IT executives at some midsized organizations have grown tired of hearing the word "compliance."
That's because the ongoing drive to get into and maintain compliance with the Sarbanes-Oxley Act is straining IT budgets, causing major projects to be put on hold, and just plain taking a whole lot of time and effort.
These harried executives do concede that, in the long term, the new technologies and methods they're implementing as a result of regulation will be good for business. But for now, they're fed up with things like remediation, long SOX-related meetings, and perhaps most of all, the seemingly endless process of documenting, well, processes.
"Basically, for the last three months we've done nothing [else]. It's been a grinding halt on every project," said Bob Denis, CIO of Trimble Navigation Ltd., a Sunnyvale, Calif.-based vendor of global positioning systems and related equipment. "All we're doing is keeping the lights on and the systems going and the only other priority is Sarbanes-Oxley."
Enacted in response to financial scandals at Enron and WorldCom, the Sarbanes-Oxley Act is designed to keep shareholders and the general public protected from accounting errors and fraudulent practices. The act is administered by the Securities and Exchange Commission. SOX is mandatory for most U.S. public corporations and their subsidiaries worldwide.
Section 404 of SOX, which mandates that controls be placed on corporate data and that independent auditors sign off on those protections, seems to be causing the most headaches in the IT world.
SOX is also costing companies a great deal of money. A newly released study from AMR Research Inc. finds that overall Sarbanes-Oxley compliance spending will grow to $5.8 billion in 2005. The tech portion of that will hit $1.62 billion in 2005, a 43% increase over 2004, according to the report.
"I would say that, in a nutshell, the most tedious part of Sarbanes-Oxley is change control," said Marc Masnik, IT manager at TIBCO Software, a growing maker of business integration software in Palo Alto, Calif.
In the past, Masnik explained, changing an aspect of an organization's IT infrastructure was a fairly simple matter of making sure that the adjustment was in line with the policies and procedures of the company, and getting the go-ahead from upper management.
But with the advent of Sarbanes-Oxley, any change even remotely connected to the financial systems or general ledger of a company has to be clearly justified, documented and tightly managed for potential scrutiny by auditors.
"You've got to be able to document and show exactly what, when and how you changed anything," Masnik said. "You end up with this mountain of paperwork around change control."
At Trimble, the drive to get into compliance with SOX is nearly completed. But getting to this point wasn't easy, Denis said, largely because the midsized company has a limited IT staff.
"As in most midsized companies, we are very regulated by Sarbanes-Oxley, but we do not have the personnel or the money to throw at it that the large organizations have," Denis said.
Now that Denis' compliance effort is nearly completed, what advice does he have for companies that are further behind in the process?
"The advice would almost be to move to another country," Denis quipped.
But more seriously, Denis said it's important to find the right consultants, and to budget enough time and enough money to get the job done properly. He estimates that the proper amount to budget is probably between 0.5% and 1% of a company's annual revenue.
Despite the pain of becoming compliant, the IT pros agree that the work they've done will ultimately improve their organizations. And it's important, they said, to keep that in mind throughout the compliance process.
"I think what [SOX] has really done is really firmed up the processes around changes, around rights and restrictions, and around different IT assets," said TIBCO's Masnik. "To make the process successful, the CIO and upper management really have to sell the vision that this is ultimately going to make your organization better."