A Pattern Emerges
."> Other companies found expenses far higher than anticipated. "Ive never blown a budget as bad as I did with Sarbanes-Oxley," Amy Kwan, senior director of the SarbOx program at Cisco Systems Inc., told a gathering of fellow IT executives at the Society for Information Managements annual SIMposium conference in Chicago last year. Kwan said she initially estimated 40,000 person-hours of labor for compliance but saw that total balloon to 130,000. "We wanted to get payback for the company, rather than just meet the laws requirements," said Kwan. Cisco initially targeted July 31, 2004, as its compliance deadline but caught a break when the Section 404 deadline was extended, pushing Ciscos Section 404 compliance deadline back to July 31, 2005.Although there are as many compliance tales as there are companies, broad patterns are emerging after a year or so of compliance. Typically, year one is a scramble to comply using the means at hand, including paper-based systems. In year two, companies often try to convert the procedures of year one to automated electronic processes. In year three, companies seek cruise altitude with compliance processes. It is only then that costs may fall, and savings, via greater efficiencies and eliminated redundancies, may appear. "Last year was basically a paper-based effort. This year weve consolidated things on a Web site and used document management software to be sure we were all working with the same copies of all the files," said Sam Inks, director of IT at Aerojet-General Corp., in Gainesville, Va., and an eWEEK Corporate Partner. "Automation is going to make year three easier." Richard Putz, a senior manager at management consulting and systems integrator BearingPoint Inc., of McLean, Va., backed that view. "I envision the day when the expense will be less than the benefit," Putz said. "Its like ERP [enterprise resource planning], which probably never paid for itself in the early years. But it will eventually. It will be about three years from now, for a best-practices company. For those that arent, it will be like messed-up ERP." As for SarbOx, the ultimate practice may be to "lose" less money than rivals. Inks said theres no shame in just enabling compliance. "If everybody signs on the bottom line at the end of the year and the auditors go away happy, youve done a heck of a job," Inks said. Readers respond to "Sarbanes-Oxley: In Search of Payback." Click here to read more. Check out eWEEK.coms for the latest news, commentary and analysis on regulatory compliance.
Greg Tranter, vice president and CIO at Allmerica Financial Corp., in Worcester, Mass., was between the extremes. "We took a middle-of-the-road approach," Tranter said. "We found pockets of opportunity to eliminate redundancies and organize our information differently. There was data we didnt even know about in different places. We didnt spend a lotbetween $500,000 and $1 million. We saved a couple hundred thousand. That tells me we had pretty good processes."