Leading companies are proving that money spent on governance is a good investment in their business.

Tallies of corporate governance expenditures post-Sarbanes-Oxley are trickling in, and -- surprise, surprise -- companies are paying more for compliance-related technology, staffing and external service providers, and for their boards of directors, than they paid last year. But some businesses are weaving a silver lining into the fabric of compliance initiatives by using their rising investment to achieve process and efficiency returns that surpass the obligatory goal of meeting governance standards. EMC Corp. used the process documentation resulting from its compliance efforts to help plan a new strategy to better meet customer needs. And Owens Corning transformed its Section 404 project into a formal process-improvement initiative that is identifying best practices and standardizing finance processes in 115 manufacturing plants worldwide.

The majority of public companies seem to be postponing necessary compliance activities right up until Section 404 deadlines begin taking effect at the end of November. But it's not too late to generate extra returns on this required investment. To do so, finance executives must get a handle on their organization's current and future governance spending.

The Price of Being Public

The cost of being public for a $1 billion company increased 130 percent between the inception of the Sarbanes-Oxley Act and the end of 2003, according to a May 2004 study by Chicago law firm Foley & Lardner LLP. The study, which is based on input from senior executives and board members at 115 public companies, emphasizes that the recent cost increases associated with corporate governance are not, for the most part, one-time financial events. Governance spending continues to rise.

Of all the new expenses that have cropped up since the passage of Sarbanes-Oxley in July 2002, Section 404 compliance has siphoned the most money from corporate coffers. "I'd say it accounts for more than 50 percent of overall corporate governance -- and it's probably a lot higher," notes Anne Swaller, practice director of Sarbanes-Oxley services for Parson Consulting in New York City. She says the majority of Section 404 compliance costs revolve around process and controls documentation and controls testing. "The demonstration of internal controls is likely to lead to standardizing the format -- physically, what the piece of paper our internal controls are written on looks like," says Bob Knapp, senior vice president and CFO of Siemens Financial Services Inc., the commercial finance and leasing division of Siemens AG, in Iselin, N.J. "That is a project." Knapp adds that because documenting, testing and upgrading controls represent ongoing work, he doesn't expect the cost hikes to disappear after his company's first 404 deadline.

Staffing increases probably occupy the second-largest governance cost bucket. Knapp points out that many companies have added staff as a result of Sarbanes-Oxley and other regulatory changes. The majority of those increases have helped bulk up internal audit departments and midlevel accounting expertise, but a new senior-level position is also boosting payrolls. "I've been surprised at how many Fortune 500 companies now have chief governance officers," notes Bob Fitzgerald, president of business performance management (BPM) software provider Cartesis Inc. in Norwalk, Conn. "That title immediately gained credibility."

Pamela Wright, vice president of product marketing for finance and accounting with staffing firm Kforce Inc. in Tampa, Fla., reports that 30 percent to 40 percent of the companies she works with have chief governance officers or chief compliance officers. These higher-level hires attract larger compensation packages than internal auditors; they also require more time and input from the executive team during the recruiting process.

In addition, audit fees have increased significantly in the past two years. According to the Foley & Lardner study, they rose by an average of 23 percent from 2002 to 2003. Many companies, particularly small to midsize enterprises, have absorbed even higher jumps. Callidus Software, a $72 million software provider in San Jose, Calif., that went public in November, is spending substantial amounts to ensure that its governance practices are up to snuff. Vice president of finance and CFO Ron Fior expects the company's external audit fees to match its spending on payroll for everyone on the corporate finance staff with the exception only of himself. Callidus hired one professional services firm to help document internal controls and plans to hire another firm to test the controls before external auditors conduct their testing as part of the year-end audit.

Other major drivers of rising governance spending include external legal fees, director fees, directors and officers (D&O) insurance premiums, and purchases of compliance-specific software or upgrades to finance and accounting systems that need stronger internal controls.

Bonuses of Tech Spending

Tim Welu, CEO of Paisley Consulting in Cokato, Minn., anticipates a shift in the factors that most impact spending increases once companies have completed their first 404 audits. Internal staffing and training costs have been the largest expenses during the past two years, but "technology will be a larger percentage of [governance] costs in 2005 and 2006," he says. "Technology and the consultants and labor associated with it will be the larger cost going forward," he emphasizes. "That covers buying new technology as well as consolidating and integrating existing systems."

The good news is that "simplifying the IT structure will reduce compliance costs in the future," Welu predicts. "So there is an ROI. By investing in consolidation and integration now, companies will save in the long run." That sentiment is heartily echoed by both software providers and finance executives whose companies appear to be ahead of the compliance curve.

Fitzgerald sees public-company CFOs beginning to move beyond 404 issues to focus on ways to optimize compliance processes. "They're starting to look for ways to use technology as leverage to gain some ROI," he notes. Fitzgerald points out that the monitoring of compliance metrics is a natural extension of BPM software systems.

SAP product marketing manager Philip Say, in Palo Alto, Calif., says that Sarbanes-Oxley-inspired internal-controls reviews have led many companies to prune the complexity of their IT architecture. "If it was very costly for them to achieve Sarbanes-Oxley compliance because they have a heterogeneous systems environment, they've decided to replace many legacy systems or get on a more homogeneous IT platform," he reports.

An IBM Business Consulting Services survey of 90 CFOs and finance executives at large U.S. companies, published in February, supports Fitzgerald's and Say's points. The study reveals that, along with risk and compliance management, IT issues such as data integrity, compliance dashboards, data security and BPM rank as companies' top improvement priorities identified as a result of Sarbanes-Oxley compliance efforts.

Overlooked Costs and Benefits

A commonly overlooked expense that many companies will scramble to respond to as Section 404 deadlines near is the cost of remediation. "The cost of fixing what you find is almost never included in the initial plan," says Ken Leslie, director of assurance services for public accounting firm Plante & Moran in Southfield, Mich. The problem is prevalent regardless of whether companies handle 404 compliance internally or in conjunction with an external service provider. "We point out to clients that the time and costs associated with remediation can be painful," Leslie says.

Other expenses may be ignored because they are difficult to quantify. The Foley & Lardner study, for example, finds that governance-related activities cost large public companies an average of $2.5 million per year in lost productivity. That figure includes lost earnings resulting from finance executives' focus on governance rather than on growth. "Much more of my time, and any CFO's time, is spent with audit committees and on testing to make sure we've met the compliance standards," says Knapp. "This will be taking up more of our time because we have to be darn sure we can demonstrate this, not only to our public accountants but to our investors as well."

At the same time, some benefits associated with the new governance demands are equally difficult to measure. "What is the ROI of keeping your CFO and CEO out of jail?" asks Glenn Davis, a partner and corporate governance services practice leader with J.H. Cohn LLP in Roseland, N.J. "I think that's worth a lot of money."

Davis believes that stronger internal controls also translate to reductions in order, billing and collections mistakes; higher marks from ratings agencies; and improved employee morale. "People like working for a company where the CEO espouses a strong sense of integrity and strong ethics," he says. "What would it cost to recruit and train replacements for three to five midlevel executives who decided to move elsewhere because of concerns about recurring problems? Good corporate governance makes good business sense."

At Hopkinton, Mass.-based EMC Corp., that connection is clear. As its Sarbanes-Oxley compliance efforts came to fruition, the information storage and management company realized it needed to modify the way in which it takes and fulfills orders to meet the unique needs of a new customer segment it wanted to pursue. The team in charge of the compliance project offered a solution that made vice president and chief accounting officer Mark Link proud.

"They said, 'Look, we have the documented process from our Sarbanes-Oxley work right here. Here's how we can adjust the process to meet our needs, and here are the internal-controls ramifications that we need to address as a result,' " Link explains. The solution demonstrated that the company's internal-controls document was a useful management tool. That was not an accident; EMC designed the template for its internal-controls document very carefully. Link says the company wanted the document to be easily understood by all employees and by external audiences, such as auditors.

Not Too Late for ROI

As EMC has demonstrated, savvy governance spending today can pay off down the road. "If you view these changes as investments rather than as expenditures, there are long-term benefits available," notes Leslie, who recommends taking an enterprise view of each compliance activity and looking at the costs and benefits over a longer period of time than, say, the initial deadline for Section 404 work. Swaller agrees. "Many companies would benefit from shifting the way they think about the cost of corporate governance from a mandatory charge to an investment in their business," she says.

Although companies that actively espouse the governance-as-an-investment philosophy seem few and far between, the results of the February IBM survey, along with a handful of corporate examples, offer reason for hope. Thirty-seven percent of finance executives who responded to the IBM survey indicated that their company's philosophy is represented by the statement "Compliance initiatives will result in minimal improvements to our business processes." However, almost as many respondents (36 percent) said that their company's approach is best captured by the statement "We view compliance as a genuine driver of change and plan to leverage this opportunity to improve our processes." The latter phrase clearly describes the way in which Toledo, Ohio-based Owens Corning invests its governance dollars.

That company's initial risk assessment in early 2003 revealed that its controls were already adequate. All it needed to do was document and test them by its original 404 deadline of Dec. 31, 2003. When the SEC delayed the deadline (the first time), Owens Corning decided to raise the value of the documentation and testing work it was required to undertake.

The company transferred responsibility for its Section 404 efforts from an accounting-compliance executive to Kent Wegener, who, until the end of June, was Owens Corning's director of corporate finance Six Sigma. His job was to develop process excellence, through Six Sigma and other methodologies, in the corporate finance function. "Our CFO decided to turn the effort into an improvement project," Wegener explains. "One of our key philosophies was that the more we can standardize our controls, the more we can leverage the major SAP investment we've already made as a company."

Wegener and his team deconstructed the company's income statement, balance sheet and disclosures into 16 business cycles (e.g., the order-to-cash cycle) and appointed a permanent project manager to design a "desired state of internal controls" -- i.e., best practices -- for Owens Corning for each of these sets of businesses processes. "That's when we visited all 115 manufacturing facilities around the world and said, 'This appears the most efficient, most effective control for this particular category. If you don't have a better one, we want you to change so that all 115 plants are applying the same controls,' " Wegener recalls. "We found the best solution to satisfy a specific control objective and required that solution to be spread throughout the company."

In select cases, a particular facility's unique systems required alternative internal controls. These were submitted to the business cycle "owners," approved and incorporated into the company's documentation. Wegener says three mantras guided the cycle owners: standardization, centralization and consistency. He also notes that Owens Corning elected to delay implementation of some of the best practices it uncovered due to the scope of the efforts those changes will require. However, all of the best practices will be implemented over the next two years.

Wegener says the regulatory and governance environment helped Owens Corning's internal-controls project get off the ground. "You don't necessarily need a bold champion to convince people to invest in the process-improvement project when it is attached to compliance efforts," he explains.

Companies that have not yet leveraged their governance investments to achieve process improvements still have time to act in year two -- but they should move soon. "I definitely don't think it's too late," Wegener says. "But I think if you wait until year three, four or five, then you have to have a different reason for doing it. You would say, 'OK, we've been compliant for three years in a row; what's the reason for us changing now?' "