Sarbanes-Oxley's 4th Birthday: Is Anyone Celebrating?

To be sure, the four-year-old legislation has been a problem child for IT executives at public companies. Among other hurdles, they’ve been required to understand a slew of new acronyms: HIPAA, GLB, MFID, and NERC – most of which translate to a higher workload.

And it’s been expensive. Firms “have been given a challenge, a compliance imperative with a deadline, and it’s cost companies a lot of money,” says Forrester analyst Paul Hamerman.

A lot of money and a lot of headaches. Over the last decade, the rapid pace of change in the data center means that IT professionals often run heterogeneous environments – a jumble of PCs and servers with different operating systems. This jungle thatch of systems can make dealing with SOX compliance issues still more difficult.

Some companies have considered drastic measures in response to SOX. According to a recent study by Foley & Lardner, 21% of the firms surveyed have considered going private to avoid the burden of Sarbanes-Oxley. Moreover, “That number has stayed consistent over the four years of the survey,” notes Tom Hartman, the study’s director.

If you want to read postings by unhappy executives, take a look at the forum on the Securities and Exchange Commission web site. The SEC invites feedback from companies who are feeling the pain of compliance with SOX’s Section 404. Wrote one senior manager: “Section 404 has been taken to an unreasonable extreme, with the cost to shareholders well beyond what was originally intended…”

How SOX Has Benefited IT

However, despite the grumbling, some industry observers – call them sunny-side up optimists – see the silver lining in the cloud of SOX compliance.

Forrester’s Hamerman, though he fully understands the heavy costs, notes that firms have seen gains as they’ve dealt with SOX.

“Companies have looked at this legislation and done some good work to get their control environments in order,” he says. Companies have taken a hard look at their accounting systems, sometimes realizing that their financial management processes – including those of the IT division – were either redundant or not integrated with each other. Some of these systems have now been streamlined, he says.

In some cases, a company’s IT department and its executive staff have been forced to communicate more closely, creating a more effective overall team. At the very least, accounting departments have learned to understand IT departments.

One unintended benefit: the lowly help desk, once seen as merely a necessary cost of doing business, has taken on greater importance. Firms are realizing that an efficient service desk eases some of the sticky logistics of SOX compliance. Somewhere, there’s a help desk geek who’s being treated with a dash more respect by upper management.

As companies have undergone two or three compliance cycles, they’ve found business efficiencies they otherwise wouldn’t have. “Their controls are more standardized and better understood,” Hamerman says.

“There have been a lot of deficiencies that were documented and disclosed as a result of this process, so it has to be doing some good because companies have had to remediate those control efficiencies.” Additionally, plenty of problems were found and addressed before they became reportable issues.

Supporting Hamerman’s statement is a study by Ernst and Young, which found that 87% of responding companies anticipate value simply through the enhanced accountability and ownership of controls promoted by Section 404.

As the years go by, the burden of Sarbanes-Oxley grows less onerous – sort of. “I think the first round was a lot tougher than what we’re seeing in this second and third compliance cycles,” Hamerman says. “Because the first time they had to go out and identify and document a lot of the controls. The control environment wasn’t that well documented – if documented at all.”

“As they’ve gone through this, they’ve accumulated a lot of knowledge, and it’s just made the process easier, and there’s been some evidence that the cost of the compliance effort has gone down because they haven’t had to hire as many external consultants and things like that.”