IT Spending Mandated By Sarbanes-Oxley Act Still To Come

Business execs may have breathed a sigh of relief when they crossed the first hurdle of the Sarbanes-Oxley Act last fall, but the hard work--and IT spending--has yet to come.

Spending is expected to hit $2.5 billion for public companies striving to reach compliance with the regulation, according to a report from AMR Research. The act is aimed at improving transparency and accuracy in financial accounting and reporting in the wake of such corporate scandals as Enron and WorldCom.

Much fanfare was made last year as CEOs and CFOs personally signed off on SEC filings to assure investors the information contained within was accurate, in accordance with the early requirements of Sarbanes-Oxley. Yet new requirements lie ahead. Auditors will need to certify all internal controls and processes, including IT, for fiscal year-end 2003 filings, starting in the fourth calendar quarter of this year. And later, companies will need to perform real-time disclosure of any events that could possibly affect performance, though there has yet to be a date put on that compliance requirement.

Either way, 85% of the 60 companies surveyed in an online poll say that the upcoming rules will require changes in the IT and application infrastructures that support the business, while 61% expect business processes to change, though nearly 80% are unsure of what exactly the changes will be. In determining how to address compliance issues, 68% of companies are involving the IT department in the discussion, which fits with AMR's position that cross-organizational teams need to be involved in the compliance process.

Nearly 77% of companies will spend more on IT, business-process change, corporate governance, or consulting this year as a direct result of compliance with the act, the report says, with the spending levels directly tied to a companies' risk and exposure, rather than its size. Most companies will spend an average of 0.03% of total revenue on compliance-related activities in the next 12 months, but conglomerates with widely different and independent business units have budgeted for up to 0.2% of total revenue. For a $5 billion company, that equates to as much as $10 million in incremental spending.

Smart CIOs have been planning ahead, as 52% of public companies are already working to implement compliance plans, many by using enterprise resource planning systems or enterprise performance management tools to get them ahead of the regulators and to improve their own visibility into business operations. But vendors haven't yet come up with a robust compliance solution, though AMR analysts Lindsey Sodano and John Hagerty say that packages will begin to sprout up toward the end of this quarter.

In the end, there's a long road ahead. Says one survey respondent, "Sarbanes-Oxley is like Y2K, but without an end."