Frustrated about complying with the federal Sarbanes-Oxley Act?
Jean Bua can relate. As chief accounting officer at Boston-based Iron Mountain Inc., Bua spearheads the company's compliance efforts. A handful of employees, chosen for their extensive accounting experience, review each phase of the company's financial operations.
New internal controls tighten how Iron Mountain discloses financial information to the U.S. Securities and Exchange Commission. All workflow processes are exhaustively documented, then tested and retested. Automated internal audits make sure employees adhere to the new procedures.
Rather than outsource compliance efforts, Iron Mountain chose to keep things in-house. "When we needed more arms and legs, we went to individual consultants that we knew [to provide training and other services]," Bua said.
Technology helps. The company uses custom software as an "electronic repository" to monitor the entire project.
Iron Mountain is rounding the homestretch toward a Nov. 15 deadline for full compliance. Roughly 80% of the new law's stipulations have been met, Bua said. The company hired an independent auditing firm to assess internal controls and business processes before giving a thumbs-up, considered the final step toward full compliance.
Once auditors give their approval, it will mark the culmination of two years of time-consuming and costly work. Iron Mountain's finance arm "owns and runs" the compliance process, including training for 13,000 employees at numerous locations worldwide. The company expects first-year compliance costs of about $1 million, excluding audit fees.
Wearisome as the task has been, Bua said it pays dividends. The exhaustive analysis of business processes and systems gives Iron Mountain, which manages data records for more than 200,000 companies, a chance to pinpoint potential weaknesses.
"The way we look at it, having an internal control environment really promotes effective and efficient operations. You do a process one time and get it right. There's no rework," she said.
At the same time, Iron Mountain can guide its customers through the confusing maw of code created by the new regulation. "A lot of our customers are looking to us to provide them with some sort of opinion or certification that their records are safe with us," Bua said.
Think of Sarbanes-Oxley, or SOX, as standard accounting practices on steroids. Public companies with a market capitalization of $75 million or more must comply. That includes establishing internal controls on financial data and verifying them each year through an independent audit, including how information is stored, retrieved and protected.
Considered by some to be the toughest business law in decades, SOX also requires CEOs to personally validate financial statements and other information or face severe penalties, including fines and possibly jail time.
Lack of forethought appears to be a major stumbling block to SOX implementation, according to business analysts. Unlike Iron Mountain, many public companies underestimate the amount of painstaking recordkeeping required. As a result, they are scrambling to meet the deadline.
"When the regulations first came out, many companies thought they already were in compliance. Then they started doing the documentation and found out they weren't doing as well as they thought," said French Caldwell, an analyst with Gartner Inc., based in Stamford, Conn.
In fact, the level of paperwork is downright daunting. Take BMC Software Inc., which sells enterprise management applications and other products to businesses. Aside from protecting fungible financial data on its balance sheet, the company must also document each step along the sales chain, from the time salespeople close a deal to the time customer account balances are reconciled.
"This is a process of taking what's in people's heads -- what they do every day in their jobs -- and putting it down on paper so it can be tested," said John Cox, BMC's chief financial officer.
About 15 employees manage BMC's compliance full time, in addition to other accounting and auditing duties. Training at the company's different global offices falls to the director of business controls, a newly created position.
BMC is bracing for compliance costs in the "multimillions of dollars," including software licenses, consulting fees and first-year audit fees. Yet the company expects to eliminate duplicate computer systems and applications, many of which it inherited during acquisitions. "To the extent we're successful in getting to a common system, we'll save money by having a common process worldwide," Cox said.
Public companies with a market capitalization of $75 million or more must meet the Nov. 15 deadline. Companies whose market cap is less have until July 15, 2005.
Although SOX applies to publicly traded corporations, that doesn't mean other companies should ignore its implications. "Privately owned companies that wish to go public also may have to comply with many sections of SOX," said Peter Gerr, an analyst with Enterprise Strategy Group, of Milford, Mass.
To meet the need for ongoing SOX compliance, vendors are ramping up offerings. License revenue for SOX-related compliance applications is forecast to peak at $200 million in 2005, but begin plummeting due to market saturation in 2006, according to Forrester Research Inc. of Cambridge, Mass.
Garry Kranz is a freelance technology writer in Richmond, Va. He can be reached at email@example.com.