When the Sarbanes-Oxley Act (SOX) was originally passed in 2002, many companies were less than enthusiastic about it. Concerns about the additional accountability and the internal changes that would need to take place weighed heavily on the minds of many company executives. These concerns turned out to be well founded. Some companies struggled to make the deadlines, and others missed them completely. Reasons included the high cost and enormous effort involved. In some cases, department directives were even changed to focus on meeting compliance.
For example, an information security survey released by Ernst & Young in November found that over the 12 months prior, the main driving force for information security in 61 percent of firms surveyed was compliance rather than worms and viruses. However, as we approach year three, some companies have started to warm up to SOX as they begin to realize the advantages of implementing the required controls in their environment.
Changes in Attitude
The change in attitude toward SOX compliance comes as evidence of several benefits has surfaced. The typical IT department, in particular, has been greatly affected by the new regulations. Specifically, Section 404 requires affected companies to establish, maintain and assess adequate internal controls over financial reporting. The goal is to improve data integrity and reduce the risk of issuing incorrect or fraudulent financial reports. Because those controls are implemented in the systems that store and process financial data, responsibility for protecting that data has fallen primarily into the hands of IT staff.
Gartner Group recently reported that IT budgets in most major firms are expected to increase by between 10 and 15 percent this year, up from the 5 percent increase expected a year ago. Much of the spending is likely to be focused on streamlining the effort involved in compliance: system controls, auditing, process flow monitoring and automation, all of which have become prominent in meeting compliance.
A survey by CFO Research Services, Versa Systems and PricewaterhouseCoopers released in August found that automating the compliance and control environment was a priority for 76 percent of companies.
With the influx of dollars expected for their departments, IT managers can also use the opportunity to justify other projects that can potentially tie into compliance as well, such as e-mail archiving and storage management.
The net effect of investing in compliance on the bottom line cannot be ignored either. Upgrading reporting systems can improve testing, risk management and operational performance, as well as allow for better financial oversight in the environment. These improvements can lead to better forecasting and more efficient data retrieval by consolidating data from different sources for reporting purposes.
One illustration of these benefits is that almost half of the respondents in the CFO Research Services survey indicated that SOX efforts are helping them manage corporate risk more effectively.
Analyzing current processes and seeing what can be automated or eliminated altogether will help to reduce waste and allow a company to run more efficiently and save money. This could help an organization to be more competitive as well.
However, this is nothing new. Some financial companies reported discovering newfound efficiencies that led to significant cost reductions over Basel II compliance as well.
SOX compliance has helped make corporate ethics training more common within the corporate environment. According to a 2005 survey by the Ethics Resource Center, 69 percent of employees reported that ethics training in their organizations was up, as compared to 14 percent who said so in the same survey conducted in 2003.
Some companies have even hired ethics officers to help monitor and advise on good business practices, educate employees on ethical matters, and develop and implement a code of ethics for the company.
This is important because employees and stockholders need to see that top management is sincere about developing and supporting an ethical culture within the organization. With fraud and abuse costing U.S. companies over US$600 billion annually, this is as important as ever.
Improving data integrity and corporate responsibility can lead to other positive results, including new partnerships within the organization. Finance and IT departments historically have had little to do with each other. Since IT plays an important role in securing financial information, representatives from both areas have been able to work together on compliance and build relationships with the audit and legal departments. Part of this is due to necessity.
For controls to be effectively developed, documented and implemented, the different departments involved need to have a thorough understanding of the company’s financial reporting structure. This education can help lead to better collaboration on future projects and initiatives.
Granted, the cost of implementing these regulations will run into the billions of dollars. Some companies may feel that they are being punished for the sins of a few bad apples, but the affected companies will have stronger controls in place as a result of the effort.
Furthermore, whether it’s reexamining a department whose importance in the organization has been previously overlooked or streamlining business processes and improving stockholder confidence, the rewards for meeting SOX compliance will continue to materialize as time goes on.
Joe Malec is a security analyst for Enterprise Rent-A-Car, specializing in compliance and application security. He is the president of the St. Louis chapter of the Information Systems Audit and Control Association and serves on the ISSA International Ethics Committee.