The High Cost of Compliance

By Chris Egizi

(Back to article)

In the push to meet initial compliance deadlines many corporations focused on implementing the minimum technology systems needed to achieve a passing grade. But compliance is an ongoing process that goes well beyond testing and evaluation of internal controls to ensuring security and system integrity as well as managing changes.

Thus, we now see many companies focusing their 2005 technology efforts on enhancing or implementing systems to ensure sustained compliance in the years to come.

Perhaps the best evidence of this is a recent AMR Research survey, which found that companies expect to spend $5.8 billion to meet SOX requirements in 2005. And while technology spending represents just 28% of the overall budget, it's increasing by the largest percentage -- up 43% from $1.13 billion in 2004 to $1.62 billion in 2005.

In fact, AMR found that many companies are now planning to invest in technology to ensure they can sustain compliance. Thirty-six percent plan to increase spending, while 52% plan to maintain current levels.

When it comes to sustained compliance, automation is the key.

By automating previously manual processes, such as certification and sub-certification processes, the right technology can strengthen ongoing compliance efforts. The right technology also can improve the speed, accuracy and visibility of internal controls monitoring.

And, for most companies at least, according to a survey in the November 2004 issue of Business Finance, the right technology will come in the form of ERP applications, which were cited by 37% as their first choice of software systems to support internal controls testing and monitoring efforts. In second place, with 33%, were custom solutions.

But, before systems can be implemented or enhanced, however, many CIOs are finding it necessary to increase their IT staffs to accommodate the increase in SOX-related projects.

In fact, a January 2005 survey by CIO Magazine found that 76% of respondents described their current environment as inadequately staffed, and 49% said they are currently hiring or will hire within the first quarter of this year.

The skills cited as most in demand also fit within the Sarbanes-Oxley framework, with application development coming in highest at 50%, followed by project management at 45%.

To manage needs in the interim, 27% of respondents indicated they would practice selective outsourcing, while seven percent said they would bring in contingency staffing.

Those findings are borne out by the recent increase in demand (both permanent and temporary) we've seen from our own client companies for IT professionals with ERP experience at all levels. Other high-demand positions related to SOX include system architects, business systems analysts, and anyone with financial systems experience including collections, accounts payable/receivable, billing, etc.

But it's not just technical expertise CIOs are seeking. They want IT pros who are high-energy and able to work well within the existing culture. Further, they are seeking broader non-technical skills and experience such as business process knowledge, fiscal knowledge and responsibility, risk management, communication skills, business skills, vendor management and procurement, industry-specific knowledge, interpersonal skills, management experience, team building and analytical skills -- all of which fit within the new role Sarbanes-Oxley has created for IT within the overall business infrastructure.

In summary, while Sarbanes-Oxley was originally aimed at the financial side of the corporate house, it has quickly become apparent that compliance with Section 404 has permanently changed the make-up of the IT environment, both in terms of the technical skills needed to manage ongoing compliance and the non-technical skills needed to ensure IT and finance can work jointly to meet SOX requirements for the long-term.

Chris Egizi is vice president, Technology Consulting Services with Kforce Technology Staffing, a division of Kforce, Inc. He can be reached via email at cegizi@kforce.com. Eric Preusse, search director, Boston F&A and Technology with Kforce, contributed to this article and can be reached via email at epreusse@kforce.com.