The SOX tax

Many companies find initial costs were high, but they decline in subsequent years.

Page 3 of 4

Illustration by Brian Gaidry for The SOX tax

There's a forum on the Securities and Exchange Commission Web site where a company can comment on its experiences implementing the control provisions required by Section 404 of the Sarbanes-Oxley Act. Dozens of executives have filed comments - many of which describe unreasonably onerous, expensive compliance efforts.

"Based on our own experiences and the experiences of our peers, we believe that the effort and costs to comply with the standard have been extraordinary," said Paul Zeller, vice president and CFO of Imation in Oakdale, Minn., in a statement. "We have incurred approximately $1 million in external costs and substantially more in internal costs, such that total SOX costs approximate 5% of our 2004 operating income."


William Krepick, CEO of Macrovision in Santa Clara, describes spending $1.1 million to hire outside consultants and $1.2 million to pay incremental audit costs to its public accounting firm during a two-year period that ended last March. In addition, the company has spent thousands of hours to implement Section 404, which has diverted attention from other company projects, according to Krepick.

"These distractions have resulted in delays in our investments in new projects and new technologies that would otherwise make our company more profitable and more competitive, which we believe our stockholders would rather have us focus on than creating massive amounts of paperwork to document SOX 404 compliance," Krepick comments.

Since the passage of SOX in 2002, companies have complained about the legislation designed to help restore investor confidence in the wake of accounting scandals at Enron and WorldCom. The source of many complaints is Section 404, which requires companies to attest to the effectiveness of internal controls to safeguard systems and processes related to financial reporting.

Under the SEC's two-tier approach, the largest public companies had to begin complying following their first fiscal year that ended after Nov. 15, 2004. The SEC extended the deadline for smaller public companies until July 2007, following a backlash from companies that said the requirements are too onerous.

Money for nothing

Meanwhile, analysts have tried to come up with guidelines on how much it costs a company to comply with SOX. The rule of thumb has been an average of $1 million in SOX expenses for every $1 billion in revenue.

Those numbers have held fairly firm over the last couple of years, on average, but there's a lot of variation among companies when it comes to the effort and expense required to comply, says John Hagerty, an analyst at AMR Research.

"A lot of it has to do with how a company is organized," Hagerty says. "If a company is very centrally managed, then they do it once and it applies to everybody. If a company is decentralized, there's a very good chance they have to repeat the same process in every location."

Collectively, companies spent $2.5 billion on SOX compliance in 2003, $5.5 billion in 2004 and $6.1 billion in 2005, according to AMR. The firm estimates spending will reach $6 billion this year, divided among expenses for internal labor (39%), technology (32%) and external consulting (29%).

Where the money comes from can be tough to track. Some may come from a company's general operating budget, other money from IT, financial and auditing department budgets. "The budget is really spread in a lot of different places," Hagerty says.

What's clear is that compliance efforts will consume a significant portion of IT resources. The majority of CIOs expect 10% or more of their 2006 IT budget to be dedicated to SOX-based compliance, according to Gartner research.

Often that means IT projects without a compliance payoff get relegated to the back burner. "Twenty-seven percent of CIOs are saying that they're getting dedicated funding for compliance for 2006, 22% say they don't know where the money is going to come from and the rest are getting the money by deferring other projects, that sort of thing," says French Caldwell, a research vice president at Gartner.

The good news is that as public companies accumulate SOX experience, the price tag for compliance is expected to decrease gradually. "It is getting cheaper. We're seeing an increase in IT budgets [dedicated to SOX projects], but that's more than being offset by the decrease in what companies are going to be paying consultants and auditors," Caldwell says.

First cut is the deepest

Mark Guth, manager of IT networks at Nicor Gas in Naperville, Ill., estimates SOX compliance accounted for about 2% of operational expenses in the IT department in 2005. That's down from the year before, when the company that distributes natural gas began its SOX efforts in earnest.

"What we discovered is that there's a very high entry cost to comply," Guth says. "Once we adopted procedures and made it part of our normal monthly and quarterly routines, we dropped the manpower requirements by almost 90%."

In 2004, Nicor's IT department spent about 8,500 hours to set up, test and work through compliance issues. "In 2005 it took us only about 900 man-hours to execute all those tests, compile the results and be at the same level of compliance that we were in 2004. In fact, we were better off in 2005 from a compliance standpoint," Guth says.

One tool that helped is ArcSight Enterprise Security Management, which collects and analyzes security data from such devices as firewalls, routers, switches and servers. Nicor uses it to correlate relevant security information and assess vulnerabilities, in particular with respect to system-access requests.

The ArcSight software isn't solely responsible for the 90% drop in manpower, but it has helped Nicor to spot potential security issues more quickly and correct them before they multiply and require more resources to handle, Guth says. "We've been able to clean up our security event log to the point where we feel much more confident about what's traveling around the network and where we stand with respect to compliance."

Micros Systems of Columbia, Md., also found compliance costs fell after the first year. Micros' tab for complying with SOX was in the range of $3 million to $4 million in 2004. For 2005, Micros shaved off at least one-third of those costs, says Carmen Requena, an internal auditor at the company, which makes software for restaurants, hotels, casinos and retailers. "A lot of extra effort had to be put in the first year," she says.

To help with the effort, Micros deployed software from OpenPages, which helps manage internal controls documentation and certification processes across all of Micros' 60 worldwide divisions.

The company also reduced professional services expenses by establishing an internal SOX audit team and merging the group with Micros' internal financial auditing department, Requena says. Everyone is smarter about SOX requirements in general, so the auditors - internal and external - are more in sync about what types of controls need to be in place and tested.

"Last year was almost like an ongoing, continual audit," Requena says. "There was always someone asking for something." This year will go more smoothly, because internal and external auditors are clearer about what they're looking for, she says.

Productivity takes a hit

For IT, the SOX burden isn't just about diverting staff and funds to compliance-related projects. In some cases, compliance takes a serious toll on IT productivity.

Archer Daniels Midland Investor Services (ADMIS), a Chicago financial-services company, is a subsidiary of the $35 billion agricultural processor, ADM.

While parent company ADM coordinates all SOX compliance efforts for the entire business, ADMIS operates its own IT systems and is responsible for executing the compliance provisions required. "In the past it's been a huge advantage, because we are a smaller shop, and we could move faster and quicker and bring things into a production mode a lot quicker than a huge shop, because we're more flexible," says Sam Helmich, vice president of technology at ADMIS. "Well, we've lost that productivity."

Because of the processes ADMIS had to put in place for SOX, Helmich's 15-person staff spends a lot more time doing paperwork, waiting for approvals and handing off projects - to avoid creating a segregation-of-duties conflict - instead of seeing them through to completion. "It's a time drain," Helmich says. "Because of SOX, my team's productivity has dropped 20%."

Segregation-of-duties issues also drove up spending on IT gear at ADMIS. Helmich has to provide separate systems for development and testing that aren't tied to production systems. "I can't have developers running on the same system. Even though they were segregated and couldn't affect production data, I couldn't have them even accessing the same system," he says.

That meant spending about $500,000 to upgrade the firm's IBM AS/400 systems last year. "I ended up buying a machine that's three or four times more powerful than what I really would have needed so that I could create LPARs - virtual logical machines - so that there's total segregation between development, testing and production environments," Helmich says.

Helmich also had to buy more Intel servers for his development environments. Having more boxes and more complex gear to manage adds to the SOX tally. "It takes more systems management time to handle more systems and keep everything segregated," he says. "It's a trickle-down effect."

One bright spot is that Helmich has found ways to satisfy some requirements using software he already had.

To keep track of help desk tickets and work orders, ADMIS has been using Team 2, a task-management application from software maker Alexsys, since 1998. Helmich found he can manipulate the software's rules engine to create some of the process controls and audit trails he needs for SOX compliance.

For example, ADMIS is using Team 2 to track requests for software development and programming projects. The software creates an electronic trail that starts with a work request and runs through the project design, testing, implementation and post-rollout phases. "We're using it as a project management workflow tool," Helmich says.

There are a few more processes Helmich plans to automate with the Team software. It's just a matter of finding the time, he says.

Segregation anxiety

Some companies have created new positions inside IT to deal with compliance challenges.

Security software maker McAfee hired Mark Homs to handle security and compliance issues related to the company's SAP system. "I deal with the internal audit people, the Sarbanes-Oxley committee, CFO, CIO, end users and anyone in between," says Homs, whose title is SAP security manager.

Before joining McAfee, Homs led SAP security at a Northrop Grumman division, worked as a consultant and did a brief stint with a vendor of SOX-related software. His expertise lies in the intricacies of SAP configuration and the design of sustainable security schemas for ERP systems - a key asset in today's SOX world. "Sarbanes-Oxley helped advance what I do," Homs says.

SAP applications are extremely flexible, and controls are complex. Choosing the best way to configure security settings isn't intuitive, Homs says. "Some of the ways you can achieve the controls are maintainable, and some are not. That's where a lot of companies have had problems."

When Homs came on board at McAfee, he helped rewrite its SAP security framework and bought software from Approva to help manage and strengthen the company's business controls. The vendor's BizRights platform helps McAfee spot and remediate risky configuration settings, policy violations and role conflicts, for example.

Without a tool such as Approva, getting to the root of an issue takes a lot of work. For example, if the accounting department wants to restrict access to a particular transaction, Approva makes it easy, Homs says. "Approva can show me who has access to this transaction. But it won't stop there. It will say, 'This is who has access to the transaction, this is how they get it, this is what authorization value gives it to them.' That saves me just countless hours of research."

SAP doesn't provide that kind of reporting natively. The information is out there, but it's not easy to correlate, Homs says. Approva does the correlation automatically, which justifies the investment in the software, Homs says. But putting an exact number on the return is difficult. He estimates by automating a lot of functions with BizRights - such as user provisioning, compliance monitoring and workflow - McAfee avoids having to retain about one-half of a staff member.

"Just the ability to make sure previous issues don't creep back into systems is really important, because then we don't have to refix things," Homs says. "There's definitely a return on investment."

Financial-services firm Harris also has found an ROI with its purchase of software from LogicalApps.

Darlene Mac Cormac knew segregation of duties was an area she would have to address. Mac Cormac is vice president of procurement and strategic sourcing at Harris in Chicago, which is part of the publicly traded BMO Financial Group.

The company's existing review process was manual and incredibly time consuming. With all the steps required, it took Harris about two months to go through its annual segregation-of-duties review, Mac Cormac says. "It was just a waste of senior people's time."

A few months ago, Harris went live with LogicalApps' software, which embeds controls for enforcing regulatory mandates and business policies within the firm's Oracle ERP applications. The controls help manage user access privileges, for example, while dashboards and reporting features alert managers to potential red flags. "Now when we do these audits we're not doing them manually, once a year, at a point in time," Mac Cormac says.

In addition, Harris has been able to close hidden gaps before they were exploited. "No matter how thorough a job we thought we were doing, we knew we weren't catching everything, and that was blatant the first time we ran the LogicalApps tool sets," Mac Cormac says. "When they came out with the reports, I was floored at some of the things that people could do. We'd just never realized because we'd never dug that deep."

One big payoff is in manual time saved. "It paid for itself in the reduction in time for doing our regular routine audits," Mac Cormac says. In addition, the software's configurability has helped conserve development resources. "So any monies that we would have spent customizing the Oracle applications, or the Oracle forms, to do some of the things we wanted, we're able to do it with these tools."

Look on the bright side

SOX compliance has created a lot of work for companies. But in the three-plus years since it was signed into law, there are plenty of examples where SOX has had a positive effect on the accuracy and security of companies' financial reporting processes.

Micros has used its SOX efforts to streamline company processes. The scrutiny SOX puts on internal processes affords an opportunity to spot inefficiencies in business processes and make recommendations for improving those processes, Micros' Requena says. "We've made quite a few effective recommendations."

Another potential bonus for SOX-governed companies is the opportunity to find money to do projects that have been on IT wish lists for some time. The budget for SOX in many companies is unlimited, McAfee's Homs says. "Whatever it takes, make it happen. I never saw that in all of my career for anything," he says.
