Click to see: Illustration by Brian Gaidry for The SOX tax

There's a forum on the Securities and Exchange Commission Web site where a company can comment on its experiences implementing the control provisions required by Section 404 of the Sarbanes-Oxley Act. Dozens of executives have filed comments - many of which describe unreasonably onerous, expensive compliance efforts.

"Based on our own experiences and the experiences of our peers, we believe that the effort and costs to comply with the standard have been extraordinary," said Paul Zeller, vice president and CFO of Imation in Oakdale, Minn., in a statement. "We have incurred approximately $1 million in external costs and substantially more in internal costs, such that total SOX costs approximate 5% of our 2004 operating income."

Qualcomm shares two years of SOX experience
Blue Rhino tackles SOX with tools on hand
Congoleum lays solid foundation for SOX compliance

William Krepick, CEO of Macrovision in Santa Clara, describes spending $1.1 million to hire outside consultants and $1.2 million to pay incremental audit costs to its public accounting firm during a two-year period that ended last March. In addition, the company has spent thousands of hours to implement Section 404, which has diverted attention from other company projects, according to Krepick.

Click to see: The high cost on compliance

"These distractions have resulted in delays in our investments in new projects and new technologies that would otherwise make our company more profitable and more competitive, which we believe our stockholders would rather have us focus on than creating massive amounts of paperwork to document SOX 404 compliance," Krepick comments.

Since the passage of SOX in 2002, companies have complained about the legislation designed to help restore investor confidence in the wake of accounting scandals at Enron and WorldCom. The source of many complaints is Section 404, which requires companies to attest to the effectiveness of internal controls to safeguard systems and processes related to financial reporting.

Under the SEC's two-tier approach, the largest public companies had to begin complying following their first fiscal year that ended after Nov. 15, 2004. The SEC extended the deadline for smaller public companies until July 2007, following a backlash from companies that said the requirements are too onerous.

Money for nothing

Meanwhile, analysts have tried to come up with guidelines on how much it costs a company to comply with SOX. The rule of thumb has been an average of $1 million in SOX expenses for every $1 billion in revenue.

Those numbers have held fairly firm over the last couple of years, on average, but there's a lot of variation among companies when it comes to the effort and expense required to comply, says John Hagerty, an analyst at AMR Research.

"A lot of it has to do with how a company is organized," Hagerty says. "If a company is very centrally managed, then they do it once and it applies to everybody. If a company is decentralized, there's a very good chance they have to repeat the same process in every location."

Whitepapers

• The Trend from UNIX to Linux in SAP(r) Data Centers
• Getting in Compliance With Government Data Regulations By Leveraging Online Security Technology
• How to Offer the Strongest SSL Encryption
• Maximizing Site Visitor Trust Using Extended Validation SSL
• Seven Steps to Reducing your Security Risk
• The Latest Advancements in SSL Technology

View more SECURITY whitepapers

Webcasts

• The Secure Web Gateway. Mission Critical For Business - Webcast
• Mobile Data Security
• Best Practices for Deploying WAN Optimization for Disaster Recovery
• Key Considerations for a Successful 802.11n Deployment
• Solutions to the Toughest IT Challenges in Remote Offices
• Lowering the Cost of Email Archives

View more SECURITY webcasts

Special Reports

• The Evolution of Network Security
• Taking Virtualization Up a Notch
• The self-managed network

View more SECURITY special reports