The participants, who included 54 panelists and many other executives and association leaders who sent written statements, confirmed these were no urban legends.
Some complaints concerned IT: Lisa Soda, representing CIOs of American Petroleum Institute member companies, wrote that without guidance on computer controls from the SEC, "some companies may be required to do more to comply with SOX than others," partly because "different auditing firms were emphasizing different controls."
Frank Brod of Financial Executives International wrote that Section 404, which governs internal audit controls, was delaying the installation of systems. "The current rules make it impractical to add a new IT system late in the year, since many new software systems simply cannot be installed, tested and potential control issues remediated before year-end."
Even consultants weighed in: Leon Level, vice president and CFO of Computer Sciences Corp., noted that his company's clients were spending too much. "The resulting costs are wholly disproportionate to the benefits," he wrote, citing companies that had spent millions of dollars on data-center audits.
Businesspeople have complained about regulation since the time of the Code of Hammurabi. Yet the recent complaints over Sarbanes-Oxley leave no doubt that CIOs now face a regulatory environment that is more costly, more demanding and more confusing than ever. Sarbanes-Oxley is not the only offender.
The Health Insurance Portability and Accountability Act, the USA Patriot Act and many other recently enacted regulations also require attention, and companies are still learning how to comply. "Because they are new issues, it's difficult to understand how your peers are addressing the same challenges," says Scott Cohen, editor and publisher of the electronic newsletter Compliance Week.
The costs to corporate America of complying with a variety of government regulationsestimated by AMR Research Inc. to total $15.5 billion in 2005, of which $5.2 billion will be spent on ITcan be especially high for smaller companies.
"Smaller financial institutions and companies don't have the financial capabilities to just go out and spend $200,000 on e-mail archiving," says Jamie Yancy, chief technology officer of Legent Clearing, an Omaha, Neb., firm that clears trades for independent broker-dealers.
No wonder 46 percent of the respondents to this month's CIO Insight study on compliance say meeting regulations today is a greater burden than preparing systems for the Year 2000.CIOInsight.com Health Care Information Technology
Most Relevant Statistics:
This month's study investigates how the new regulatory environment is affecting companies and IT organizations. It follows up the results of a May 2004 CIO Insight-Gartner survey on Sarbanes-Oxley and examines the other recently enacted regulations CIOs face. In all, 270 IT executives participated in our survey. The good news: Four out of five IT executives believe their company is devoting enough resources to meet their obligations, and three out of five believe their company has compliance well under control.
The troubling part is that full compliance still eludes many organizations and many are struggling with their compliance processes. Achieving and maintaining compliance is soaking up IT resources; companies are devoting approximately 10 percent of their IT budgets and IT staff to regulatory compliance this year.
But despite these investments, fewer IT executives than last year now expect compliance with Sarbanes-Oxley will benefit their companies.
It seems likely that more companies will now simply do the minimum required to meet the letter of the law, rather than leverage their efforts to address the security, transparency and privacy concerns that underlie them.
This picture might be brighter a year or two from now.
SEC Chairman Donaldson has instructed his staff to consider improving the guidance provided to both auditors and managers. And as companies master the learning curve, they should improve their compliance processes. "The knowledge IT executives will have 18 months from now will be significantly more vast than what they have today," says Compliance Week's Cohen. But if CIOs are to help their companies achieve compliance effectively, then they must think of compliance as one of the central business issues they face, rather than as a distraction from their real work, as 65 percent of IT executives do.
Ultimately, compliance is not a technology issue; it's an alignment challenge. As Yancy says, "The IT talent base has never been regulation-focused; it's been IT-centric."
And CIOs might not like it when their company's chief compliance officer, or their finance and legal executives, weigh in on IT decisions and priorities.
But like it or not, as Yancy says, "It will now be the responsibility of the technologists to get outside their world and learn about the audit and compliance community."
"Fundamentally," says John Higbee, vice president, CIO and chief systems security officer of AvMed Health Plans in Miami, "companies need to realize that this is not just a bunch of government bureaucratic nonsense. A lot of what's written in there is just good business sense. If you look at it that way, you'll develop projects that will address the issues."