Users struggle to pinpoint IT costs of Sarbanes-Oxley compliance

The ongoing nature of the required work complicates spending estimates.

Sarbanes-Oxley readiness costs can be hard for companies to pin down, partly because complying with the new financial reporting law isn't a one-time event like Y2k, several IT managers said last week.

Eastman Chemical Co. hasn't even tried to evaluate the IT costs associated with its Sarbanes-Oxley Act compliance initiative, because the work is viewed as "an ongoing effort," said Mark Montgomery, director of administrative operations support and technology systems at the Kingsport, Tenn., company.

Montgomery and other executives said Sarbanes-Oxley's requirement that companies annually document and attest to the effectiveness of their financial controls means compliance work will have to be done on a continual basis.

"A lot of people have this mind-set that it's a one-time project," said Kyle Didier, vice president of finance at Regis Corp., a Minneapolis-based operator of 9,700 hair salons in the U.S. and Europe. But Didier added that he expects Regis to test its internal financial controls as an ongoing process, using software called Certainty that was developed by Movaris Inc. in Campbell, Calif.

Regis has been working on Sarbanes-Oxley readiness for the past nine months and expects to complete the documentation and testing phase by the end of December. Didier said the company expects to spend slightly more than $100,000 on IT over the course of its compliance effort. That includes both software and manpower costs, he added.

John Van Decker, an analyst at Meta Group Inc. in Stamford, Conn., said most companies currently are focusing on Section 404 of the law, which spells out the requirement that CEOs and CFOs certify the effectiveness of the financial controls they have in place. Companies with market capitalizations of $75 million or more have to comply for fiscal years that end on or after June 15, 2004. Smaller businesses and foreign-owned companies have until April 15, 2005.

Financial Executives International, a Florham Park, N.J.-based association of corporate finance managers, surveyed its members last May on cost estimates for complying with Section 404. On average, the 83 respondents said they expect to spend $480,000 on software, consulting services and employee training in advance of the compliance deadlines.

Mark Nagelvoort, vice president and internal control manager at Hudson United Bank in Mahwah, N.J., said the subsidiary of Hudson United Bancorp expects its IT costs tied to Sarbanes-Oxley to come in at less than $500,000, though he declined to be more specific. That includes the bank's use of a software tool called SOXA Accelerator from HandySoft Global Corp. in Vienna, Va., plus expenses for 10 IT staffers who will spend between 5% and 10% of their time working on Sarbanes-Oxley readiness.

"We're saving significant dollars because we're utilizing almost all in-house personnel," Nagelvoort said. And because the banking industry is highly regulated, much of the information that Hudson United needs has already been documented for internal and external auditors, he added.

John Hagerty, an analyst at AMR Research Inc. in Boston, estimates that Fortune 1,000 companies on average will spend about $2.5 million on Sarbanes-Oxley work this year. Technology costs represent just 5% to 10% of the overall tab, Hagerty said, although that doesn't reflect the cost of IT-related staff time being dedicated to compliance efforts.

Hagerty added that it's tough to pinpoint an average IT spending figure for Sarbanes-Oxley "because it's influenced by organizational and systems complexity." For instance, a company with $5 billion in annual revenue and highly centralized business units and IT operations might spend $3 million on compliance, while a similar-sized company that's decentralized could end up spending $10 million, he said.

Copyright © 2003 IDG Communications, Inc.

Shop Tech Products at Amazon