While Sarbanes-Oxley is a front-burner issue--the deadline for compliance with section 404, dealing with financial-reporting controls, is a little more than three months away--more than a third of companies surveyed by Meta Group in a study released Monday don't have an overall budget dedicated to regulatory compliance.
Those that do plan to spend $7.2 million on average next year. Companies are tying compliance spending to specific regulations. Fifty-six percent of companies surveyed by Meta Group have allocated resources for Sarbanes-Oxley and HIPAA; 48% for the Patriot Act; 35% for Gramm-Leach-Bliley (financial modernization); 33% for Basel II (risk management for financial-services companies); and 28% for the Securities and Exchange Commission's rule 17a-4 (E-mail and IM retention).
But CIOs are having to spread their limited resources even thinner to achieve compliance, especially with Sarbanes-Oxley's section 404. The recently adopted auditing standard defines four major categories of IT control--program development, program changes, computer operations, and access to programs and data.
CIOs can't operate in a vacuum; they need to work collaboratively with CFOs, legal counsel, and other executives. Yet instead of creating a compliance playbook, many companies are taking a fly-by-the-seat-of-your-pants approach, with its attendant organizational ills. Less than a third (27%) of Meta Group survey respondents identify their company's CFO as the chief leader for compliance. But only 16% say the chief compliance officer reports to the CFO, and even fewer (14%), say the chief compliance officer reports to the CIO.
CIOs need to sell CEOs on the idea that compliance-related IT spending can boost revenue or lower costs, such as by improving business intelligence. They're looking at an uphill climb; only 12% of Meta Group respondents express an interest in leveraging compliance solutions for business-process improvement.