- Is the Cisco MARS mission going to abort?
- First iPhone worm spreads Rick Astley wallpaper
- 10 stunning 3D buildings made with Google SketchUp
- Open source software ready for big business
- Four reasons to buy (and one reason to avoid) the Droid
The tab for regulatory compliance continues to climb - and along with it, demand for IT projects to bolster security, storage and reporting capabilities.
U.S. companies will spend $15.5 billion on compliance-related activities this year, according to research published last week by AMR Research. A large chunk of the spending is designated for public companies' projects related to the Sarbanes-Oxley (SOX) Act of 2002. SOX spending will grow 11% from $5.5 billion last year to $6.1 billion this year, AMR says. Other budget-consuming initiatives include compliance with the Health Insurance Portability and Accountability Act (HIPAA), Food and Drug Administration regulations, and the Basel II international banking accord.
In particular, SOX has put a spotlight on compliance initiatives since it affects a broader swath of companies than some of the industry- or geographic-specific regulations, says John Hagerty, vice president of research at AMR Research. Additionally, it's getting budget priority over other regulatory projects because its deadlines are imminent. "Those with the shortest deadlines move to the top of the queue," he says.
Passed in the wake of accounting scandals at companies such as Enron and WorldCom, SOX is designed to deter fraud and add transparency to public companies' financial reporting procedures. Among the more onerous of the legislation's requirements is Section 404, which calls for companies and their auditors to formally attest to the existence and adequateness of internal controls over financial reporting systems.
Establishing, testing and documenting such controls is a time-consuming effort that not only has financial departments scrambling but involves nearly every aspect of IT.
The toughest part of SOX compliance is the scrutiny it places on the IT department, says James Olson, CIO at Waterbury Hospital in Connecticut. SOX has increased the number and comprehensiveness of IT-related audits, he says. "It used to be that a 100-watt bulb would be turned toward IS once a year. Now we have a searchlight looking at us."
Prior to the legislation, auditors examined the hospital's patient accounting system. Today, audits extend to multiple applications, including accounting, payroll, materials management and decision support systems.
Auditors today look not only at backup, data center security and password administration but also division of labor within the department, Olson says. "They have increased what they are auditing and [now look into] the formality of the policies, procedures and processes supporting the department," he says.
What makes SOX tough is that there's no one-size-fits-all checklist for compliance, adds James Kritcher, vice president of IT at White Electronic Designs. "From an IT perspective, the actions that a company will need to take depend on what is discovered in the internal controls inspection. IT leaders need to work closely with the Sarbanes-Oxley auditors to make sure that they know what their companies' weaknesses are."
Rss FeedRss Feed
The Leader in Network Knowledge
Comment