To be sure, the four-year-old legislation has been a problem child for IT executives at public companies. Among other hurdles, theyve been required to understand a slew of new acronyms: HIPAA, GLB, MFID, and NERC most of which translate to a higher workload.
And its been expensive. Firms have been given a challenge, a compliance imperative with a deadline, and its cost companies a lot of money, says Forrester analyst Paul Hamerman.
A lot of money and a lot of headaches. Over the last decade, the rapid pace of change in the data center means that IT professionals often run heterogeneous environments a jumble of PCs and servers with different operating systems. This jungle thatch of systems can make dealing with SOX compliance issues still more difficult.
Some companies have considered drastic measures in response to SOX. According to a recent study by Foley & Lardner, 21% of the firms surveyed have considered going private to avoid the burden of Sarbanes-Oxley. Moreover, That number has stayed consistent over the four years of the survey, notes Tom Hartman, the studys director.
If you want to read postings by unhappy executives, take a look at the forum on the Securities and Exchange Commission web site. The SEC invites feedback from companies who are feeling the pain of compliance with SOXs Section 404. Wrote one senior manager: Section 404 has been taken to an unreasonable extreme, with the cost to shareholders well beyond what was originally intended
How SOX Has Benefited IT
However, despite the grumbling, some industry observers call them sunny-side up optimists see the silver lining in the cloud of SOX compliance.
Forresters Hamerman, though he fully understands the heavy costs, notes that firms have seen gains as theyve dealt with SOX.
Companies have looked at this legislation and done some good work to get their control environments in order, he says. Companies have taken a hard look at their accounting systems, sometimes realizing that their financial management processes including those of the IT division were either redundant or not integrated with each other. Some of these systems have now been streamlined, he says.
In some cases, a companys IT department and its executive staff have been forced to communicate more closely, creating a more effective overall team. At the very least, accounting departments have learned to understand IT departments.
One unintended benefit: the lowly help desk, once seen as merely a necessary cost of doing business, has taken on greater importance. Firms are realizing that an efficient service desk eases some of the sticky logistics of SOX compliance. Somewhere, theres a help desk geek whos being treated with a dash more respect by upper management.
As companies have undergone two or three compliance cycles, theyve found business efficiencies they otherwise wouldnt have. Their controls are more standardized and better understood, Hamerman says.
There have been a lot of deficiencies that were documented and disclosed as a result of this process, so it has to be doing some good because companies have had to remediate those control efficiencies. Additionally, plenty of problems were found and addressed before they became reportable issues.
Supporting Hamermans statement is a study by Ernst and Young, which found that 87% of responding companies anticipate value simply through the enhanced accountability and ownership of controls promoted by Section 404.
As the years go by, the burden of Sarbanes-Oxley grows less onerous sort of. I think the first round was a lot tougher than what were seeing in this second and third compliance cycles, Hamerman says. Because the first time they had to go out and identify and document a lot of the controls. The control environment wasnt that well documented if documented at all.
As theyve gone through this, theyve accumulated a lot of knowledge, and its just made the process easier, and theres been some evidence that the cost of the compliance effort has gone down because they havent had to hire as many external consultants and things like that.