
Compliance investment offers SMBs big benefits

By David Luft
29 Sep 2005 | SearchCIO.com




Following the Enron and WorldCom scandals in 2002, the government introduced the Sarbanes-Oxley Act (SOX) and other governance laws concerning financial and reporting practices, data protection and privacy for large and small publicly held companies. However, SOX can also affect privately held companies that are planning to go public, grow in revenue or be acquired. Small and medium-sized businesses (SMBs) that do business and partner with public firms governed by SOX are often required by their larger business partners to demonstrate SOX compliance.

A 2005 study by Foley & Lardner LLP on the impact of SOX on private companies showed that SOX had already affected 87% of firms queried. And 78% had voluntarily imposed reforms on themselves, mainly because their boards of directors, auditors, customers, lenders or insurance providers insisted they do so.

SOX compliance requirements range from tighter audit controls outlined in Section 404 to mandatory certification of relevant financial reports by the CEO and CFO. Section 404 was created to ensure accurate financial reporting and fraud protection. It requires companies to report on the state of their internal controls. But Section 404's inherent ambiguity made it the most complex and expensive part of SOX, as companies resorted to manual methods to achieve compliance.

Many SMBs complained about excessive costs incurred specifically by Section 404. Foley & Lardner's study showed the cost of being public increased 33% for SMBs in 2004, with Section 404 audit fees leading the cost increase. The cost of Section 404 compliance is one of the main reasons the SEC recently extended the date for SMBs to comply with Section 404 to July 15, 2007.

The cost of compliance with SOX for SMBs is significant. A portion of the cost may be associated with an investment in the IT infrastructure and services, among other costs. But whether it's a public SMB complying for legal reasons or a private SMB complying with SOX to continue to do business with its publicly held partners and customers, the investment benefits also affect business operations and the bottom line.

Here are some of the business benefits to investing in SOX compliance:

  • Your company's financial and operational data will be available in real time to you, other decision makers and your auditors.
  • Financial processes will be streamlined, reducing the chance of error in your company's financial information. This makes your business more attractive to potential customers, especially to larger companies with which you would like to do business and partner.
  • You'll create a better audit trail and reduce auditing costs because data can be more easily tracked. Despite the extra effort required to create SOX-compliant processes initially, this will significantly increase the finance staff's productivity going forward.
  • Your business will be far more resilient to disasters, natural and otherwise, because of improved records retention and data recovery mechanisms.
  • Your company will enjoy lower fraud risks and hopefully reduced insurance premiums because security issues have been dealt with, and unauthorized data access has been made more difficult.
  • Your business processes will become more efficient and your controls will work better as you standardize reports, automate manual activities, and consolidate or eliminate redundant workflows.
  • Your business will be able to respond more quickly to market opportunities and challenges because of the more accurate information at your fingertips.
  • You'll avoid legal and competitive liabilities associated with violating the privacy rights of customers and employees.

In the end, there are still pending changes to definitions and requirements for SMBs when it comes to SOX compliance, but as deadlines are delayed and classifications are evaluated, SMBs should look for the operational and business benefits they will realize by complying with SOX.

David Luft is senior vice president for product development for Computer Associates International Inc.'s SMB Program Office. This column originally appeared on SearchSMB.com.


