Law & Policy

Compliance backlash: 'Get mad or get even'

One year on, was all that SOX money well spent?

Tags: compliance, sarbanes-oxley

By Will Sturgeon

Published: 15 November 2005 08:15 GMT

On the first anniversary of one of the most controversial sections of Sarbanes-Oxley legislation, many companies are only now starting to take stock of the huge amounts they spent on compliance – and many are starting to wonder whether it was money well spent.

Section 404 of the Sarbanes-Oxley Act (SOX), which came into effect on 15 November 2004, stipulates that companies trading publicly in the US must have policies and controls in place to secure, document and process information dealing with their financial results and all transactions.

The penalties for failing to do so include jail time for senior execs and large fines.

And fear of such sanctions drove huge corporate spending, drawing comparisons with Y2K. But now many organisations are coming to terms with the fact much of that compliance budget was misspent and must decide whether to get angry about it or get it right.

Speaking on a compliance round table at CA World in Las Vegas, serial entrepreneur Steve Papermaster suggested many companies over-spent in the belief that throwing money at the problem might at least ensure all the right boxes were ticked.

He said: "Until now the focus has been on getting the job done and the question of how to get it done efficiently was being put off until another day. Now that day is coming."

Papermaster said he encountered companies who were spending more on compliance-related technology than their entire IT budget for several years.

Jim Burns, a partner at Deloitte and Touche, told silicon.com he believes such budgets were inflated by a propensity among technology vendors, sensing a gold rush, to slap stickers on all their products offering them as part of a compliance solution.

But he added that many CIOs will also have used compliance to get sign off from fearful CFOs and CEOs on other projects – further pushing the budget skywards. He said many of these facts may now start coming to light.

Burns said: "A lot of money was spent on SOX. And a lot of questions are now being asked about the value it delivered."

He added that the technology being billed as a compliance solution "is still very young" and still falling short of the mark, suggesting there will almost certainly have been some very costly mistakes made in buying IT 12 months ago.

Pat Gnazzo, compliance officer at CA, told silicon.com: "When you have salespeople out there selling compliance products and a CIO not seeing the issue from the perspective of a compliance officer, and telling them not to buy some of that garbage, then that's where you get the problem."

However, Burns said that while vendor integrity and some political machinations at board level may have played a part, they are merely part of a more problematic state of affairs whereby companies were ignorant of their business processes and their own requirements.

Earlier this year Jay Heiser, research vice president at Gartner, told silicon.com he expects to see "a SOX backlash", but Burns said few companies who understand the importance of compliance will begrudge effective spend in the area of risk.

He told delegates: "When we talk about risk the emphasis is on the downside but the exciting thing about risk is the return, the pay-off."

CA's Gnazzo is confident the situation will improve and companies will be able to rein in their compliance spend.

Gnazzo said: "Will the time come when Sarbanes-Oxley gets less expensive? Absolutely," adding that larger companies will be able to see what spend was necessary and what constituted wastage.

He added: "The bigger companies will be able to do that and the smaller companies will learn from them."
