Few Firms Executing Sarbanes-Oxley Initiatives

Minority of enterprises viewing compliance as opportunity to improve business efficiency, become more competitive, META finds

Stamford, CT  December 16, 2003  Fewer than one-third of enterprises currently are actively executing projects to ensure Sarbanes-Oxley (SOX) compliance projects as they approach the deadline for compliance to Section 404, while the greatest number of companies are just initiating their SOX projects, according to research from technology consultancy META Group.

Most U.S.-based organizations are in various stages of Sarbanes-Oxley (SOX) compliance projects as they approach the deadline for compliance to Section 404, META found, but a minority of enterprises are looking beyond just tactical compliance and focusing strategically on leveraging SOX investments.

Meanwhile, the consultancy has found that more than half of business service providers and IT vendors in a survey have been disappointed by  or have failed to see any substantial sales movement resulting from  companies' need to become SOX compliant.

The Six Phases of Compliance

META has identified six phases through which a SOX project must be managed, with information technology (IT) playing a strategic role. The IT organization needs to be included as a supporter of enterprise internal control projects and must understand the maturity level or stage of the SOX project in order to help, the consultancy asserted.

Ten percent of SOX-affected firms are at the "exploration" (Level 0) stage, according to META's estimates, while 25 percent of affected firms are at "building awareness" (Level 1), which is where the enterprise SOX project is being defined and resources are being identified to manage the Section 404 process.

The greatest percentage (40 percent) of enterprises are at "project initiation" (Level 2) with their SOX initiatives, which is where the formal enterprise SOX project begins, and a further 25 percent of firms are at "project execution" (Level 3) and are actively involved in executing their internal control projects, given the rolling compliance date (through June 2005).

Only 5 percent of firms are at "perform assessment/review results" (Level 4), working on identifying business processes. Finally, META believes that very few firms are at "optimization" (Level 5), and for most, this will begin after the initial Section 404 compliance date (June 2004 and ongoing).

"Seventy-one percent of companies polled in a recent META Group survey believe they will meet SOX by their required deadlines," said John Van Decker, vice president with META Group's Technology Research Services. "Firms are moving further along the SOX maturity curve and are considering business application projects to address deficiencies in the financial control processes."

Spending on SOX is primarily focused on Section 404, and the auditing and compliance service providers are the initial beneficiaries. Spending for business applications will ramp up in 3Q04 as firms complete their Section 404 projects and address weaknesses, according to META Group. In addition to driving increased business for audit/risk service firms, SOX compliance efforts will prove a boon to IT product and service vendors.

"SOX requires that firms have documented and compliant internal controls around financial management processes," said Van Decker. "SOX has a major impact on IT, including support for business applications and IT governance."

Many firms will utilize SOX as a means of improving business efficiency, going beyond what is merely required to comply, according to META. Forty-nine percent of firms polled believe SOX is a necessary cost of doing business, and 39 percent said SOX would eventually make them more competitive.

SOX Sales Slow So Far

Separately, META reported that a poll has shown that 57 percent of business service providers and IT vendors surveyed have been disappointed by  or have failed to see any substantial sales movement resulting from  companies' need to become SOX compliant.

Although 97 percent of providers polled view ongoing SOX compliance as a future business driver, sales to date have been lower than anticipated. Currently, companies are directing SOX compliance investments toward internal resources, such as analyzing regulations and documenting processes, or toward external auditors and risk management consultancies. META Group estimated that the internal analysis and documentation efforts account for an average of 75 percent of the total SOX compliance investment to date.

"Organizations are making significant investments to gain and evidence SOX compliance, but so far they have not been with the largest constituency of pro-Sarbanes-Oxley businesses  IT product vendors," said Stan Lepeak, vice president with META Group's Technology Research Services. "It's important that the IT product vendors who are chasing the SOX rainbow take the time to develop solutions that are truly tied to compliance stipulations and requirements, not just warmed over IT solutions in a loose SOX wrapper."

Although IT product investments will increase in 2004, META Group believes that, for most companies, SOX compliance is a business process issue and that it is not predominantly tied to investing in more IT applications and systems.

For more information on Sarbanes-Oxley, read Parts 1 and 2 of the recent SDCExec.com series on Contract Management: Five Myths of Contract Management, and Contract Management: Improving Corporate Governance.

Other recent SDCExec.com articles on Sarbanes-Oxley:

• Sarbanes-Oxley: The Next Y2K?


• Survey Reveals New Findings on Sarbanes-Oxley Compliance


• Most Companies Working on Sarbanes-Oxley


• Survey: Most Companies Have Not Budgeted for Sarbanes-Oxley Compliance