Qualcomm shares two years of SOX experience

By compliance standards, Qualcomm is an early adopter. The San Diego chipmaker was among the first public companies to comply with Section 404 of the Sarbanes-Oxley Act - a full year before the close of its 2005 fiscal year and well before the legislation's deadline.

But when it comes to IT products designed to help automate the compliance process, Qualcomm prefers not to be an early adopter.

For its first round of compliance, Qualcomm relied on staff to do the documentation and testing of controls. SOX Section 404 requires companies to attest to the effectiveness of the internal controls put in place to safeguard financial reporting systems and procedures. To do so, companies need to identify their key processes and, within those processes, identify key controls and establish ways to measure the effectiveness of those controls.

When Network World spoke to Qualcomm CFO Bill Keitel last year, he said a manual start to SOX compliance was unavoidable. "There's no way a system can do all those steps. That's a very manual, intensive process," Keitel said at the time. "I would venture that there's no alternative to doing it manually this first time through."

Fast forward to 2006, and Keitel says the second year of compliance is easier than the first year, since the documentation is complete (barring some inevitable modifications) and the processes for testing controls are in place. In addition, Qualcomm has been able to reevaluate what it defines as key system controls and simplify some things. "After you get through the first year, the second year is about continuing to implement," Keitel says.

However, while SOX compliance has gotten easier for Qualcomm, it remains a manual-intensive project. Keitel is ready for tools that will help automate SOX compliance, but finding the right ones hasn't been easy. Qualcomm invested in software to help with the data management requirements of SOX, but the tool the company purchased was a disappointment. "The product didn't prove to be as robust as we hoped," he says.

Keitel hasn't given up, but he's waiting for the compliance software market to mature a bit more. "We're trying to bide our time in hopes that we'll see things stabilize a bit." Among the tools on Keitel's radar is software to help aggregate compliance testing data.

As for the cost of SOX compliance, there's good news in that department. Qualcomm was able to reduce its SOX spending during its 2005 fiscal year, which ended in September. "We saw some reasonable savings going into the second year," Keitel says. "The first year we spent approximately $7 million. The second year we brought that down to just under $5 million."

As he looks back on two years of SOX compliance, Keitel has mixed feelings about the legislation's impact. For example, having to comply with Section 404 sped up Qualcomm's ongoing efforts to more thoroughly document its business processes - but some of the work is overkill.

"SOX pushed us to do more of that process mapping sooner than what we had planned on," Keitel says. "Some of that was good, because it was process mapping I wanted to do anyway. But I feel like it went way beyond what we would have done on our own. That's the drawback for me."

Looking ahead, Keitel sees an opportunity for Qualcomm to reinstate some of the IT projects that got put on the back burner when SOX surfaced. "We were planning to do some system changes within Qualcomm, and the immensity of the SOX 404 process required us to delay them a bit. But we're trying to get back on that path now."



Copyright © 2006 IDG Communications, Inc.
