As many as 90% of public companies are still trying to put compliance efforts in place, Gartner analyst Lane Leskela says. According to a new GartnerG2 survey, 85% of respondents don't have an official budget for compliance, and only 21% have completed more than three-quarters of their compliance efforts. Vendors are introducing products to help, but people who have already been through the process say it takes time.
Regis Corp., which operates 10,000 hair salons under various brand names, is on track to comply with Sarbanes-Oxley's section 404, which requires public companies and their auditors to attest to the effectiveness of internal controls for financial reporting. Companies must do this by the time their 2004 fiscal year ends, so Regis must comply by June. Companies whose fiscal years end in December have until the end of next year to comply.
Regis began its effort more than a year ago, says Jeff Savage, senior director of financial reporting. It has completed process flow charts, identified and fixed gaps in controls, prepared a controls matrix, and developed a quarterly test plan. It's using compliance software from Movaris Corp. Companies need to have their systems ready six months ahead of their compliance date or they could find themselves in big trouble, Savage says.
Zions Bancorporation, a financial institution with $28 billion in assets, combined its Sarbanes-Oxley compliance effort with another big compliance project, Basel II, a set of international risk-based capital guidelines due to take effect in 2006, says David Stone, senior VP of risk management. Both require risk mitigation, controls assessment, and management oversight, he says. "It didn't make sense to attack each problem separately, so we combined them." The approach puts Zions on track to complete its Sarbanes-Oxley compliance by year's end.
Companies that haven't started their compliance efforts could be in trouble, Stone says. The Securities and Exchange Commission is unlikely to take their word that they're in compliance. "The free ride is over," he says. "People are sick of blindly putting faith into financial statements."
Businesses tend to view Sarbanes-Oxley compliance as either a financial reporting problem or an IT problem, when in fact it's both, Gartner's Leskela says. To ensure that internal controls are working, financial management and auditors need to drill down deeper into transaction-level data. IT, for its part, needs to make this data accessible to financial management.
Two enterprise-resource-planning system vendors recently introduced compliance add-ons to their financial-reporting systems. PeopleSoft Inc.'s Internal Controls Enforcer provides monitoring and diagnostic tools. SAP's Compliance Management, developed with PricewaterhouseCoopers, helps executives document and model processes and controls, track remediation efforts, and report to management.
Companies will need to spend $1 million on compliance this year for every $1 billion in revenue they take in, and double that amount next year, says Kraig Haberer, director of financials products marketing at SAP. Most of these costs will go for outside consulting, auditing, and internal personnel. A relatively tiny share--10% to 20%--will go for new software.