C-Level Executives Seen More Likely to Outsource SOX Compliance Efforts

Organizations unclear about major changes influenced by Sarbanes-Oxley compliance procedures, META study finds

Organizations unclear about major changes influenced by Sarbanes-Oxley compliance procedures, META study finds

Stamford, CT  August 19, 2004  C-suite executives are significantly more likely than line-of-business managers to increase outsourced functions as a result of Sarbanes-Oxley (SOX) compliance efforts, according to a new study of enterprise compliance strategies released by technology consultancy META Group.

The study, "Organizational Trends in Sarbanes-Oxley and Regulatory Compliance Issues," also found that information technology (IT) professionals are more likely to believe that compliance will not impact outsourcing decisions.

For the report, META Group performed a market research study of those with knowledge of decisions about the selection and implementation of compliance solutions and services for their organizations. The study is based on a random sample of nearly 300 executive, finance and IT decision makers and influencers. For the study, META defined line-of-business managers as vice presidents, directors, managers and business staff.

Organizations are confused and disjointed regarding the objectives, necessity, focus, direction and strategy of compliance initiatives, according to META. Most enterprise stakeholders polled do not expect to see major changes to business and IT processes as a result of compliance procedures.

META Group analysts said that these findings suggest that organizations generally lack an understanding of the scope and necessity of required compliance initiatives.

"Companies must address the fundamental confusion surrounding the impact of compliance on the organization," said John Van Decker, vice president with META Group's Enterprise Application Strategies service. "The effects of SOX will be felt across the board, especially within the IT function. Organizations need to understand and prepare for compliance measures that will influence everything from reporting, to auditing, to supply chain management."

META Group analysts pointed to the expected impact of compliance measures on outsourcing as the study's most telling example of how ill-informed organizations are about the pervasive effects of SOX. Only 55 percent of respondents surveyed believe that compliance measures will change their use of external business or outsourcing services. Of that group, only 9 percent characterized the expected changes as "major."

Moreover, survey responses were mixed regarding the nature of the changes expected. Twenty-one percent of those surveyed indicated that they are more likely to outsource functions as a result of compliance with SOX regulations, while a slightly smaller group (19 percent) expects to outsource less. Seventeen percent of those polled do not expect compliance to have any effect on outsourced work, while a full quarter (25 percent) indicated that they had no way of calculating the impact.

META Group analysts stressed the importance of understanding the impact of compliance mandates on outsourcing, given the significant new obstacles posed.

"Organizations are just as responsible for ensuring the compliance of outsourced IT systems and processes as they are for those systems maintained internally," said Van Decker. "This accountability will present a challenge to organizations, since they must assess whether their outsourcers' controls are compliant and adequately documented. Companies cannot do this without first understanding the fundamental impact compliance measures will have on all business processes, particularly outsourcing."

META Group is working with various IT organizations to provide recommendations about outsourcing initiatives and SOX compliance. For companies seeking to ensure regulatory compliance among internal and external programs, these recommendations include gaining consensus among auditors, relevant business and IT units, executives and board members about how to define what constitutes an adequate control assessment for outsourced processes until regulator clarification is provided.

For more information on Sarbanes-Oxley, read Parts 1 and 2 of the recent SDCExec.com series on Contract Management: Five Myths of Contract Management, and Contract Management: Improving Corporate Governance.

Other recent SDCExec.com articles on Sarbanes-Oxley: