Enterprise Applications - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Enterprise Applications


Sarbanes-Oxley: In Search of Payback



 By: Stan Gibson
2005-08-08
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Enterprise Applications story.


  Table of Contents:
  1. Sarbanes-Oxley: In Search of Payback
  2. ' A Pattern Emerges'

Rate This Article:
Poor Best
Sarbanes-Oxley: In Search of Payback
( Page 1 of 2 )

Case Study: As large companies conclude the first year of Sarbanes-Oxley compliance, many seek in vain a return on investment on larger-than-expected outlays.

With year one of the Sarbanes-Oxley Act compliance drawing to a close, many companies are reeling from initial costs and wondering how to contain expenses in the future, even as they seek to glean business benefits from their often-massive compliance projects. This reality contrasts with the urgings of some vendors and consultants, who, in the wake of the acts passage three years ago, exhorted companies to go above and beyond mere compliance with SarbOx regulations in an effort to return business value on their investments.

Although some companies reportedly are heeding that advice, many others are finding that when it comes to SarbOx compliance, less is more. And, most say, its way too early to talk about getting a positive ROI (return on investment) from SarbOx compliance expenditures. Right now, the best practice is keeping costs within bounds and scavenging for nickel-and-dime efficiencies where they present themselves.

"I dont think were getting a quantifiable return. Were improving the business incrementally, but its not clear were getting ROI from it," said Aldo Moreno, senior vice president and CIO of Herbalife International of America Inc., a nutrition company in Los Angeles. "All the benefits arent going to outweigh the costs," Moreno said, noting that $500,000 of his IT budget has been dedicated to compliance tasks.

"Companies probably spent five times more than they had to. They probably fell across the finish line ... and now they are cleaning up the mess," said Richard Lanza, president of Cash Recovery Partners LLC, an auditing consultancy in Lake Hopatcong, N.J. Even so, Herbalife has seen business improvements, Moreno said. "Its made our organization better. But has it paid for itself? I dont see it," Moreno said. "If you have an organization thats running fairly smoothly and you add office overhead, its just added cost with minimal return."

Resource Library:

A recent survey shows that the benefits envisioned by enterprises for complying with SarbOx may never materialize. Click here to read more.

Still, some consultancies say they can deliver value beyond compliance. "You can get a return from a well-conceived tuneup of the process," said Rob Neumann, managing director and general counsel for Burwood Group Inc., a Chicago solutions provider. "Organizations that brought in Big 4 auditors, without having anyone internally focus on the controls, didnt get anything out of it. But those who treated it as a re-engineering project got a return." Neumann said that typical benefits are less system downtime, quicker response time, better help desk response and better use of required controls.

Al Decker, executive director of Electronic Data Systems Corp.s security and privacy services, in Cary, N.C., said he resolved several problems and generated savings at EDS client companies. "Companies found that when they did an analysis of their business process, there were redundancies and inefficiencies," Decker said. "There was no reason for different units to communicate, so they never did. One company had 50 points of security administration. By implementing an identity and access management system, those points were pulled into one unit."

Some companies, often in highly regulated industries, are getting more bang than others for their SarbOx buck. Tracy DeWald, chief compliance officer at Ameritrade Holding Corp., in Omaha, Neb., said his company had excellent internal auditing in place before SarbOx was enacted and had been conforming since 2001 to the framework of COSO (The Committee of Sponsoring Organizations of the Treadway Commission), on which SarbOx requirements are based. "The cost and effort upfront was not as great as it might be for some other companies," said DeWald. "We didnt have to hire consultants or people to come in. But we developed new processes and brought in new technologies."

Ameritrade first streamlined its processes, and then an internal audit team used Risk Navigator software from Paisley Consulting to automate them as well as to make them comply with NASD (National Association of Securities Dealers) guidelines. "Were getting a lot of benefits to meet new laws," said DeWald. "Were avoiding multiple spends on multiple tools." DeWald said the "$200,000 to $300,000" Ameritrade has spent on Risk Navigator will pay back in perhaps two years.

But even with modest outlays and the use of one tool for two different compliance requirements, Ameritrades return on outlays, beyond compliance itself, is elusive. "The ROI is a little squishy. Have we shown any savings or revenue? Thats a good question," said DeWald.

Like DeWald, Jennifer Bayuk, chief information security officer at New York-based Bear Stearns & Co. Inc., found that running a tight ship all along has stood her company in good stead to meet the SarbOx test. "Its always been our philosophy that Sarbanes-Oxley is good for IT management," Bayuk said. "We started out compliant. All we had to do was document our processes in a different way."

Bayuk said she can see how companies that had no controls could re-engineer significantly and get an ROI, but Bear Stearns has mainly incurred expense, albeit modest, in making things presentable to an independent observer. "As we were compliant ahead of time, it has not given us that much benefit," Bayuk said. "It has given our auditors benefit."

Next Page: A pattern emerges.





  Reader Comments: Sarbanes-Oxley: In Search of Payback
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Enterprise Applications Articles          >>> More By Stan Gibson
 


x}r㶲s\@♵M푦d[kŶ,xMT(S$I~u~|.dxjlFwh6#I"nZΘ\̦dwꚃ>}K$wB}NUQV C7((bP<HwO7n[cQ0R᳙*,Q  jG 0-Pk< Z5754ql/ne0S-ڎIQ>)VNմH>ڴQ$)q@P.w@~Th \2ITߦuB)~{Te膡;? CL#izGQu ͟a;/ !XC~D42]hj:TA`Uƞfo KF3r[ˆL*- DƑ4If@sd#̒JK^`:tm3G^A]õ]&ZΑR݌ept=PzOMҳB($g >?$Q IgKaW+)K+0ϟ~b[tIp\΋2 ˆ= :ԍ۱|$ !j!9a&ԃ C(p}=\'BL|:jp,Eӝfؖq[th(V*Z]QKru_):E}`[¥;}k47?;W)EsvU !GA m+h[I#ZIۇ_w{>~j>r > N7Rߘ 0QR&jt8M3QI 1q`,{/B ^qW-hZIAvina[E4b™EU}dN"?[ڗu&u}Y6f0ZiCA+Wt?#;ˠrqszr|qӹ4C+D_x0ND=cfM5 ,eg5@M)u1tGv!fBM)oz@U@ZZ~nW$9Uٛ"O;zL\RD1Al8{Ä&Q9/4l=j\G.כEsLt];3yя1-+}7Oۭ ]u/{]tZڰ*>cq4U`N-! 8ǵ:on:j~b:6@r }U95jb(7ZdL,5,{Lt차Y8`;}JwϧԴfPwH<: ƠM/G˥yf1@ Ln<` pw>-Fv93{Q {>0iCkJQD4 l"`&q3)к`&oa10 Fdx7t( ,/G`^@48`$8ʼl E!1Y@Xȁ{`sĭ;ݲeǀԜ:;r)Ea1C!O)))?]HPw9DJ B!B60H#`P ar T:ʦBICvnV{T[h!+K@fkfd(2{~4 cfB 'fXr`Y \d+|i)lb Ԩ6؛ri:|:ioB{4 0uq=YIZ-jLcF0pq>{BO-nbԤ/<3_O#kۖs7M ?T 9u# \ē r}ͺX 4ؐ9|&B77:7O)wj@aix*2#wT4tr~#Jݼ~h;h{q#%MAw =E梳xOuX nURub$l*=´Z)!d[l00^Ԣ.,P|U$"!lsiɴC /0|MȆТ~چxTSku  XTM._`cdҶXMj9 X7ld tAFA͔`@E6Ll7TW)թz@4}&.H{{L'!C|<^RfR&nTt @Iu5uY烆7@ƍ/k%|c*9tǩg1읶]%ϥ_(̧6e+h{LsCm0 G "~\EMR^ zhTW+JIU?I?ހH{A2leh,rGmAu؊;$ Eiy Y$p}r)"©5r!| jjx0A,#ןũ¨0vQԻewPy? 1ce[;pObA L>FSmcB_M;$!O_'%Ex>7ᚉ 1ǁ$o+:|!#HM~H \RZr>j +"X8:T:4ݦ|6W݂:lCd5f>O{C{c>4YE j,E@z"RKz-ZUU+òZp}&xϸoG|L '=ܧVaSƖ]4FX\HX]-'LGO}RIS4dP.Q9ufj[EpdEN]tCy!+pDZ\POx]\Ac+>,uO##cYe:@<ݐ늦 uzVE@ G{Cx ؽNHUҚ n:+@%lr ?֊N[SG3?@ŕQ 643Sb_@7T_/=4xEs‡1xኣ54f;NVGO6Jh)VXW!RW dęe~g׆gQyq̤͋|5y @mvgfӏ=_`t mAؙY#7cuitMeb`l "Z`|iY`&c1 s*? |l3pٳ `Mɗb_߯XcJGx}3O>Ǥ|o*,n1}a%ŜQu1Gci}[Uה*eƬɲ7(Ъ6#i(-e..1)Q(&v}8_&IPeQZv+Ձ%΀LdV֪EzXz,)uzh &RrME7uȋ­7:VP'#I?Q*~JeP嵤:i1RʵRM()CoED\vOJ9^M lYKqXAK{p6= -2j=uR/ʖ K%4e%3E/-9@غG72DH#59 us)d}=^Wy-GwD's9A DH·,W!yۭ ǧͦAk3d4)(3u\#axK#VWDH[h`I3 NNs>\zXj,8Eψa5J4ZvjΒ#s}}YLXPH:>X!aPHR ~tIwu\bϻ$BL0F_Th)4juKxv>^8S;slo}AFJN^vZ-g[M7S+t,#?]/8ʊ'=?U.N:|"=Br^'18;=)I"21xg|oAZd~j_eԉ9%2 \(G6-~=`rvGP2)bz&IZ[Ũ ݖ>`<5s:)Oz.Op|Ni+'i^VӲQ6T$4%44QLNC]B+dC7g һj]nNpVHto6Psa뾱IБYc=ty8#-[^:ݷ͆2?̆{Jǻoc Ǯv';w};wq*ApC<-,l't:D(jE[cgwC9Ȫ̅S.{R؉_Nލ8zi @7Yu (f^yaҒ919onR;-4zC >AcIU~(TRεo]VZtC.qB1Vd/)&%ϓy L OK 1l,ۥ{H?vBĬxBw<덧tw̷kD>dOc@/mc|S`ldaзZ)3)$Ι2Jփ6÷Fp7. Ϧf_ O%FJ ,Q`mZ،9!/hvpmU4b[y"N0) W_M7⎍zkQ$g N7V_N7\PGNk@bP "[;jl5uW%' O\.4I?xⵆԕ$#W V.9zm^R+IΣًPj3b'PBO'@mD|iTJ> Idxa[HQ1T= LFzN0I8 ^4O\Hg`_SJWd!bގ$r%6%)&^!\.B { (+*+*_ 85>^꿻,v$ooL7,rnLOyvcRjOF2ϲq/Ux>"1,%` /DXwmns[PERRٔJ/CWzJ]raH hpH O0ZaH pc 4[a*[FYBX_}a܏ $oQ3\C =R.6 {4ܸVUMRj2WeG uqMܐ\RbMi,c-\kNy5앖F:RQik'=jO k#_YuX5TxU\~`{-}r )_QJ;c Bma$jF+}I&`ov_|+|u"x>~s}s}s}s}y]^Q}޻ \XNf co] M%^>ba~ tIܞ脵'=گ^oaljZk䋑 X77!'h/ "W|iߠIST6.2Ki`ݢ G _rm+HrmE)p@x@=0=Oxg|!y z 25_ʆXz)N\2"3R }1Byx8_[q!"A$ D®G_zri'Q\ Fw1R/a|t6Uwӝ \b< J.I%1п =hsT:5~C qE4lutIf81OMS#BzycMonWC{\b. GjW`I+;jEDĶzPl־ZCc@}Nn[^6e)0ěAM8n"h>?zYAOrsDkURx____KkZ"wO얮ϩ ]JTrG q=6t`+H@"'2}m뾾t JCzqQ*5c,d v=nd%E Ө_lRlV\S{K&Zڇg3mkl FlG4&qkv:Bx,Tz}'S w= O9A`HN7ȑa#vFmUluMhǢ:_щ 'ww٧[5tgt3;֠Rozr++0!c J"UOWOD'ӣԖӕ&'7\1 s4¨ݠtZ}B>CWKes^{7مŽvL$wP(Gv07}K[lzŽ p=AYæ)"(hhF]}<6,XA\ۦB75NsIO(aVRsWF%3{ J 4+vAX^qM3&IX~4#uT_RS7\-, ᗤČU9DNE0H ,]Q|4. dR9Bmʹ<8?ԣzQ8gfSYh9 FcjFIj5e_].8N?P/sZX,:ȒqWeL<^^A֋+ iMoN"rRIoA$zTG "JR]`,ysMN#VyI2t}jhTʹJd i\TϡVR*jZ?";М򓈋:(m^aηUKphY\- Fv3%)D$R$ 󽽴WԄn$DX#'Μ8 0ۉJ J?3RmFΝN/sD: c߅%ger0̊ۊRo4J۹aYJ %'Gr;c{±\f,:1aTJ o J}J0'7ZSTP6ejJGh-P" 5&et,20^+@ZBB(YYv'o.'>qUov/>QHՕݷod]C6<vw|w-]249#:&iyK _]БߔjmO*oIgOn4}X Pm̼DGRlPxy&md.4qYm5;5 hŘіI ,sĐ?8,D1# q}n꜓M﷯{aȐP_[{/}..o4G>zQ|0/5$.+Ja ScQ:,|m1a)Yu`6zK?#ᜭ#!K%A HS-5훟/{ʾR0F$u2C:΀ Z 7hiED#RhbGDcOs? uǤ')45aAx$d Dps} dlSLj( sc3"|- H|^RexcP5ȧn犉1Js\-"@e#DqES|XP8S?pk2꥖hH0lfp"(3G]ă0>]S0lOT'ACj S+Ĕ g)u 9 :jeOLg>򳉡{t S2S´v"D^^?').yci 8^yNt_Z| oX22%{xbRWkJ%zu_3ʰLXU+/=?e#7̪g2Qq~JV!J`xFA dq;ZGL€؍X\ݹw>v.Wם~yjcA\_e _T Q9l]28SΘksYx9%y:w_27/PН'Q韯XCĸҫSeLLNN۽OֆS^CVՉx]by5sλmzVx9:&}hj4=V0.8SL^}'vԼU:v<)))-VNyʻ9'@vN1.?C?|:Yguy:9CL2ϽB^Ng(ծy3?E">"@\9_^E^ ?唟AYN?9P~S{3 ?9s w3]7g]?/WW9qr_\O{99kuG௏9 ?~rC(+&࿛KuAy+GZWqz~?29)G9Rk_y+-iN>質9;f7_ʡsTh3*Я#Ud|dnldҹ:R; ]q-=-{[˺rn@ ȣks^楣< ⅇW4zWydSrb{e?VRRw;]Cڤ\|r{]W喛O'ik(#s<2g.g}=* u=3cTHD1KAB0_xt9ͧ,O5'H_jêxĿ+N©gݞ>}n>f@xʘݧӚ>78v|/yd֪K+#B%Axa_ 5y?'O؃o ҾlZ36J쓭? }MF`MTB$pf;w_aa/xIc8kjzG"t9Hùvkm ]w Ɵn ؑ)xT-kZYoZԪw俓kv5,{Dç*R'Ӏe`_)&K<3  .M3^e&Mȡ0CX)fงLk"1<t c6DycA֚w3/Mu?*{_ۉ #Hbf@pb'[{z58ÛwY0`FfbЦ!sF؂%Dİ-#E1N>@#M"xя,E~f&g- ĠG8ОWoC1<:5<X!ꞠW KDr&߼=kF T*A`ğq?1Qk`QerÄc6O 5U"yOlB;Ц@ò"9<'${'V ̋#V}5'"0;c L3a'Hw么p4$1q6`:}|f`->Xv;iݭXKLc5c"ۊƨ^Ƨ"U?Ƅ*1@Ccd>Ck +#͙P|7X&07:%;o8ۉXq23Ox=/gr<5=yC0 OH f8[20tgG|ם.HĭXˆwfho RO^!N fB~../!Kwz_HT6`$72fe&ꚿul71H-t{z$[Y=!fI139L]8G |X|$Qd/I';-#%0uoqcOig@dXV䁝gAg|bO-xXe7{,Hs܇Д2{q_hrV@2#cq}(!3F0Qxs4J(KESXn 傾]'rF+3/nn.3@3p6+|IDN]ylo()u+6*نWTZvAxƻ (`+/];g]Ͷ9"QWgrT~{J}*P=eٚS;] v",dq/+0b^K=qb"U:.~9I_T~3)B4wY|7(68|%O' Ͽa7K:}`S so#gT uCإa󠶓S݌,ɿl9 ˜2J1Д8ٶ2#OA3r Z-[ @ Op8{g!(ĉ0?HˍtdϳAsl+6-  `zMF6iژDR*l'f , ~kfv࿜Qh~.r$c<[_Eڵ묁Ft ] D hymx:< ׁ]" b C>`mR>ǔ ]'[:3й?-Rwe[͌o8_X ( LwENpshفGkXƸ[[* Iy>p;Щ0Tu.vrm'nJQXƪi#¶u4mщ&o;މo^93Qa[O_uwϏp`2o|NN7p2$Ӿ82mpCdkZ (DqU XLâwITR6!;կ88-qlw [#K&t> 'Ɣ ϰ"- xsWmxDx^]"?P߯JQlw^^٠#^"g`)aH|rZ$?aHbU3zwzО3q-C'[?{s\9,Cclʲcv9aRr[&0VW_AkLe]TtCBYEL`;X+ N*t&vж?gՇl&~&THYl{ۺнTnzZyƋ{_El>ODNű<<Kf}')VS,_X1_<|:L+O 70 +RSR|>o/܉S,{ٗN[<|;XͳͳäEK;O(Uƥp?XR|=^'`gh-/=jD*(K- Q{}΂`RXIC"ӳL~s Wia<[Wy&F{˳̆UZ*$էr0y$~XXqg\d¦[hxb7&{bes"'