
Study: SOX compliance costs drop in second year

Companies following Section 404 of the Sarbanes-Oxley Act will see a decline in compliance costs in their second year. However, IT spending on SOX compliance will continue to grow.

Companies that implement compliance with Section 404 of the Sarbanes-Oxley Act will see a decline in compliance costs in their second year, a study reveals. However, overall IT spending on compliance will continue to grow.

Boston-based CRA International Inc. recently surveyed 124 clients of major accounting firms Deloitte & Touche LLP, Ernst & Young LLP, KPMG LLP and PricewaterhouseCoopers LLP. Of the 124 companies surveyed, 58 were large companies with more than $700 million in market value, and 66 were small companies, defined as having $75 million to $700 million in market value.

In a press conference call, CRA Group Vice President Gregory Bell said these companies will see a significant decline in total Section 404 compliance costs from the first year of implementation to the second year.

Bell said larger companies saw a steeper decline in costs than smaller companies. Smaller businesses saw costs decline 39%, from an average of $1.5 million to $900,000. Costs declined 42%, from $7.3 million to $4.3 million, for larger companies.

The decline in compliance costs is mostly attributable to reduced documentation from the first to second year, according to Bell. He said companies also realized efficiencies from "learning curve effects." As companies become more familiar with the process, compliance is easier.

In addition, a smaller number of companies said remediation efforts that would not be repeated in the second year are also a source of cost reduction.

Passed in 2002, the Sarbanes-Oxley Act was aimed at preventing the kind of corporate accounting scandals that bankrupted giant public companies such as Enron Corp. and WorldCom Inc. Section 404 requires that a public company's management assess and report on its internal controls over financial reporting, and that an external auditor attest to that assessment.

Smaller companies have complained about the high cost of compliance. In response, the Securities and Exchange Commission (SEC) appointed an advisory panel to study ways of easing those costs for smaller companies. Among its recommendations, the committee suggested that companies with a market value and revenue of less than $125 million be exempt from Section 404. The SEC has scheduled a May 10 roundtable discussion to consider the adoption of the committee's recommendations.

Although Section 404 compliance spending is projected to shrink, some experts believe compliance-related technology spending will continue to grow.

"Spending on auditors and consultants will go down, but companies using technology to reduce the amount of labor they use on compliance will spend more on technology to improve the automation of compliance," said French Caldwell, an analyst at Stamford, Conn.-based Gartner Inc.

Caldwell said his firm estimates that compliance will take up 10% to 15% of the overall IT budget in companies. He said much of this growth is due to companies redefining and re-categorizing their IT spending.

"A lot of security spending is now being defined as compliance spending. I was with a security vendor yesterday. They track what is the primary driver behind the sale of their product. In 2004 it was 50-50 compliance versus security. In 2005 it was 70-30 compliance versus security. In 2006 it is 93% compliance. And their product is the same."

Caldwell said the shifting of the compliance burden to IT could be good news for the CIO.

"A lot of CIOs are finding it makes IT more relevant to the business. But CIOs have to be aware that the percentage of deficiencies from SOX -- those that are attributable to IT -- could go up, taking the compliance burden off the financial department [and onto IT]."
