IT the key to cutting SOX costs

The Sarbanes Oxley Act (SOX) has already celebrated its third birthday. And like many three-year-olds it can still create lots of mess - and plenty of sleepless nights - for the companies that fall under its power.

IT departments have had to deal with a fair amount of the teething problems. SOX demands a single version of the truth from companies in terms of the financial figures they deliver. But with the complex systems they have built up, one plus one doesn't always equal two, which means many companies have been scrambling to get their systems straight.

Companies have to prove they have strong controls in place. These controls can cover a range of situations - such as not sending more stock to a customer that has reached its credit limit. This could be done manually, by pouring over spreadsheets every week, or could be built in automatically.

It has also meant staff changes. More than half of IT managers surveyed by Accenture said they have made staffing changes to support compliance and will continue to demand extra staffing over the next one to three years.

One area companies have had to be alive to is data integrity issues, said Les Stone, partner in Accenture's finance and performance management practice.

Stone said: "What we found was that IT became a critical part of this process. Some of the key things they had to look at were things like restart and recovery procedures, security, user authentication and data integrity."

There is a big price tag on all this work: Accenture calculates that SOX costs $1m per $1bn of revenue. The good news is that second and third year compliance costs could be 30 to 40 per cent lower than first year costs, if companies did the work right the first time round.

But for organisations that have simply put manual fixes in place there will still be work to do, he said.

For many companies the next step is to automate as much as they can of the compliance work. Research from PricewaterhouseCoopers found that company chiefs are now looking to trim the cost of compliance. It found that "tighter scoping of required actions" is the number one area where they hope to shave off some cost, with automating controls another target.

Bur Stone said the market for compliance tools is very immature. "These tools are designed to work inside the four walls of an ERP system," he said. "The issue is that most companies aren't on a single platform so IT is heavily involved in maintaining controls and tools for all the legacy systems and checking all the interfaces are passing data in a consistent manner."

And even if SOX doesn't directly impact you yet, some UK companies are now concerned that European legislators may introduce SOX-style regulations next, according to Peter Jones, chairman for Basda (Business Application Software Developers Association) IT & SOX Working Party. "That's a big fear," he said.

Jones, also a project manager at Lawson Software, said some companies in the UK not formally covered by SOX are complying with it anyway because they think that it is good business practice to do so.

After all, as Accenture's Stone points out, even though the SOX Act is relatively young, the fundamentals of SOX have been around for years: "There is compliance everywhere. At the end of the day this is one more piece of compliance. What companies are being asked to do in terms of internal controls is nothing new."