Big companies turn to packaged Sarb-Ox apps

Many take off-the-shelf approach, citing cost, time and IT resource constraints

Most large companies that have begun addressing the first leg of Sarbanes-Oxley compliance are buying packaged software to document and track their financial controls instead of developing such systems in-house, corporate executives and analysts said last week.

Several IT and business managers who are addressing the Section 404 requirements of the Sarbanes-Oxley Act said their buy-vs.-build assessments showed that it would be faster and less expensive to buy off-the-shelf software and have the vendor customize and maintain it for them.

For instance, Regis Corp., a Minneapolis-based company that operates 9,700 hair salons in North America and Europe, spent about $100,000 to buy Movaris Inc.'s Certainty compliance tool. Regis officials briefly considered developing a Section 404 tracking system internally, said Kyle Didier, the company's vice president of finance. "But we decided the risks would be greater and the costs would be twice as much, if not more," he said.

Didier added that the company's decision to use the Movaris software to test its financial controls was also based on IT staffing constraints that would have forced executives to reallocate resources away from projects that are more important from a business standpoint.

Juniper Networks Inc. in Sunnyvale, Calif., also opted for the Movaris tool. "I think it probably would have been more expensive to build our own system in the long run," said Juniper CIO Kim Perdikou, although she didn't disclose specific cost estimates. "Our business is building routers, not applications. If we can buy it, we'll do that first."

John Hagerty, an analyst at AMR Research Inc., said it costs $100,000 to $150,000 on average to license a Section 404 compliance-tracking tool. The cost of internally developing a comparable system would amount to a few hundred thousand dollars or more at most companies with annual revenues that exceed $1 billion, he said.

Kim Perdikou, CIO at Juniper Networks Inc.
Kim Perdikou, CIO at Juniper Networks Inc.
That estimate doesn't include the cost of maintaining homegrown technology. "At the end of the day, you have to maintain it yourself as opposed to having a vendor who will continue to support it with any new compliance or regulatory support that might be needed," Hagerty said.

Ready or Not

Some companies have found that financial software they already have in place is up to the task of meeting Section 404 compliance requirements.

Regal Entertainment Group, a Knoxville, Tenn.-based operator of movie theatres, uses an existing installation of Global Software Inc.'s Spreadsheet Server application and other off-the-shelf software to document its internal controls. "I don't have any fear that I'm pulling old data or data that's been manipulated somewhere," said David Ownby, Regal's senior vice president of finance.

"Building a compliance-tracking system from scratch is likely to be more expensive than combining a few existing tools that firms often already own - like an enterprise content management system and a business intelligence tool," said Jennifer Chew, an analyst at Forrester Research Inc.

That reasoning played into Emcor Group Inc.'s decision to develop a Sarbanes-Oxley compliance application on top of an existing Notes system. Executives at Norwalk, Conn.-based Emcor have said that strategy will keep the company's costs below the six-figure levels cited by AMR's Hagerty (see story).

Hagerty noted that in addition to dealing with cost issues, many companies are still struggling to formulate Sarbanes-Oxley compliance strategies -- a factor that also encourages them to buy instead of build. "The problem that most users face is they don't know what they don't know, so they look to a packaged vendor to give them a framework to work with," Hagerty said.

Copyright © 2004 IDG Communications, Inc.

Shop Tech Products at Amazon