As Monday approaches and with it the deadline for compliance with the Sarbanes-Oxley Act (SOX) of 2002, IT departments are crossing the finish line with lighter wallets, still unsure whether they've got it right or how the first round of audits will turn out.
Beginning next week, companies that have publicly owned shares of more than $75 million and that have fiscal years ending on or after Nov. 15 must comply with internal control reporting and disclosure requirements of Section 404 of SOX. Companies with less than $75 million in public shares have until July 15 to comply.
To support Section 404, companies must ensure that they have the proper documentation, retention and retrieval processes in place for the financial records of their company. They must also ensure that they have a solid audit trail to account for all decisions.
Keeping up with all this has been an expensive endeavor, with companies shelling out millions of dollars for auditing fees, extra man-hours, and new software and hardware to help archive and retain records.
A user from a major bank, who wished to remain anonymous, said that hitting the November 15th deadline for compliance has been a "capital budget buster" all year. "Every available dollar we've had this year has gone on the documentation of all our data. It's been torture," he said.
Mike Casey, vice president of practice development at Contoural, a compliance and storage consulting firm in Los Altos, Calif., said that Monday is by no means the end of SOX -- it marks the beginning of a process where everyone is learning as they go. "It will take a couple months to see how this first round of audits went. But it should be interesting," said Casey.
Casey added that some of the recommendations of SOX are vague, such as providing "reasonable assurance" that records are being kept effectively. "What does 'reasonable assurance' mean?" said Casey. "The auditors know that some of the terms of SOX are vague and since they are not that familiar with IT, their recommendations aren't specific."
Such vagueness has been a key source of frustration. One company executive, who requested anonymity, said his firm still isn't 100% certain it hasn't missed anything. "We had no guidelines and even the so-called experts knew less than us," he said.
This company is not alone. According to a report published this week by PricewaterhouseCoopers (PwC), only 20% of the companies that PwC is assisting with SOX audits are on schedule with their auditing and are certain that the appropriate controls are in place.
"Simply being ready for SOX is a big concern," said Peter Gerr, senior analyst at Enterprise Strategy Group, Milford, Mass. "If internal auditors are unable to sign off on the accuracy of their company's financial statements -- a requirement of SOX -- then it could cause worry on the part of investors."
One company, a financial institution that did not want to be named, has not found SOX to be as painstaking as many other companies have. "Our experience has probably been atypical. There was an immediate top-down mandate and support for compliance," said the company's storage director. "Since the initial effort, most of our storage issues have focused on increasing backup retention and off-site rotation and accommodating more servers with as little storage growth as possible."
For Casey, Sarbanes-Oxley is really about assuring best practices in storage. "It is a way to make sure that IT is doing what it should. Many companies lost sight of that in the boom times."
Here are some noteworthy SOX statistics as Monday approaches: