Iron Mountain - Knowledge Center - Three Key Lessons on How to Cut the Costs of Sarbanes-Oxley Compliance

Three Key Lessons on How to Cut the Costs of Sarbanes-Oxley Compliance

According to research delivered at Gartner's Symposium/ITxpo 2004, there are three important lessons companies need to keep in mind to cost-effectively achieve Sarbanes-Oxley compliance.

#1 - Most companies already have technology in-house that can be leveraged for Sarbanes-Oxley compliance.

“Vendor hype suggests that a wide variety of technologies is the answer to compliance with the Sarbanes-Oxley Act, but governance and compliance are no different than most other business issues,” said Brian Wood, research director for Gartner. “A compliance architecture doesn't necessarily require new software investments and does not need to be implemented across the enterprise in a single step. Most organizations will find that they already have many of the software tools they need.”

Gartner analysts recommend that 50 percent of a company's Sarbanes-Oxley budget be allocated for implementation and remediation issues, including directors' and officers' insurance and increased consulting fees. Thirty percent of the budget should be spent for internal analysis, including redundant audits for the next three quarters. The remaining 20 percent of the budget should be spent on software upgrades and new purchases.

#2 - Companies that invest in “Quick Fix” solutions to achieve compliance will spend up to ten times more than they need to.

“Enterprises that choose one-off solutions for each regulatory challenge that they face will spend 10 times more on compliance projects than their counterparts that take a proactive approach,” said French Caldwell, research vice president at Gartner. “Although there are times when adopting a 'quick and dirty' solution may be necessary to meet deadlines, enterprises should avoid committing too much time, effort or data to such systems.” Enterprises that purchase Sarbanes-Oxley targeted solutions in 2004 will retire or replace those systems by the end of 2005, according to Gartner.

#3 - Companies that adopt a comprehensive compliance management architecture will save 50% annually compared to companies that don't adopt such an architecture.

Gartner recommends that all of your applications that can assist with compliance be brought together in a common architecture. According to Gartner, public companies that don't have this common compliance architecture by 2006 will have to spend 50 percent more annually to achieve compliance.

By establishing a compliance architecture, enterprises will be able to reduce the cost of regulatory compliance because such an architecture “eliminate(s) requirements to hire external auditors or consultants every time a new law appears,” said Rich Mogull, research director for Gartner.

According to Mogull, “to build the most effective compliance architecture, enterprises should expand and standardize the use of BCP (Business Continuity Planning), document management systems, and BPM (Business Process Management), and should add some business intelligence and perhaps a compliance tool for reporting, as well.”

Conclusion

Gartner has stated previously, “efficient record keeping is key to complying with the legislation (Sarbanes-Oxley) and to restoring the trust of stakeholders, especially investors.” The broad lessons for cost-effective compliance apply equally well to your records management program:

  • Leverage your existing technology investments first
  • Avoid application-by-application point solutions
  • Develop a consistent, corporate-wide records management compliance architecture



The information in this article was adapted from: “Gartner Says Enterprises Implementing Sarbanes-Oxley 'Quick Fix' Solutions in 2004 Will No Longer Use Those Systems by the End Of 2005,” Gartner press release, April 14, 2004; “Cost of Compliance with Sarbanes-Oxley Can Be Cut by 50%,” Preston Gralla, Enterprise Applications Pipeline, April 02, 2004; and “The CIO's Guide to Effective Records Management,” Gartner Research Note, March 18, 2003.