Planning Out Your Compliance Moves

Without a doubt, companies are spending terrific sums of money to gain compliance with the Sarbanes-Oxley Act of 2002 (SOx). However, organizations must realize that SOx isn't a one-time event like Y2K.

Compliance issues will be with us indefinitely. To retain the achievements made thus far and to make further inroads in both regulatory compliance and IT process improvement, budgets must be allocated so that these activities can be sustained.

The Investment Thus Far

First off, the Sarbanes-Oxley Act was passed by the U.S. Congress to protect investors from the possibility of fraudulent accounting activities by corporations. The legislation deals with security regulations, such as disclosure rules, auditor regulations and increased corporate responsibility for fraud.

Financial Executives International, a financial trade association with 15,000 members, did a survey this past July of 224 of those members with sales of more than $2.5 billion. The study shows that to deal with Sarbanes-Oxley, large firms will spend $3.14 million on average or approximately 0.126 percent of sales. The SEC puts the bill at $4 billion for all firms.

Bear in mind that different groups have different projections, but most seem to have a common theme -- the cost projections are increasing. At the same time, the trade press has plenty of articles about system implementation freezes in the fourth quarter, and projects being cancelled in order for IT to work on SOx.

All these messages are telling us two things: First, large sums of hard cash are being spent on labor, tools and training to get ready for the end of year one. Second, there are very real economic opportunity costs that are being incurred, as well.

In other words, there are finite resources in any organization and SOx is being done at the expense of something else not being done. Reflecting on these two elements, organizations that have varying degrees of resource constraints need to seriously consider whether they can sustain their compliance efforts next year.

Granted, the resources required for SOx compliance will change, but how will they change?

A Warning

Describing the money spent on SOx compliance as an investment is deliberate.

Monies were outlaid to ensure that the organization's risks were mitigated and that proper controls are in place to ensure, at a minimum, the integrity of the financial reports. Failure to budget sufficient funds for future efforts risks the viability of past work going forward and could cause the organization to suffer fines, public embarrassment, real fraud, and mistakes that could have been prevented. At the very least, companies could suffer the needless additional expense of recreating work that was already done and then lost due to poor planning and insufficient funding.

Considerations for Year 2...

We can quickly draw up a list of items that need to be considered for budgeting purposes. Not all of these areas will apply and the intent of the list is to generate discussion about what does need to be considered. Areas to review include:

  • Policies and Procedures -- All the documentation generated will need to be maintained. This takes time and can incur considerable labor and economic costs. This may necessitate a reallocation and/or increase in headcount;
  • New/Changed Processes -- These could result in the requirements of additional resources. Impacted areas include labor, hardware, software, consulting, etc.;
  • Audits -- Once the new policies and procedures go into effect, there must be audits to ensure compliance, as well as to assess whether or not changes need to be made;
  • Consulting -- Bear in mind that auditors cannot design the processes they audit. If your organization needs assistance in implementing and/or refining controls, you will need to budget sufficient funds to do so;
  • Training -- An expectation of any solid control framework is that the training necessary to maintain the framework takes place. At the same time, there must be a sufficient emphasis on training to ensure that risks and opportunities are identified, understood and mitigated; and
  • Tools -- Additional investments may be needed in the areas of hardware and software in order to keep up with the environment and improve efficiencies.


If you have a control map that outlines the various detail controls, consider creating a matrix with the controls as rows and a list of the functional areas as columns. In each intersecting cell, record the various outlays needed. The intent of the thought process is to ensure that sufficient funds are identified for discussion during the budgetary process.

Funding is a vital element of sustaining a control environment. Without adequate funds, there will continue to be elevated thrashing of resources between projects, projects not being completed, etc. It is critical that management review requirements and plan accordingly to ensure that compliance is sustained.
