With year one of the Sarbanes-Oxley Act compliance drawing to a close, many companies are reeling from initial costs and wondering how to contain expenses in the future, even as they seek to glean business benefits from their often-massive compliance projects. This reality contrasts with the urgings of some vendors and consultants, who, in the wake of the act's passage three years ago, exhorted companies to go above and beyond mere compliance with SarbOx regulations in an effort to return business value on their investments.
Although some companies reportedly are heeding that advice, many others are finding that when it comes to SarbOx compliance, less is more. And, most say, it's way too early to talk about getting a positive ROI (return on investment) from SarbOx compliance expenditures. Right now, the best practice is keeping costs within bounds and scavenging for nickel-and-dime efficiencies where they present themselves.
"I don't think we're getting a quantifiable return. We're improving the business incrementally, but it's not clear we're getting ROI from it," said Aldo Moreno, senior vice president and CIO of Herbalife International of America Inc., a nutrition company in Los Angeles. "All the benefits aren't going to outweigh the costs," Moreno said, noting that $500,000 of his IT budget has been dedicated to compliance tasks.
"Companies probably spent five times more than they had to. They probably fell across the finish line ... and now they are cleaning up the mess," said Richard Lanza, president of Cash Recovery Partners LLC, an auditing consultancy in Lake Hopatcong, N.J. Even so, Herbalife has seen business improvements, Moreno said. "It's made our organization better. But has it paid for itself? I don't see it," Moreno said. "If you have an organization that's running fairly smoothly and you add office overhead, it's just added cost with minimal return."
Still, some consultancies say they can deliver value beyond compliance. "You can get a return from a well-conceived tuneup of the process," said Rob Neumann, managing director and general counsel for Burwood Group Inc., a Chicago solutions provider. "Organizations that brought in Big 4 auditors, without having anyone internally focus on the controls, didn't get anything out of it. But those who treated it as a re-engineering project got a return." Neumann said that typical benefits are less system downtime, quicker response time, better help desk response and better use of required controls.
Al Decker, executive director of Electronic Data Systems Corp.'s security and privacy services, in Cary, N.C., said he resolved several problems and generated savings at EDS client companies. "Companies found that when they did an analysis of their business process, there were redundancies and inefficiencies," Decker said. "There was no reason for different units to communicate, so they never did. One company had 50 points of security administration. By implementing an identity and access management system, those points were pulled into one unit."
Some companies, often in highly regulated industries, are getting more bang than others for their SarbOx buck. Tracy DeWald, chief compliance officer at Ameritrade Holding Corp., in Omaha, Neb., said his company had excellent internal auditing in place before SarbOx was enacted and had been conforming since 2001 to the framework of COSO (The Committee of Sponsoring Organizations of the Treadway Commission), on which SarbOx requirements are based. "The cost and effort upfront was not as great as it might be for some other companies," said DeWald. "We didn't have to hire consultants or people to come in. But we developed new processes and brought in new technologies."
Ameritrade first streamlined its processes, and then an internal audit team used Risk Navigator software from Paisley Consulting to automate them as well as to make them comply with NASD (National Association of Securities Dealers) guidelines. "We're getting a lot of benefits to meet new laws," said DeWald. "We're avoiding multiple spends on multiple tools." DeWald said the "$200,000 to $300,000" Ameritrade has spent on Risk Navigator will pay back in perhaps two years.
But even with modest outlays and the use of one tool for two different compliance requirements, Ameritrade's return on outlays, beyond compliance itself, is elusive. "The ROI is a little squishy. Have we shown any savings or revenue? That's a good question," said DeWald.
Like DeWald, Jennifer Bayuk, chief information security officer at New York-based Bear Stearns & Co. Inc., found that running a tight ship all along has stood her company in good stead to meet the SarbOx test. "It's always been our philosophy that Sarbanes-Oxley is good for IT management," Bayuk said. "We started out compliant. All we had to do was document our processes in a different way."
Bayuk said she can see how companies that had no controls could re-engineer significantly and get an ROI, but Bear Stearns has mainly incurred expense, albeit modest, in making things presentable to an independent observer. "As we were compliant ahead of time, it has not given us that much benefit," Bayuk said. "It has given our auditors benefit."