Sarbanes-Oxley, HIPAA compliance spending soars, AMR finds

By Linda Tucci, Senior News Writer 27 Apr 2005 | SearchCIO.com

Digg This!     StumbleUpon     Del.icio.us

Sarbanes-Oxley (SOX) programs topped the list for spending, accounting for 40% or $6.2 billion of the $15.5 billion, but the corporate reform law is not the only compliance issue eating into company budgets, the study found.

Compliance spending on the Health Insurance Portability and Accountability Act (HIPAA) is expected to exceed $3.7 billion, and account for 24% of total spending. Indeed, for just over 13% of the companies surveyed by AMR, HIPAA compliance is their largest spending category. These companies will spend an average $2.2 million on HIPAA in 2005.

They haven't given us back a sold figure -- but are basing it on having two full-time consultants on staff for four or five months. Dave Thompson vice president, information technology, Muzak

The Federal Drug Administration and U.S. Securities and Exchange Commission exact their price too, each sucking up about $1 billion in 2005. The survey, conducted in the fourth quarter 2004, polled 225 companies from around the globe.

So, just where is all that money going? Most of it's being spent on people -- internal staff and external consults. AMR reports that nearly two-thirds of compliance budgets are spent on compliance-related salaries and contracts.

That will likely prove true at Muzak, the South Carolina-based provider of music programming, the type played in some elevators and malls. Dave Thompson, vice president of information technology, says the privately held company is gearing up to make its first investment in compliance in 2006. Thompson has been talking to Policy Technologies International Inc. of Rexburg, Idaho about policy management software. The big bucks will go to the outside consultants.

"We'll probably use Jefferson Wells to help with compliance," Thompson said, referring to the Milwaukee professional services provider. "They haven't given us back a sold figure but are basing it on having two full-time consultants on staff for four or five months."

Although SOX and HIPAA account for the largest compliance expenditures in 2005, record keeping and training are demanding attention. Over half the companies cited document and record-keeping requirements as a current concern; 42% cited code of conduct and training.

Very few companies say their work is done on compliance. Nearly 70% of companies plan to add to or improve their compliance plans in 2005. In terms of budgeting, 92% of those surveyed said their budgets will stay the same or increase in 2005, with 44% reporting increased spending.

One consultant, John Verver, believes that technology must step up to the plate to help companies rein in costs.

"The amount of money companies have poured into assessing Sarbanes-Oxley is not sustainable in the long run," said Verver. "We see compliance spending increasing, but increasingly being spent on areas that provide payback. I think spending on consultants and third parties will decline and will be replaced by software."

Verver is vice president of professional services for ACL Services Ltd., a Vancouver software company that got its start by working with the big accounting firms.

When Sarbanes-Oxley came along, the company's software took on a "whole new value proposition," he said. ACL has developed a suite of products that continuously monitor transactions and identify those that fail control tests -- from duplicate payments to payroll inconsistencies.

Clients include the federal government, which uses ACL products to monitor procurement spending, as well as large multi-national companies.

ACL software for a single business area costs about $200,000. A full suite of software for all business process areas would come to about $1 million, an amount Verver claims compares favorably with the 0.5% to 1% error rates.

"They were running an ERP where the system was not meant to allow duplicate payments. We implemented a system that monitored across the ERP and found they were making payments both within the US and in Mexico."

Tags: Compliance strategies and best practices,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Compliance strategies and best practices Email archiving solutions and strategies for enterprise CIOs Miscues abounded in Boston email retention policy, practices Health care security, HIPAA compliance on deck for CIOs in Obama era Enterprise risk management solutions for CIOs Addressing compliance requirements in cloud computing contracts Avoiding gotchas of security tools and global data privacy laws Information security and IT governance guides for CIOs CIO turns to identity and access management to solve business problem Log management tool, SIM boxes combine to form security architecture Economic downturn hits IT budgets

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary GRC (governance, risk management and compliance) software  (SearchCIO.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary