SOX: New rules for year two

What does it cost to make SOX controls visible? What about in real time? Find out what CIOs learned from round one of SOX fun.

AMR Research analyst John Hagerty has three words of advice for executives grappling with compliance with the Sarbanes-Oxley Act: repeatable, sustainable and cost-effective.

"SOX is not going to go away like Y2K. It's here to stay," Hagerty said.

About half of the companies Hagerty deals with still view SOX compliance as just another tactical project. "SOX is a process, not a project, and you have to plan for it."

The first line of attack -- making the process repeatable -- requires investing in technologies that will help automate testing of internal controls, Hagerty said. AMR Research Inc. estimates that of the $6.1 billion spent on SOX compliance in 2005, nearly two-thirds will go to internal labor and head count.

"People will always be involved in a compliance process like this, but you don't want to have it be intrusive or taking away from day-to-day work," Hagerty said.

The repeatable factor: Got LANs?

In addition to reducing employee time, automated testing of controls enables companies to stop bad things from happening as they occur, not after the fact. To do this, companies can embed testing of internal controls right into the business processes themselves, or deploy a LAN that sits outside the business process to verify controls, but the goal should be the same: continuous monitoring in real time.

"You want a constant feedback loop, so people can understand how what they just did wrong caused problems, and, as important, how they can re-train themselves to do it the right way," Hagerty said.

To make SOX compliance sustainable, the issue needs to be "front and center" in the company through the use of portals, dashboards and/or scorecards. "Executives especially like this because they can understand at a moment's notice where they have problems or gaps in controls and whether they are able to attest to the company's financials on a quarterly basis." AMR estimates that making SOX visible will cost a company between $50,000 and $250,000, depending on its size and scope.

Follow the money

Finally, to not go broke, companies need to make SOX compliance cost-effective by staying the course -- a mindset that does not come naturally to the task-oriented.

"As people started to plan for their year activities, it was interesting how many thought they had to throw out what they did last year and start over. Our advice is that if you are satisfied with what you did last year -- and I would say 99 out of 100 companies are -- you want to automate, not replace," Hagerty said. That gets back to investing in technology. Successful companies are spending more now to gain more in the future, looking at SOX much like a Six Sigma process, Hagerty said. "By automating the testing of some of these internal controls, you will reduce the cost of compliance by upward of 25%, and we think that is actually pretty conservative."

All these strategies essentially are based on one philosophy: Build compliance requirements and processes into the foundation of how you run your business. This is easier said than done. Many companies have told Hagerty they were so burnt out by their first year of SOX compliance, they gave their SOX team three months off, from January to March.

"Like anybody else who has been off a project for a couple of months, it's difficult to re-engage," he said. One of the ways companies can get around "organization fatigue" is to bring fresh people on the team, thus getting more people invested and avoiding the bullwhip effect.

At Iron Mountain, the records storage company that made news of its own this year when customer data was accidentally lost in transit, chief accounting officer Jean Bua is among those who see SOX as a positive force. "It's all about doing the right work at the right time," she said.

Year two lessons

As Iron Mountain enters year two, it has taken several steps to turn SOX compliance into a process, Bua said. "Last year this was obviously more of a project to get done. This year we have created essentially a Sarbox office, with five positions dedicated to it, including two people from within and three new hires," Bua said.

The goal is to take the controls implemented for Sarbox compliance and move them through the business, holding business people accountable at the point where the controls begin. Last year, Bua's department did much of the work themselves. "Now we're trying to integrate the controls at the business source." The company is "adding value" by automating as much of the manual processes as possible, spotting where the risks were and making sure the risks are covered. It is also monitoring the controls that were put in place late in the year to meet compliance, to make sure they continue to mature rather than function as a one-shot deal.

Iron Mountain has designed a communication plan that alerts the SOX office when a key person has left or a business process changed, to ensure that compliance is maintained on a continuous basis. As a result, Bua said, the company expects to reduce its domestic SOX compliance costs by 25% in 2005 and its European operations by 50%.

Let us know what you think about the story; email: Linda Tucci, Senior News Writer