Sarbanes-Oxley Act compliance projects are requiring the formation of internal steering committees, the involvement of multiple departments and the deployment of new applications. However, one of the largest costs of compliance, especially for companies just beginning the process, is the hiring of outside consultants to provide professional services.
Boston-based AMR Research Inc. predicts that public companies will spend $1.8 billion this year on professional services related to their Sarbanes-Oxley compliance efforts.
U.S. companies facing the first compliance deadlines in November are turning to Big Four professional consultancies, the consulting groups of top computer companies, startup companies and software vendors partners. These organizations provide various services to companies for assessing impact, reviewing and documenting internal controls, and establishing a control environment for compliance with Section 404 of the act. And this is all taking place before new technology is purchased.
Like most financial institutions, Huntington National Bank, in Columbus, Ohio, had an existing relationship with KPMG LLP. So when the bank evaluated about 20 services companies for support of its Sarbanes-Oxley compliance project, KPMG was a logical choice.
"We had known the [KPMG] principals involved for several years," said John Benninger, senior vice president of risk management and corporate governance at Huntington National. "They had helped us set up our enterprise risk management process and our audit risk management process, which they helped us mold with our enterprise risk management documentation. So that was kind of a plus on their side."
KPMG was involved early in the compliance process, as Huntington formed an internal committee to map a plan of action for complying with the act. A KPMG consultant sat on the committee, along with representatives from the banks internal auditing, corporate finance, IS and corporate accounting departments.
That committee divided the bank into different lines of business and assessed the impact the acts requirements would have on those lines.
KPMG played an even larger role in the documentation phase of Huntingtons Sarbanes-Oxley compliance project, designing templates for documenting controls using IBMs Lotus Workplace for Business Controls and Reporting software.
Benninger said services were a "major piece" of the banks Sarbanes-Oxley compliance project, accounting for about a third of the total costs involved.
Using outside services was key to McData Corp.s compliance efforts as well. The company turned to Protiviti Inc. to develop its controls matrices and manage its testing process. McData built a controls repository in Documentum Inc.s Sarbanes-Oxley solution, then had Documentum services partner iPath Solutions Inc. integrate the Documentum and Protiviti technologies. McData also documented its processes using a workflow template built by iPath.
"Compliance work is not our core competency, and its not going to generate revenue," said Mark Swanholm, director of Internet and productivity applications at McData, of Broomfield, Colo. "We wanted to understand the spirit of Sarbanes-Oxley without spending excessive amounts of time on the process."
IBMs Business Consulting Services group offers Sarbanes-Oxley consulting services at nearly every phase, including project management, resource augmentation for documentation and remediation.
But Susanne Ruschka-Taylor, partner and Americas leader for business risk management at IBMs BCS group, said the divisions main focus is on helping clients with long-term improvement and transformation of business processes and technology architecture, which she said most clients will embark on once theyve reached initial compliance with the act.
"We focus on not just improving business processes but on the overall technology architecture. I think thats where clients really have to do the heavy lifting," said Ruschka-Taylor in Toronto.