
THE INFORMATION ARCHITECT

Companies cry 'uncle' as compliance deadlines near


Garry Kranz
09.16.2004


John Cox optimistically thinks his company's effort to comply with the Sarbanes-Oxley Act, cumbersome as it is, will pay financial and operational dividends.

"My mantra is that Sarbanes-Oxley compliance is not a financial exercise but a cultural exercise," said Cox, chief accounting officer at BMC Software Inc. in Houston. "If we go through the process of compliance and don't achieve any efficiency for the company, then it won't be doing us any good."

Specifically, Cox expects the rigorous auditing and automation of internal controls to expose flawed business practices. "We hope to uncover inefficient processes that can help us save money over time," Cox said.

Sarbanes-Oxley prescribes stringent requirements for financial accounting and corporate governance. Considered by some to be the toughest business law in decades, it requires CEOs to personally validate financial statements and other information or face severe penalties, including fines or even jail time.

Companies must also establish internal controls on data -- how information is stored, retrieved and protected -- and verify them each year through an independent audit.

Yearly audit fees make up one of the biggest costs to businesses, increasing by 35% in 2004 alone, according to Florham Park, N.J.-based Financial Executives International.

In fact, data integrity is at the heart of a rash of recent legislation aimed squarely at corporate America. The Health Insurance Portability and Accountability Act (HIPAA) requires health care companies to follow specific standards to safeguard and secure sensitive patient data. Another law, the Gramm-Leach-Bliley Act, controls how financial companies handle private information of individuals.

Meeting the different compliance standards forces U.S. companies to change how they transact business, and the problem is especially nettlesome if their enterprise extends overseas. Companies with U.S. headquarters must ensure that any foreign outposts they have meet the federal standards. But compliance by overseas vendors or business partners is even more complicated, especially for the punitive Sarbanes-Oxley Act.

"Whether or not your suppliers are compliant with the same requirements you are, really is up to them," said Peter Gerr, an analyst with Enterprise Strategy Group of Milford, Mass. "There is no international governance [organization] and no way to enforce a regulation that includes multiple organizations in a supply chain."

None, that is, save the incentive that U.S. regulators provide. HIPAA rules, for instance, require U.S. health care companies to verify that any overseas vendor handling their sensitive patient data enacts the same rigid controls on how information is shared, retrieved and protected. That includes data processing warehouses in India and other offshore locations.

"It's important to know in advance that your rights under service agreements are enforceable in a meaningful way," should vendor or business partners not meet the requirements, said Scott Nathan, an attorney who specializes in data privacy.

At the same time, U.S. companies cannot plead ignorance of how their overseas vendors manage important data. "It's not going to be sufficient to say, 'I outsource that so I'm not responsible,'" said Barry Lurie, a vice president and managing partner with Unisys. "You need to make sure that the information you get back from third-party vendors has appropriate data controls, especially if it's incorporated in your financials or rolled up in a balance sheet."

Tougher accounting and corporate governance also is costing companies time and money. On average, U.S. companies devote 3.3% of their IT budgets to planned compliance initiatives, according to Gartner Inc., of Stamford, Conn. "Since CIOs' budgets have gone up only 1.4% this year, that's almost 2% they have to eat out of discretionary funds," said French Caldwell, a vice president and research director at Gartner.

Companies that expect business benefits from compliance are spending more on training than those who don't, according to a recent Gartner survey. The money is spent training workers who handle sensitive data about the new standards and teaching them why compliance is important. "Spending money on training helps people understand your business processes better, which is really important when auditors start asking them questions," Caldwell said.

To cope with the heightened regulatory climate, Unisys' Lurie said that more companies are pouring money and resources into compliance teams or appointing an executive-level chief compliance officer. He warns that companies should not view compliance as a one-time event. Devising better business processes is important, but companies also need to "ensure that their people are using them."
