The 173-word Section 404 of the Sarbanes-Oxley Act of 2002 (SOX) will cost publicly held midmarket companies an average of $1.5 million in the first year of compliance, according to a survey by consulting firm CRA International. One study put businesses' total Section 404 spending on storage alone at $6 billion. And the costs fall disproportionately on smaller firms: the Small Business Administration found that small companies spend nearly 50% more per employee on regulatory compliance than large companies do.
The Wikipedia online encyclopedia defines "gold rush" as "a period of feverish migration … into the area of a dramatic discovery of commercial quantities of gold." By that definition, compliance is the gold rush of the first part of the 21st century.
Tech companies have jumped into the breach to sell you solutions to your compliance problems. Type "compliance" into the search box at Bitpipe.com and you get a list of 335 advisory white papers, many of them SOX-related, from a who's-who of the top vendors in the industry. One company offers a self-administered test that is supposed to tell you in five minutes how vulnerable you are to regulatory compliance failures. Google's search results page for "compliance" can't accommodate all the ads from tech firms.
Network vendors will tell you that compliance is a network reliability and security problem. Information security vendors say you should get your identity management act together. Storage companies say you need more disk space.
And the audit companies, whose shoddy work created the need for Section 404 in the first place, are only too eager now to sell you their solutions for prices beginning in the low six figures.
I don't mean to imply that vendors don't have useful tools to help you get compliant. But the IT industry sees technology as a hammer and every problem as a nail. There's no mention of software or hardware in Section 404; what it requires is that management assess and report on the effectiveness of the company's internal controls over financial reporting, and that the outside auditor attest to that assessment. In fact, most experts agree that the last thing you should do is go out and buy technology. You need to get your processes and control objectives in place first.
Start by understanding the requirements of Section 404. SearchSMB.com has an excellent IT Management Guide on Compliance, aimed at small and midsized companies. SearchCIO.com has an informative Executive Guide to SOX. The IT Compliance Institute is a rich source of news and advice on the topic. Compliance Pipeline has good content just for IT professionals.
Then get a committee together. If you're the CIO, you'd better be on it, because your neck is on the line. Now may be the time to bring in a consultant, but devote your own time to analyzing what the law actually requires and where your shortfalls are. And while you're at it, identify any other compliance obligations you need to address. Gartner just issued a report saying it can cost 10 times as much to address compliance issues piecemeal as it does to tackle them all at once.
When it comes to technology, the key is setting priorities. Once you know what you have to fix, then go back and start reading those white papers. Consult documents from several vendors so that the competing marketing messages cancel each other out.
Focus on fixing your processes. The best email archiving software in the world won't help if your employees are conducting business over instant messaging that nothing captures. Consult colleagues at other companies who are further along in their compliance efforts and find out where the gotchas are.
Document your shortfalls and the steps you plan to take to address them. They'll come in handy if the regulators come knocking. Then, and only then, seek technology solutions from vendors. But don't let marketing messages define your compliance priorities.
Paul Gillin is a technology writer and consultant and former editor-in-chief of TechTarget. His website is www.gillin.com.