Large and midsize enterprises will spend $2 million through 2005 to become compliant with Sarbanes-Oxley legislation. Smart enterprises will use that money to build the beginnings of a compliance platform. Understand how to go about building a strategic compliance platform to meet ever-increasing and shifting regulatory demands.
What You Need to Know
Public companies with more than a billion dollars of revenue can expect to spend $2 million to become compliant with the basics of the Sarbanes-Oxley Act. IT directors should request at least 20 percent of the overall Sarbanes-Oxley budget in 2004.
Analysis
Strategic Planning Assumptions
- Fortune 1000 firms will allocate at least $2 million for Sarbanes-Oxley compliance through 2005 (0.9 probability).
Audit firms will capture 50 percent to 75 percent of corporate spending on Sarbanes-Oxley between September 2003 and July 2004 (0.8 probability). - Enterprises that don’t have internal process controls documentation for Sarbanes-Oxley compliance complete by YE03 will miss the July 2004 deadline for full compliance (0.8 probability).
- Enterprises that choose one-off solutions to each regulatory challenge that they face will spend 10 times more on compliance projects than their counterparts that take action in advance (0.9 probability).
There are six categories of spending that will be required for compliance to the U.S. Public Company Accounting Reform and Investor Protection Act of 2002 (the Sarbanes-Oxley Act):
- Additional auditing fees — Expect auditing fees to rise 35 percent to 50 percent.
- Personnel costs — Hiring compliance officers and replacing financial personnel who must now devote all or part of their time to serving on internal audit or disclosure committees.
- Additional insurance costs for board members and other personal and group liability — One survey estimated that the insurance costs for a listed company would double.
- Internal process documentation, implementation or process remediation — Expect to spend at least $1 million. This can be considered a midsize application development effort for which there will be a one-off cost in internal or external spending, or a combination of both.
- Training — Some of your training budget will be spent with auditors, focusing on the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework (see Note 1). The rest will be internal training on established or new controls processes.
Notes on COSO
COSO is a voluntary private sector initiative dedicated to improving financial reporting in companies. It has made a series of recommendations to improve financial reporting, the most significant of which are the COSO Risk Management Framework and the Internal Control — Integrated Framework. These documents are being used by auditors to define standards for enterprises to aspire to when doing financial compliance work.
System enhancements or new system purchase? System documentation is the least amount of effort that you will have to expend. Some remedial training may also be necessary. New system implementation, especially e-mail or records management, will be necessary in 50 percent to 75 percent of enterprises in the first year.
At this point, it is difficult to give precise estimates of the cost of Sarbanes-Oxley compliance, but enterprises with more than $1 billion in revenue will spend an average of $2 million between now and the deadline of 2004. Gartner research on this topic is ongoing. Our original estimates were based on the six categories we list here. Subsequent reading of Sarbanes-Oxley spending surveys have yielded data to show that enterprises are spending less than $10,000 at the low end to more than $4 million on the high end.
The average for a Global 2000 company or one with revenue of more than $1 billion is in keeping with our estimate of $2 million. Fortune 1000 firms should allocate at least $2 million for Sarbanes-Oxley compliance through 2005. Initially, much of this spending will be on audit firms, which will capture 50 percent to 75 percent of corporate spending on Sarbanes-Oxley between now and July 2004 (0.8 probability).