With year one of the Sarbanes-Oxley Act compliance drawing to a close, many companies are reeling from initial costs and wondering how to contain expenses in the future, even as they seek to glean business benefits from their often-massive compliance projects. This reality contrasts with the urgings of some vendors and consultants, who, in the wake of the acts passage three years ago, exhorted companies to go above and beyond mere compliance with SarbOx regulations in an effort to return business value on their investments.
Although some companies reportedly are heeding that advice, many others are finding that when it comes to SarbOx compliance, less is more. And, most say, its way too early to talk about getting a positive ROI (return on investment) from SarbOx compliance expenditures. Right now, the best practice is keeping costs within bounds and scavenging for nickel-and-dime efficiencies where they present themselves.
“I dont think were getting a quantifiable return. Were improving the business incrementally, but its not clear were getting ROI from it,” said Aldo Moreno, senior vice president and CIO of Herbalife International of America Inc., a nutrition company in Los Angeles. “All the benefits arent going to outweigh the costs,” Moreno said, noting that $500,000 of his IT budget has been dedicated to compliance tasks.
“Companies probably spent five times more than they had to. They probably fell across the finish line … and now they are cleaning up the mess,” said Richard Lanza, president of Cash Recovery Partners LLC, an auditing consultancy in Lake Hopatcong, N.J. Even so, Herbalife has seen business improvements, Moreno said. “Its made our organization better. But has it paid for itself? I dont see it,” Moreno said. “If you have an organization thats running fairly smoothly and you add office overhead, its just added cost with minimal return.”
Still, some consultancies say they can deliver value beyond compliance. “You can get a return from a well-conceived tuneup of the process,” said Rob Neumann, managing director and general counsel for Burwood Group Inc., a Chicago solutions provider. “Organizations that brought in Big 4 auditors, without having anyone internally focus on the controls, didnt get anything out of it. But those who treated it as a re-engineering project got a return.” Neumann said that typical benefits are less system downtime, quicker response time, better help desk response and better use of required controls.
Al Decker, executive director of Electronic Data Systems Corp.s security and privacy services, in Cary, N.C., said he resolved several problems and generated savings at EDS client companies. “Companies found that when they did an analysis of their business process, there were redundancies and inefficiencies,” Decker said. “There was no reason for different units to communicate, so they never did. One company had 50 points of security administration. By implementing an identity and access management system, those points were pulled into one unit.”
Some companies, often in highly regulated industries, are getting more bang than others for their SarbOx buck. Tracy DeWald, chief compliance officer at Ameritrade Holding Corp., in Omaha, Neb., said his company had excellent internal auditing in place before SarbOx was enacted and had been conforming since 2001 to the framework of COSO (The Committee of Sponsoring Organizations of the Treadway Commission), on which SarbOx requirements are based. “The cost and effort upfront was not as great as it might be for some other companies,” said DeWald. “We didnt have to hire consultants or people to come in. But we developed new processes and brought in new technologies.”
Ameritrade first streamlined its processes, and then an internal audit team used Risk Navigator software from Paisley Consulting to automate them as well as to make them comply with NASD (National Association of Securities Dealers) guidelines. “Were getting a lot of benefits to meet new laws,” said DeWald. “Were avoiding multiple spends on multiple tools.” DeWald said the “$200,000 to $300,000” Ameritrade has spent on Risk Navigator will pay back in perhaps two years.
But even with modest outlays and the use of one tool for two different compliance requirements, Ameritrades return on outlays, beyond compliance itself, is elusive. “The ROI is a little squishy. Have we shown any savings or revenue? Thats a good question,” said DeWald.
Like DeWald, Jennifer Bayuk, chief information security officer at New York-based Bear Stearns & Co. Inc., found that running a tight ship all along has stood her company in good stead to meet the SarbOx test. “Its always been our philosophy that Sarbanes-Oxley is good for IT management,” Bayuk said. “We started out compliant. All we had to do was document our processes in a different way.”
Bayuk said she can see how companies that had no controls could re-engineer significantly and get an ROI, but Bear Stearns has mainly incurred expense, albeit modest, in making things presentable to an independent observer. “As we were compliant ahead of time, it has not given us that much benefit,” Bayuk said. “It has given our auditors benefit.”
A Pattern Emerges
Other companies found expenses far higher than anticipated. “Ive never blown a budget as bad as I did with Sarbanes-Oxley,” Amy Kwan, senior director of the SarbOx program at Cisco Systems Inc., told a gathering of fellow IT executives at the Society for Information Managements annual SIMposium conference in Chicago last year. Kwan said she initially estimated 40,000 person-hours of labor for compliance but saw that total balloon to 130,000.
“We wanted to get payback for the company, rather than just meet the laws requirements,” said Kwan. Cisco initially targeted July 31, 2004, as its compliance deadline but caught a break when the Section 404 deadline was extended, pushing Ciscos Section 404 compliance deadline back to July 31, 2005.
Greg Tranter, vice president and CIO at Allmerica Financial Corp., in Worcester, Mass., was between the extremes. “We took a middle-of-the-road approach,” Tranter said. “We found pockets of opportunity to eliminate redundancies and organize our information differently. There was data we didnt even know about in different places. We didnt spend a lot—between $500,000 and $1 million. We saved a couple hundred thousand. That tells me we had pretty good processes.”
Although there are as many compliance tales as there are companies, broad patterns are emerging after a year or so of compliance. Typically, year one is a scramble to comply using the means at hand, including paper-based systems. In year two, companies often try to convert the procedures of year one to automated electronic processes. In year three, companies seek cruise altitude with compliance processes. It is only then that costs may fall, and savings, via greater efficiencies and eliminated redundancies, may appear.
“Last year was basically a paper-based effort. This year weve consolidated things on a Web site and used document management software to be sure we were all working with the same copies of all the files,” said Sam Inks, director of IT at Aerojet-General Corp., in Gainesville, Va., and an eWEEK Corporate Partner. “Automation is going to make year three easier.”
Richard Putz, a senior manager at management consulting and systems integrator BearingPoint Inc., of McLean, Va., backed that view. “I envision the day when the expense will be less than the benefit,” Putz said. “Its like ERP [enterprise resource planning], which probably never paid for itself in the early years. But it will eventually. It will be about three years from now, for a best-practices company. For those that arent, it will be like messed-up ERP.”
As for SarbOx, the ultimate practice may be to “lose” less money than rivals. Inks said theres no shame in just enabling compliance. “If everybody signs on the bottom line at the end of the year and the auditors go away happy, youve done a heck of a job,” Inks said.