Last week three SunTrust employees were fired in connection with accounting irregularities--deficiencies in the bank's method of determining loan-loss reserves--uncovered by an internal investigation. The bank restated its earnings upward for the first half of the year because of the discovered irregularities.
The investigation revealed "inadequate control procedures, insufficient documentation, and a failure to detect errors in our loan-loss calculations," SunTrust chairman and CEO Phillip Humann said in a conference call last week.
The three terminated employees, including the bank's chief credit officer, belonged to its credit-administration division. In addition, the bank's controller was reassigned to a position not related to financial reporting.
SunTrust said it's unlikely the deficiencies will be corrected by Dec. 31, which means it will be unable to state in its 2004 annual report that its internal control over financial reporting is effective, as required by the Sarbanes-Oxley Act.
Beginning Nov. 15, companies must, under Sarbanes-Oxley's section 404, include a statement attesting to the effectiveness of internal controls over financial reporting with their 2004 annual reports. That entails a heavy commitment of IT resources dedicated to documenting and testing the business processes that directly contribute to a company's financial statements.
Those demands are taking a heavy toll on IT budgets. According to a survey released last week by AMR Research, technology spending devoted to achieving Sarbanes-Oxley compliance will grow from $1.1 billion this year to $1.6 billion next year. Sarbanes-Oxley is chewing up 42% of compliance-related IT spending. More than a third (36%) of companies plan to increase Sarbanes-Oxley spending next year.
Among the biggest spending areas are document and records management, internal and external security, business-process management, and compliance-management software.