

- MCSE Magazine -


 

 

 
 

You'll Have to Spend to Attain Sarbanes-Oxley Compliance

 
 


By Christian Bartsch
Based on Gartner Research Results



 
 

Large and midsize enterprises will spend $2 million through 2005 to become compliant with Sarbanes-Oxley legislation. Smart enterprises will use that money to build the beginnings of a compliance platform. Understand how to go about building a strategic compliance platform to meet ever-increasing and shifting regulatory demands.

What You Need to Know

Public companies with more than a billion dollars of revenue can expect to spend $2 million to become compliant with the basics of the Sarbanes-Oxley Act. IT directors should request at least 20 percent of the overall Sarbanes-Oxley budget in 2004.

Analysis

Strategic Planning Assumptions
Fortune 1000 firms will allocate at least $2 million for Sarbanes-Oxley compliance through 2005 (0.9 probability).
Audit firms will capture 50 percent to 75 percent of corporate spending on Sarbanes-Oxley between September 2003 and July 2004 (0.8 probability).
Enterprises that don’t have internal process controls documentation for Sarbanes-Oxley compliance complete by YE03 will miss the July 2004 deadline for full compliance (0.8 probability).
Enterprises that choose one-off solutions to each regulatory challenge that they face will spend 10 times more on compliance projects than their counterparts that take action in advance (0.9 probability).

There are six categories of spending that will be required for compliance to the U.S. Public Company Accounting Reform and Investor Protection Act of 2002 (the Sarbanes-Oxley Act):

  1. Additional auditing fees — Expect auditing fees to rise 35 percent to 50 percent.
  2. Personnel costs — Hiring compliance officers and replacing financial personnel who must now devote all or part of their time to serving on internal audit or disclosure committees.
  3. Additional insurance costs for board members and other personal and group liability — One survey estimated that the insurance costs for a listed company would double.
  4. Internal process documentation, implementation or process remediation — Expect to spend at least $1 million. This can be considered a midsize application development effort for which there will be a one-off cost in internal or external spending, or a combination of both.
  5. Training — Some of your training budget will be spent with auditors, focusing on the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework (see Note 1). The rest will be internal training on established or new controls processes.
  6. System enhancements or new system purchase? System documentation is the least amount of effort that you will have to expend. Some remedial training may also be necessary. New system implementation, especially e-mail or records management, will be necessary in 50 percent to 75 percent of enterprises in the first year.

Notes on COSO

COSO is a voluntary private sector initiative dedicated to improving financial reporting in companies. It has made a series of recommendations to improve financial reporting, the most significant of which are the COSO Risk Management Framework and the Internal Control — Integrated Framework. These documents are being used by auditors to define standards for enterprises to aspire to when doing financial compliance work.


At this point, it is difficult to give precise estimates of the cost of Sarbanes-Oxley compliance, but enterprises with more than $1 billion in revenue will spend an average of $2 million between now and the deadline of 2004. Gartner research on this topic is ongoing. Our original estimates were based on the six categories we list here. Subsequent readings of Sarbanes-Oxley spending surveys have yielded data showing that enterprises are spending from less than $10,000 at the low end to more than $4 million at the high end.

The average for a Global 2000 company or one with revenue of more than $1 billion is in keeping with our estimate of $2 million. Fortune 1000 firms should allocate at least $2 million for Sarbanes-Oxley compliance through 2005. Initially, much of this spending will be on audit firms, which will capture 50 percent to 75 percent of corporate spending on Sarbanes-Oxley between now and July 2004 (0.8 probability).

This spending will change as shown in Figure 1.

 

 
 

Initially, spending will be heavily weighted toward external advice, especially from auditors.

This phase is already well under way or complete in most enterprises. Another component of this spending phase is purchasing additional insurance for board members and hiring new personnel, such as compliance officers.

The spending focus will shift to documenting internal processes, training or retraining those involved in the compliance processes and process remediation. We expect that this phase should be complete, at the latest, by 1Q of 2004. The final phase of spending will be focused on purchasing new software or making changes to systems already in place, and testing those changes against the process controls.


Figure 1. Sarbanes-Oxley Compliance Costs (Source: Gartner Research, September 2003)

 
 

You will go through three phases of Sarbanes-Oxley compliance exercises. During the first phase, collect information on current systems and control structures, and ask the following questions in great detail:

  • How do your project methodologies deal with change?
  • Who is accountable?
  • What are the control activities?
  • Are the control activities documented?
  • How will we demonstrate ongoing compliance?


This is a job for internal task forces, which should include finance, IS departments, internal auditors, compliance specialists, security specialists and legal counsel. This phase is also the most important one in which to involve external audit firms to supply benchmarks, interpretation, frameworks and education, especially on the COSO framework. This phase should already be well under way or complete. Companies that don’t have the internal process controls documentation for Sarbanes-Oxley compliance complete by 4Q of 2003 will miss the deadline (0.8 probability). At this point, it is best to hire external consultants to help you understand the regulations. This advice can be easily obtained from your auditors, who run courses on the COSO framework and its IT implications.

In the second phase, ask what gaps exist and how they can be filled.

Compare your company to the IT-relevant portion of the COSO and other benchmarks/frameworks, evaluate any vendor offerings that are relevant to your organization and define the gap requirements. Look to industry peers, consultancies, audit firms, IT vendors and independent advisory firms that are not selling specific products for advice and counsel.

Phase three is the remediation and implementation phase, which will commence for most companies in 4Q03 or 1Q04. During this phase, which is the most specific for IT, you should:

  1. Sketch strategic architecture
  2. Buy and implement point solutions
  3. Document requirements process for corporate performance management
  4. Beware of firms that sell advice and software, or that recommend systems that they also implement.

Specific IT Spending Advice

How much will compliance cost and how long will it take? It is difficult to know precisely, because companies begin in such different places. The important variables are:

  • How well audit processes are documented at the present time
  • How well-equipped the company is with the requisite technologies that can be adapted to solve the problem


In a recent survey by Gartner to which 75 companies responded, estimated Sarbanes-Oxley spending in 2004 will vary widely, from $15,000 to $4 million. Most respondents reported that they did not have an official budget for Sarbanes-Oxley compliance. When asked how the money is being spent, the respondents reported that 30 percent is being spent on auditing, 25 percent on consulting and 25 percent on personnel. The remaining 20 percent was not accounted for, but this is the portion of the budget that will be allocated to software.

Enterprises with established document, records and process management systems will need to spend money on additional licenses and application development. Those lacking process and document control software will need to purchase some by YE05. Internal costs to document current processes and fill the gaps, define user requirements for applications and purchase additional outside expertise will dwarf the actual cost of software licenses.

IS organization directors should be aware of these competing and shifting priorities. We recommend that IT budgets comprise 20 percent of funds budgeted for Sarbanes-Oxley compliance. This will cover the cost of purchase or development of applications. We expect the spending to take place during the next two years, with software purchases being deferred until late in the process (some spending will not take place until near or after the initial July 2004 deadlines). IS organizations should be involved in the budgeting process from the beginning and make the finance department aware of any technology gaps.

It is a challenge to balance tactical demand against strategic goals, and to service short-term business needs while not creating future infrastructure integration problems and deeper application silos. Various solutions are being implemented by enterprises in an effort to manage e-mail data. Operational problems tend to focus on tactical solutions, while the more-strategic solutions apply to business problems. However, none of the solutions is complete, partly because infrastructures and business are constantly evolving. In many cases, it may be necessary to adopt a "quick and dirty" solution to meet deadlines. Avoid committing too much time, effort or data to it. Many systems that were supposed to be stopgaps in many areas are still in place, consuming time and resources and standing in the way of a coherent architectural strategy.

Compliance architectures support corporate performance management. Corporate performance management includes processes used to manage performance (such as strategy formulation, budgeting and forecasting), the methodologies that may drive some of the processes (such as the Balanced Scorecard or value-based management), and the metrics used to measure performance against strategic and operational performance goals, as well as the needed technologies, such as business intelligence and business process management. There is no single or correct combination of processes, methodologies and metrics.

Corporate performance management suites are fairly narrow in scope — they mainly focus on budgeting, planning, consolidation and scorecarding. During the next two years, they will increase their scope beyond finance, allowing users to choose from a range of processes and methodologies that work together in an integrated manner using a combination of user-defined and predefined metrics. Other application types will also play a role, significantly in content and process management, along with collaboration tools.

Keep the strategic compliance platform in mind to help you target spending to meet ever-increasing and shifting regulatory demands. Enterprises that choose one-off solutions to each regulatory challenge that they face will spend 10 times more on compliance projects than their counterparts that take action in advance (0.9 probability).

Key Issue to Be Discussed in Future Articles:


How will the legal and regulatory framework evolve to reflect the economy's and society's dependence on IT?

 
     


 

 

 

 

 



 ©2001-2007 MCSE Magazine - All Rights Reserved Terms of Use