $776 billion on all information technology combined. If spending on Sarbanes-Oxley software is $1 billion in 2004, that comes to just .005 percent of total software spending—what some might call a rounding error.

In fact, Sarbanes-Oxley is not really a category of software at all. Several surveys of CIOs, including one by this publication, show that companies plan to promote their Sarbanes-Oxley compliance by spending on a wide variety of software, including project management, security, customer relationship management, document management, financial reporting, database management and more. Companies should have purchased many of these applications, such as security and financial reporting, anyway. Yes, some of them, such as document management software, are needed specifically to help comply with Sarbanes-Oxley requirements, but spread that $1 billion in additional spending over all of the above software categories, and it's barely a blip on the radar.

When it comes right down to it, the primary challenge at most companies is to make sure every step of the process can be documented and audited, and that's not something that can easily be put in a box. "SOX is primarily a services play," says Hamerman. "The large audit firms are doing quite a bit of consulting work on compliance readiness, helping companies go through their internal controls."

Sarbanes-Oxley can best be described as a giant headache for the larger business community. But for the software industry as a whole, it is turning out to be, in the words of William Shakespeare, "Much Ado About Nothing."

Eric Nee, a longtime observer of Silicon Valley, has served in a variety of editorial positions at Forbes, Fortune and Upside magazines. His next column will appear in July.

Illustration by John Kascht