Sarb-Ox adds to cost, length of IT projects

Computerworld - As publicly traded companies are forced to document their internal controls to comply with the Sarbanes-Oxley Act, some are seeing a trickle-down effect: longer and more costly IT projects.
That's because project teams now have to conduct more thorough quality-assurance assessments and testing throughout project life cycles to document IT controls, according to IT managers and analysts who were interviewed last week.
"I've spent the past four or five years trying to streamline our project methodologies, but SOX has added that all back," said the vice president of IT at a telecommunications company. The executive, who requested anonymity, cited the need for additional sign-offs during different phases of projects along with other required controls-related checklists.
As a result, "business sponsors are complaining because it's adding a considerable amount of time to projects," she noted.
After helping finance departments meet the initial set of Sarbanes-Oxley requirements, IT staffs are entering a second stage of compliance work, said Cathy Hotka, principal at Cathy Hotka & Associates, a retail IT consultancy in Washington. Now they have to ensure that effective project management controls are in place, she said.
Getting to that next level of quality control without lengthening projects or making them more costly "will be a struggle for everyone," said Hotka.
"We came into this knowing that SOX was going to be a pain in the butt," said a CIO at a large insurance company who also requested anonymity. The insurer's IT department has taken a couple of steps to prevent the Sarbanes-Oxley requirements from having a negative effect on its IT project costs and cycle times, he said.
First, in January the CIO ordered a two-week delay of all software installations, including internally developed software and upgrades of off-the-shelf applications such as its PeopleSoft financial systems. The move was made so the upgrades wouldn't affect the company's year-end financial close, the CIO said.
In addition, the IT department is factoring controls requirements that are related to Sarbanes-Oxley into all of its project plans. "In the project planning stage, one of the questions we now ask is, 'Will this system have an effect on our financial systems or financial operations?'" the CIO said. Any impact on financial systems is factored into the design and testing of those systems, he added.
Longer Projects
Jim Morse, program office manager at Meijer Inc., a Grand Rapids, Mich.-based retailer, estimated that Sarbanes-Oxley-related quality-assurance testing and other controls documentation being done for new IT projects will likely lengthen projects for affected companies by 10% to 15%.
Asa privately held company, Meijer isn't bound by law to comply with the full Sarbanes-Oxley Act, although the company is validating some of its internal controls for Visa U.S.A. Inc. and Mastercard International Inc., said Morse.
John Hagerty, an analyst at Boston-based AMR Research Inc., noted that many of AMR's clients have said that Sarbanes-Oxley's biggest impact on IT project requirements involves change control. This includes ensuring that all systems changes are thoroughly tested and put into production effectively.
"No one likes oversight if they think it's overkill," said Hagerty. But now, all parts of a company's business, including accounting and IT, are subject to additional oversight in order to drive better governance, he added.

Read more about legislation/regulation in Computerworld's Legislation/Regulation Knowledge Center.