Compliance issues will be with us indefinitely and in order to retain the achievements made thus far and be able to make further in-roads both in terms of regulatory compliance and IT process improvement, budgets must be allocated to ensure that these activities can be sustained.
The Investment Thus Far
First off, the Sarbanes-Oxley Act was passed by the U.S. Congress to protect investors from the possibility of fraudulent accounting activities by corporations. The legislation deals with security regulations, such as disclosure rules, auditor regulations and increased corporate responsibility for fraud.
Financial Executives International, a financial trade association with 15,000 members, did a survey this past July of 224 of those members with sales of more than $2.5 billion. The study shows that to deal with Sarbanes-Oxley, large firms will spend $3.14 million on average or approximately 0.126 percent of sales. The SEC puts the bill at $4 billion for all firms.
Bear in mind that different groups have different projections, but most seem to have a common theme -- the cost projections are increasing. At the same time, the trade press has plenty of articles about system implementation freezes in the fourth quarter, and projects being cancelled in order for IT to work on SOx.
All these messages are telling us two things: First, large sums of hard cash are being spent on labor, tools and training to get ready for the end of year one. Second, there are very real economic opportunity costs that are being incurred, as well.
In other words, there are finite resources in any organization and SOx is being done at the expense of something else not being done. Upon reflection of these two elements, organizations that have varying degrees of resource constraints need to seriously consider if they can sustain their compliance efforts next year.
Granted, the resources required for SOx compliance will change, but how will they change?
By saying that the money spent on SOx compliance is an investment is being done on purpose.
Monies were outlaid to ensure that the organization's risks were mitigated and that proper controls are in place to ensure, at a minimum, the integrity of the financial reports. Failure to budget sufficient funds for future efforts risks the viability of past work going forward and could cause the organization to suffer fines, public embarrassment, real fraud, and mistakes that could have been prevented. At the very least, companies could suffer the needless additional expense of recreating work that was already done and then lost due to poor planning and insufficient funding.
Considerations for Year 2...
We can quickly draw up a list of items that need to be considered for budgeting purposes. Not all of these areas will apply and the intent of the list is to generate discussion about what does need to be considered. Areas to review include:
If you have a control map that outlines the various detail controls, consider creating a matrix with the controls as rows and a list of the functional areas as columns. In each intersecting cell, record the various outlays needed. The intent of the thought process is to ensure that sufficient funds are identified for discussion during the budgetary process.
Funding is a vital element of sustaining a control environment. Without adequate funds, there will continue to be elevated thrashing of resources between projects, projects not being completed, etc. It is critical that management review requirements and plan accordingly to ensure that compliance is sustained.