"My mantra is that Sarbanes-Oxley compliance is not a financial exercise but a cultural exercise," said Cox, chief accounting officer at BMC Software Inc. in Houston. "If we go through the process of compliance and don't achieve any efficiency for the company, then it won't be doing us any good."
Specifically, Cox expects the rigorous auditing and automation of internal controls to expose flawed business practices. "We hope to uncover inefficient processes that can help us save money over time," Cox said.
Sarbanes-Oxley prescribes stringent requirements for financial accounting and corporate governance. Considered by some to be the toughest business law in decades, it requires CEOs to personally validate financial statements and other information or face severe penalties, including fines or even jail time.
Companies must also establish internal controls on data -- how information is stored, retrieved and protected -- and verify them each year through an independent audit.
Yearly audit fees make up one of the biggest costs to businesses, increasing by 35% in 2004 alone, according to Florham Park, N.J.-based Financial Executives International.
In fact, data integrity is at the heart of a rash of recent legislation aimed squarely at corporate America. The Health Insurance Portability and Accountability
Meeting the different compliance standards forces U.S. companies to change how they transact business, and the problem is especially nettlesome if their enterprise extends overseas. Companies with U.S. headquarters must ensure that any foreign outposts they have meet the federal standards. But compliance by overseas vendors or business partners is even more complicated, especially for the punitive Sarbanes-Oxley Act.
"Whether or not your suppliers are compliant with the same requirements you are, really is up to them," said Peter Gerr, an analyst with Enterprise Strategy Group of Milford, Mass. "There is no international governance [organization] and no way to enforce a regulation that includes multiple organizations in a supply chain."
None, that is, save the incentive that U.S. regulators provide. HIPAA rules, for instance, require U.S. health care companies to verify that any overseas vendor handling their sensitive patient data enact the same rigid controls on how information is shared, retrieved and protected. That includes data processing warehouses in India and other offshore locations.
"It's important to know in advance that your rights under service agreements are enforceable in a meaningful way," should vendor or business partners not meet the requirements, said Scott Nathan, an attorney who specializes in data privacy.
At the same time, U.S. companies cannot plead ignorance of how their overseas vendors manage important data. "It's not going to be sufficient to say, 'I outsource that so I'm not responsible,'" said Barry Lurie, a vice president and managing partner with Unisys. "You need to make sure that the information you get back from third-party vendors has appropriate data controls, especially if it's incorporated in your financials or rolled up in a balance sheet."
Tougher accounting and corporate governance also is costing companies time and money. On average, U.S. companies devote 3.3% of their IT budgets to planned compliance initiatives, according to Gartner Inc., of Stamford, Conn. "Since CIOs' budgets have gone up only 1.4% this year, that's almost 2% they have to eat out of discretionary funds," said French Caldwell, a vice president and research director at Gartner.
Companies that expect business benefits from compliance are spending more on training than those who don't, according to a recent Gartner survey. The money is spent training workers who handle sensitive data about the new standards and teaching them why compliance is important. "Spending money on training helps people understand your business processes better, which is really important when auditors start asking them questions," Caldwell said.
To cope with the heightened regulatory climate, Unisys' Lurie said that more companies are pouring money and resources into compliance teams or appointing an executive-level chief compliance officer. He warns that companies should not view compliance as a one-time event. Devising better business processes is important, but companies also need to "ensure that their people are using them."
This was first published in September 2004