The Issue: Like it or not, compliance with federal regulations contained in the Sarbanes-Oxley Act (SOA) is not going away. In fact, companies are stepping up their response and planning significant spending in 2004. Based on detailed survey results with more than 70 companies, AMR Research estimates that next year’s SOA spending will be $5.5B, with more than half--nearly $3B--in hard expenditures that could affect companies’ bottom-line performance.
Spending patterns shift from soft to hard expenditure
For 2003, companies reported that they spent slightly more than anticipated for SOA compliance work, but the overwhelming majority (up to 90%) of that money was in people-related costs--mostly internal people’s time and some hiring of external advisors. For 2004, companies report their spending will become more targeted as compliance planning activities move to the execution phase.
We anticipate the budget breakdown will be as follows:
- Internal labor/headcount--44%
- Outsourced services (advisors and consultants)--33%
- Technology--19%
- Other--4%
Interestingly, 30% of firms we spoke with indicate that they do not plan to have a discrete budget for SOA compliance in 2004. When asked how they plan to pay for expenses related to compliance, responses ranged from deferral of existing projects to an open checkbook approach--spend what you need to spend.
Spending increases are directly tied to changes in approach and scope
Approaches to SOA have shifted significantly in the past six months. Where more than half of companies originally viewed Section 404 requirements as involving only financial processes, now 79% consider that compliance mandates must include finance, operations, and IT processes. Firms chalk this up to the influence of external advisors--in most cases, risk management and internal audit practices of the Big Four audit firms. As the approach broadened, so naturally did the scope of the projects. Two-thirds of companies now report scope has significantly increased during this time; none said it was any easier than originally thought.
Organization and systems complexity will drive each company’s compliance cost
In the past, we tried to give companies a rule of thumb to plan for SOA spending. For 2003, we estimated it was a million in compliance expense for each billion in revenue. But this rule was a broad generalization, and could not be backed up with hard evidence. Interviews with hundreds of companies over the past six months point to management and systems complexity as the ultimate source behind specific company compliance costs. The less centralized and standardized a company is, the more they should plan to spend on compliance. We plan to quantify this more concretely in future research.
Money will be spent sooner rather than later
Three out of four companies plan to have initial Section 404--Documentation of Controls and Processes work completed by midyear 2004. This will allow firms with a calendar year-end up to six months to test and refine their control environment in preparation for management assertion and auditor attestation at the end of the fiscal year. This timing indicates more of the spending (up to 60%) will occur by June 2004 to accommodate the planned end date.
Some organizations are also expecting to update their compliance environment with new software products to manage and enforce the defined regimen, specifically those that have chosen auditor-supplied tools for their initial Section 404 work. This is a leading indicator that some technology and consulting spending will occur later in 2004 as companies gear up for Sarbanes-Oxley Year 2 and beyond.
Recommendations:
- Plan for SOA expenditures. Use the information presented here to help guide your budget process for this high-profile project. In a continuingly tight funding environment, it’s best to earmark the money up front rather than live with potential heartburn by trying to squeeze in essential work at a later point in time.
- Standardization can help reduce overall cost of compliance. Weigh the cost of standardization against compliance expense before assuming that you must standardize to comply. It may not be worth the time, effort, and most importantly, the risk now.
- Once the work plan is set, manage further scope creep. Determine what is absolutely required for the first round of assertion/attestation work, and defer any other activities until later phases. Remember, Sarbanes-Oxley compliance has only just begun.