by Kim S. Nash

Why, Five Years After Sarbanes-Oxley Became Law, IT Executives Are Better Off

Aug 03, 2007

The law's requirements for financial auditing and regulatory compliance have made IT systems more visible to top executives and integral to core business processes.

Paul Sarbanes and Michael Oxley have left Congress, but they’re never far from the thoughts of CIOs responsible for making their companies’ financial systems produce accurate data. Everyone’s favorite kvetch is the high cost to comply with the Sarbanes-Oxley Act of 2002, but now chief information officers are, in some ways, better off.

For the past five years, CIOs have dealt with being micromanaged by colleagues outside of IT and suspected a conspiracy by CFOs to undermine them. They’ve been inundated by vendors with fabulous claims of compliance-in-a-box and have listened to former Federal Reserve chairman Alan Greenspan decry Sarbanes-Oxley as a “nightmare” that should be rewritten.

But looking back, the rules that Sarbanes, a former Senate Democrat from Maryland, and Oxley, a former Republican representative from Ohio, wrote to make U.S. companies more accountable for their financial data also have lifted the career trajectories of some CIOs, says Lee Dittmar, a principal at Deloitte Consulting who oversees enterprise governance.

Yes, Dittmar says, Sarbanes-Oxley burdened technology departments by forcing, for example, more detailed reporting about how software projects affect a company’s financial data. IT also has to work side by side with internal and external auditors, as well as with the finance group, to identify how their companies handle accounting data electronically and manually, then tighten those processes to prevent fraud. “It has been painful,” he says. For many companies, documenting, testing and maintaining financial controls to the extent required by the legislation was a major change from past practice, he says.

But because technology enables the production of nearly all of the financial information under scrutiny, he says, now senior executives see that “what happens in IT is strategic.”

As companies have struggled to understand and then follow Sarbanes-Oxley, CIOs have had the chance to talk with senior executives specifically about how IT affects the business, says Patty Azzarello, a CIO careers consultant in Palo Alto, Calif. “This conversation in many cases opened the door for CIOs to get more airtime in budget and planning discussions, which is vital if they want to have an impact on corporate strategy.”

The cost of complying with Sarbanes-Oxley depends on how complex your company is—multiple lines of business? global offices?—and how badly financial data was monitored historically. But generally, the amount of money spent per year on adhering to the regulations has been declining, according to a recent survey from Financial Executives International (FEI), a professional association in Florham Park, N.J.

Total average cost for a company to comply with Section 404—which governs internal controls—was $2.9 million last year, down 23% from 2005, FEI found.

At American International Group (AIG), the cost of complying with Sarbanes-Oxley is a perpetual discussion, says Anders Land, vice president of Internal Control in the comptroller’s unit at the $113 billion New York insurance company.

But, Land estimates, AIG spends 30 percent to 40 percent less now per year than it did in 2003, when it embarked on compliance, because creating and maintaining clean controls of financial data is becoming embedded in people’s everyday work.

When companies started Sarbanes-Oxley work five years ago, they hired external consultants and auditors to do it for them. But now that procedures are in place, companies are embedding at least some of that work into the jobs of their own people, Land says.

“Instead of having a defined number of consultants doing the project, it becomes 10 percent of an internal employee’s work,” he says. So it’s now harder to say what’s a Sarbanes-Oxley cost and what isn’t, he says. “That’s positive. It means the performance of good, effective controls is part of company culture, and that’s the whole purpose of the law.”

Tom Basilo has little sympathy for executives unhappy with Sarbanes-Oxley costs. Basilo, CEO and chairman of WithumSmith+Brown Global Assurance, a Sarbanes-Oxley consulting firm in Princeton, N.J., says the regulations set out to restore public confidence in U.S. companies after the accounting scandals at Enron, WorldCom, Tyco and others.

And it worked, he says.

“Last year, we had record investment in U.S. stock markets and this year we’ll probably have another record,” he says. “Good, strong companies are staying here and doing quite well.”

To companies that complain about Sarbanes-Oxley costs, Dittmar, at Deloitte, likes to lob a hypothetical: “Compare the total cost of complying, all-in, and the total compensation of the CEOs complaining about the cost of complying,” he says. “Which is bigger?”

Of course, CIO compensation doesn’t compare to the multimillion-dollar packages that chief executives get. But some top technology leaders at the biggest U.S. companies also receive hefty stock and options awards.

Dittmar’s advice: “Stop complaining, because [without Sarbanes-Oxley] your options wouldn’t be worth anything because your company wouldn’t be worth anything.”