The push to achieve compliance with the Sarbanes-Oxley Act was a prominent, and recurring, theme throughout the IT world in 2004. While the ripple effect of Sarbanes-Oxley compliance efforts will be felt for some time, a report being issued Jan. 1 indicates that one of the more immediate results for some companies was a slowdown in IT spending as executives rethought IT project priorities.
Deadline for compliance with certain sections of the Sarbanes-Oxley Act of 2002 delayed technology projects and shifted technology priorities in the last half of 2004, according to a new report from research firm B2B Analysts Inc. The report is the result of a primarily anecdotal study of 66 public companies conducted in October and November.
Although generalizations were hard to come by, B2B president David Dobrin admits, the result of Sarbanes-Oxley compliance efforts for 40% of the companies studied has been a "braking effect" on technology spending, particularly within small businesses and companies in the financial-services industry.
One of B2B's more interesting findings is that companies believe standardizing on a particular back-office software package, rather than integrating different applications from different vendors, will help with compliance in the long term. "It's a shift in IT priorities that says it's cheaper for [a company] to have a single back-office system that works," Dobrin says. One of B2B's clients is considering the purchase of an enterprise-resource-planning system, after originally "swearing" he would never invest in one, Dobrin adds.
One CIO, of a clothing company B2B doesn't name, said in the report that with a better-integrated back-end sales system, the company would spend less time documenting all of the interfaces between that system and the rest of the company's IT environment. Still, spending on such a system had to wait until 2005 to avoid disruption to other compliance efforts already under way.
The amount of time required to document and test all areas of IT that relate to a company's financials is daunting, Dobrin says. The good news is that spending on Sarbanes-Oxley compliance is coming more out of companies' general operating budgets than out of IT budgets, he says.
Federal lawmakers wrote Sarbanes-Oxley in an effort to protect investors in publicly held companies from fraud. The law requires public companies to verify that their financial-reporting systems have the proper controls, such as ensuring that revenue is recognized correctly. As of Nov. 15, under Sarbanes-Oxley's section 404, companies had to include a statement attesting to the effectiveness of internal financial-reporting controls with their 2004 annual reports.
Companies have generally acknowledged that such financial controls require a commitment of IT resources dedicated to documenting and testing the business processes that directly contribute to a company's financial statements.
Those demands are taking a toll on IT budgets, according to several studies. A December PricewaterhouseCoopers Management Barometer Survey found that money spent to achieve Sarbanes-Oxley compliance accounts for 54% of all compliance costs by companies in the United States.
A November AMR Research survey indicated that technology spending devoted to achieving Sarbanes-Oxley compliance will grow from $1.1 billion this year to $1.6 billion next year. Sarbanes-Oxley is consuming 42% of compliance-related IT spending, and more than a third (36%) of companies plan to increase Sarbanes-Oxley spending next year. Among the biggest spending areas are document and records management, internal and external security, business-process management, and compliance-management software.
Sarbanes-Oxley requirements have changed the economics of heterogeneous IT architectures, making the management of separate applications particularly costly, B2B's report concludes. Says Dobrin, "It's simply more expensive to have best-of-breed environments because you have to document and test everything now."