Sarbanes-Oxley Compliance: Meeting the Mandate, Maximizing the Outcome
June 1, 2005
How are companies managing their drive toward sustainable compliance? Business Finance assembled a panel of finance executives and technology experts to find out.
Business Finance: Compliance management software and the cost associated with utilizing it effectively will likely continue to be significant. What are some of the things that companies can do to manage spending effectively in this area?
Vani Kola, CEO & Founder, Certus: The software costs are about 15 to 20 percent -- maybe as low as 10 percent -- of overall compliance costs, from our experience so far. To me this is not a significant cost. But what companies can do with their IT structure to gain higher quality of compliance is standardize the IT infrastructure to enable users throughout the enterprise to adopt the software.
Doug Robinson, SVP/Controller, Computer Associates: As we've gone through the compliance process, I've seen the benefit of systems integration. I think companies that don't have an integrated infrastructure can gain a lot by getting the right software tools in place and integrating them, and then the work really kind of takes care of itself.
Peter Morgan, VP, Marketing, OpenPages: Regarding the point that the cost of software is about 15 to 20 percent of SOX compliance costs, we should be clear about what kind of software we're talking about. If it's Excel, which an awful lot of people have attempted to approach this with, the human costs and the outside consulting costs are going to be enormous. If you want to drive those costs down, then you're going to need a standard system that can expand to address not just financial-disclosure-related issues but all potentially significant processes, risks and controls throughout the organization.
Neetin Datar, Director, Compliance Applications, SAP: I agree that simplifying the IT structure definitely helps, as each system represents cost and risk in terms of compliance and internal control. For example, take the purchase-to-pay process. Even today, companies have four or five different systems handling the process. Smart companies are aggressively following through on a vendor-consolidation strategy to reduce the number of IT vendors. But let's keep in mind that Sarbanes-Oxley is just one of the legislative requirements. There are others that have equally sharp teeth. And there are common technology requirements across all these different requirements -- like dashboards, like business reporting, like business process automation. A common platform across an organization is crucial to achieving scalability, and reusing technology reduces costs across the board.
Scott Ramsey, Global Practice Leader, Information Security Solutions Practice, CTG: The problem is that most of the tools out there have done a very nice job on what I'll call the process side -- looking at how processes are being performed. But there is no linkage, if you will, into the overall infrastructure on the IT side that provides the support basis for those processes. What's needed is a dashboard to not only use internally but externally in order to show management and the external auditors what's [happening] on a real-time basis so that anytime a change occurs -- whether it be an M&A [merger-and-acquisition] activity, a change in infrastructure, an organizational change, or a change in process -- it comes up on the dashboard.
Tim Leech, Principal Consultant & Chief Methodology Officer, Paisley Consulting: A big cost driver is in the level-one, level-two and level-three testing of the original assessment work. Level one is the work done by management. Level two is any work done by internal audit or contracted internal audit, and level three is the work done by the external auditors. There needs to be data integration and seamless hand-off of that data so that the integration of all that quality assurance work comes together. If your external auditor is spending five days just exporting, importing and attaching files at $300 an hour, it represents a big cost.
Ramsey: External auditors are going to be doing their discovery work on a quarterly basis. They'll be asking, "What has changed since the last time I was here? What can you show me in terms of validating that change occurred or that it did not?" Then it will be up to them to decide how much testing they're going to want to do to give them a high enough level of assurance.