The Focus on SOX 404
Section 404 mandates that firms listed on U.S. stock markets provide annual disclosures and quarterly updates to shareholders on the effectiveness of internal controls over financial reporting processes. The huge organizational effort required to comply with this rule brought SOX 404 to the forefront of the compliance agenda of North American financial services firms in 2003. Compliance with this section will continue to dominate compliance priorities in 2004.
Despite the attention devoted to SOX 404, financial services firms were hesitant to purchase external applications designed for SOX 404 compliance in 2003. Many financial institutions are planning to rely on the controls documentation solutions supplied by their consultants to meet the deadline for SOX 404 by November 2004. Other firms developed a SOX 404 solution in-house instead of purchasing an external solution. The primary reason cited for electing to develop the solution in-house: employees can do a better job with development of a SOX 404 tool that fits a firm's unique processes.
Automating SOX 404 Workflow in 2005
Given this prevailing attitude, Financial Insights estimates that North American financial services firms spent less than $30 million on external solutions for SOX 404 compliance in 2003. We estimate that this number will double in 2004. While firms are clearly taking a "just get it done" attitude with regard to SOX 404, we believe that this attitude will change over the next couple of years. Financial firms will begin automating compliance processes after going through their first SOX 404 reviews, and they will look to more robust external solutions to help them accomplish this. At this time, they will seek a more flexible solution that can expand to include additional fields or control types, and they will recognize the need for a scalable enterprise solution that can support workflow for hundreds or even thousands of employees every quarter. Spending by North American financial institutions on solutions that can automate SOX 404 processes will grow strongly, at 40 percent annually, over the next five years, to reach $300 million by 2008.
Sarbanes-Oxley Compliance, More Than Just 404
But what about other sections of Sarbanes-Oxley? Section 302 requires senior executives to certify that reported financial and non-financial information is accurate and complete. And what about related SEC rules that will require accelerated and additional disclosure for 10-Ks, 10-Qs and 8-Ks? Clearly, there is more to compliance than just SOX 404. Sarbanes-Oxley Act rules imply that the executive office must have visibility into the details underlying reported financial information and must know in real time of any changes to business performance. This requirement will fuel new investments in performance management applications that enable detailed and dynamic monitoring of a firm's financial performance. Investments in performance management solutions are not new to financial services firms. Finance groups in financial institutions have been purchasing such solutions over the last several years to improve financial management processes. Compliance has been a leading driver for purchases driven by the corporate office at a few large financial institutions.
Financial Insights estimates that North American financial institutions spent over $100 million on enterprise performance management solutions in the U.S. and Canada in 2003. This number will grow to $174 million in 2004 and will reach $450 million in 2008.
Beyond Sarbanes-Oxley, Comprehensive Compliance
Given the similarities in the applications and infrastructure components required to comply with new regulations impacting financial services firms, including the PATRIOT Act and Basel II, we estimate that a key long-term trend in the market for compliance solutions will be application and infrastructure integration.
On the infrastructure side, we foresee that the data infrastructure supporting compliance activities will become more and more integrated through data warehouses or through applications that can connect to disparate sources. On the application side, we are already seeing firms invest in solutions that meet both anti-money laundering requirements prescribed by the PATRIOT Act as well as SEC and Sarbanes-Oxley-related requirements to monitor for internal fraud and for compliance breaches with securities laws. Investments in such AML/Surveillance solutions have been particularly strong among securities firms.
Specific to Sarbanes-Oxley compliance, we estimate that SOX 404 solutions will become more and more integrated with enterprise performance management applications to facilitate the regulatory reporting process.
Integration will take time. Technologically, it is already here today and IT vendors have been ready with partnerships and attractive solutions. Culturally and organizationally, it is not. Financial services firms have much internal work to do before they can begin to combine disparate compliance processes. Until this time, investments in IT for compliance will continue to remain focused on specific regulations.