Paul Sarbanes and Michael Oxley have left Congress, but
they’re never far from the thoughts of CIOs responsible
for making their companies’ financial systems produce
accurate data. Everyone’s favorite kvetch is the high
cost to comply with the Sarbanes-Oxley Act of 2002, but now
chief information officers are, in some ways, better off.
For the past five years, CIOs have dealt with being
micromanaged by colleagues
outside of IT and suspected a conspiracy by CFOs to undermine them.
They’ve been inundated by vendors with fabulous claims
of compliance-in-a-box and have listened to former Federal
Reserve chairman Alan Greenspan decry Sarbanes-Oxley as a
“nightmare” that should be rewritten.
But looking back, the rules that Sarbanes, a former Senate
Democrat from Maryland, and Oxley, a former Republican
representative from Ohio, wrote to make U.S. companies more
accountable for their financial data also have lifted the
career trajectories of some CIOs, says Lee Dittmar, a principal
at Deloitte Consulting who oversees enterprise governance.
Yes, Dittmar says, Sarbanes-Oxley burdened technology
departments by forcing, for example, more detailed reporting
about how software projects affect a company’s financial
data. IT also has to work side by side with internal and
external auditors, as well as with the finance group, to
identify how their companies handle accounting data
electronically and manually, then tighten those processes to
prevent fraud. “It has been painful,” he says. For
many companies, documenting, testing and maintaining financial
controls to the extent required by the legislation was a major
change from past practice, he says.
But because technology enables the production of nearly all
of the financial information under scrutiny, he says, now
senior executives see that “what happens in IT is
As companies have struggled to understand and then follow
Sarbanes-Oxley, CIOs have had the chance to talk with senior
executives specifically about how IT affects the business, says
Patty Azzarello, a CIO careers consultant in Palo Alto, Calif.
“This conversation in many cases opened the door for CIOs
to get more airtime in budget and planning discussions, which
is vital if they want to have an impact on corporate
The cost of complying with Sarbanes-Oxley depends on how
complex your company is—multiple lines of business?
global offices?—and how badly financial data was
monitored historically. But generally, the amount of money
spent per year on adhering to the regulations has been
declining, according to a recent survey from Financial
Executives International (FEI), a professional association in
Florham Park, N.J.
Total average cost for a company to comply with Section
404—which governs internal controls—was $2.9
million last year, down 23% from 2005, FEI found.
At American International Group (AIG), the cost of complying
with Sarbanes-Oxley is a perpetual discussion, says Anders
Land, vice president of Internal Control in the comptroller’s
unit at the $113 billion New York insurance company.
But, Land estimates, AIG spends 30 percent to 40 percent
less now per year than it did in 2003, when it embarked on
compliance, because creating and maintaining clean controls of
financial data is becoming embedded in people’s everyday
When companies started Sarbanes-Oxley work five years ago,
they hired external consultants and auditors to do it for them.
But now that procedures are in place, companies are embedding
at least some of that work into the jobs of their own people,
“Instead of having a defined number of consultants
doing the project, it becomes 10 percent of an internal
employee’s work,” he says. So it’s now harder
to say what’s a Sarbanes-Oxley cost and what isn’t,
he says. “That’s positive. It means the performance
of good, effective controls is part of company culture, and
that’s the whole purpose of the law.”
Tom Basilo has little sympathy for executives unhappy with
Sarbanes-Oxley costs. Basilo, CEO and chairman of
WithumSmith+Brown Global Assurance, a Sarbanes-Oxley consulting
firm in Princeton, N.J., says the regulations set out to
restore public confidence in U.S. companies after the
accounting scandals at Enron, WorldCom, Tyco and others.
And it worked, he says.
“Last year, we had record investment in U.S. stock
markets and this year we’ll probably have another
record,” he says. “Good, strong companies are
staying here and doing quite well.”
To companies that complain about Sarbanes-Oxley costs,
Dittmar, at Deloitte, likes to lob a hypothetical:
“Compare the total cost of complying, all-in, and the
total compensation of the CEOs complaining about the cost of
complying,” he says. “Which is bigger?”
CIO compensation doesn’t compare to the
multimillion-dollar packages that chief executives get. But
some top technology leaders at the biggest U.S. companies also
receive hefty stock and options awards.
Dittmar’s advice: “Stop complaining, because
[without Sarbanes-Oxley] your options wouldn’t be worth
anything because your company wouldn’t be worth