If you own shares in a publicly traded company or you are a technology professional in one, chances are that you’re already well-acquainted with the Sarbanes-Oxley Act (SOX), which was passed by Congress as a response to the pervasive corporate fraud of the 1990s involving well-known companies like Adelphia, Enron, Tyco and Worldcom.
Sarbanes-Oxley was designed to combat rampant corporate fraud; to restore investor and public confidence in American capitol markets; and to promote sound accounting practices while it policed insider trading and ensured the integrity of market research. The provisions in Sarbanes Oxley are not entirely new, and many already exist in an amalgam of existing federal and state laws and for corporate executives, accountants and technology professionals.
For many corporate IT departments, SOX at first glance loomed as a second “Y2K” effort that would delay other important projects and suck the life out of the technology budget. This article explores how much Sarbanes Oxley compliance has cost companies, how much Sarbanes Oxley has been enforced, how SOX has affected corporate IT, and whether its ultimate impact could be a beneficial one.
The hard dollar cost of SOX compliance
A 2005 Financial Executives International survey of 217 publicly traded companies showed that companies spent an average of $4.36 million to comply with Section 404 of Sarbanes Oxley. A second 2005 survey of 90 Big Four accounting firm clients found that companies spent an average of $7.8 million on compliance, or about 0.10 of their revenue. Understandably, companies have been concerned that SOX compliance is diverting money from maximizing shareholder value–and corporate technology departments are looking at project load backups, brought about by the effort expended to facilitate the massive reporting requirements mandated by Sarbanes-Oxley.
On the flip side, the dangers of not complying with Sarbanes Oxley, in combination with improper accounting practices, is far costlier.
Since Sarbanes Oxley’s enactment in 2002, federal prosecutors have filed criminal charges on 14 major corporate fraud scandals (this data is current through July of 2004). The charges are tied to 69 separate but related prosecutions. Two-thirds of the cases resulted in convictions. In nine of the major corporate frauds, 152 CEOs or other high executives were criminally charged. In 14 of the investigations, CFOs or other high ranking financial officers were charged.
Unfortunate as it might be, this prosecution has helped to restore investor confidence in the capital markets as investors now believe that they have solid law enforcement that they can depend on. Within corporate technology departments, there has also been an opportunity to complete data and reporting projects that had been sitting in the wings for quite some time, due to other pressing priorities.
It is good that these reporting projects are finally coming off the IT backlogs, since they always took second, third or even fourth place to technology implementations that were able to immediately pay off in increased corporate sales or a competitive advantage in the marketplace. For IT managers, however, a “reverse” question has surfaced: has all of this time spent working on reporting and data organization detracted from critically competitive technology projects and budget allocations?
New governance models for IT
Beyond a doubt, there has been budgetary fallout from Sarbanes Oxley work in IT. However, unlike the Y2K effort, there is increasing evidence that Sarbanes Oxley has delivered some unexpected by-products to technology organizations that are making them stronger and more efficient.
The most beneficial area for corporate IT is the area of governance. In a nutshell, IT governance is a collection of policies, processes and procedures that define how corporate technology and technology workers operate. These guidelines govern the management of change, problem management and trouble-shooting, management of service levels, and consistency of IT operations from facility to facility.
Several different IT governance standards exist today. The IT Infrastructure Library (ITIL) is well supported in Europe, and is growing in popularity in North America. The Control Objectives for Information and Related Technology framework (CoBiT) is also being studied and adopted by organizations. CoBiT addresses technology planning and organization, acquisition and implementation, delivery and support, and monitoring.
Many organizations that have adopted ITIL and/or CoBiT have claimed significant returns on investment (ROI) from their IT operations.
As an example, Tech Republic, an online community and information resource for IT professionals, cited Proctor & Gamble, which has reduced IT operations costs six to 8 percent annually and reduced technology staff between 15-20 percent for a savings of more than $500 million over four years. In an interview with Tech Republic, Morton Cohen, Proctor & Gamble’s manager of global service management, commented, “When IT processes are done by 5,000 people consistently across one company, service management can deliver tremendous savings.”
Of course, if you are an IT professional “on the lines,” no one likes to see staff reductions unless it results in job reassignments that keep people working. For the most part, it has — and the operational savings that are going hand in hand with the “get tough” compliance measures of Sarbanes Oxley, have produced attractive results for both shareholders and companies.
New impact on consulting resources
There is one other corner that needs to be covered in the Sarbanes Oxley story for IT: outside consulting. SOX compliance has focused the spotlight on consulting firms, as well as on internal accounting, auditing and IT functions.
According to Sen. Paul Sarbanes in the New York Times, a major goal of SOX was “to get auditors to start being auditors again.” To do this, SOX prohibited auditors from engaging in business ancillary to accounting.
The repercussions internally and externally have been significant. On the inside of corporations, where there have often been strong alliances between accounting and IT, there is now more segregation of duties than before.
On the outside of organizations, where accounting firms traditionally also bid on IT projects, there has been less activity in the IT area — which has opened up the field for more consultancies that focus exclusively on IT. Neither trend is necessarily bad for IT. Internally, IT gains autonomy and more recognition for its contributions and core competencies. Externally, there are now more consultancy choices available – with a dedicated focus on IT.
Debates on Sarbanes Oxley are likely to continue, but unlike Y2K SOX has the chance to deliver some long-lasting and positive results to organizations, especially now that the initial rounds of SOX spending are over.
The emerging field of IT governance, fueled by Sarbanes Oxley and other forces, is likely to have far-reaching effects on IT that in the long run, can make IT stronger. These contributions are in the areas of policies, uniform operations and uniform service levels — which IT and its internal and external customers will all profit from.
Credit: August 2006 issue of Enterprise Networks & Servers