
Users brace for SOX deadline

Preparing for Sarbanes-Oxley has left IT departments cash-strapped and still cloudy on the regulations. But this is just the beginning.

As Monday approaches and with it the deadline for compliance with the Sarbanes-Oxley Act (SOX) of 2002, IT departments are crossing the finish line with lighter wallets, still unsure whether they've got it right or how the first round of audits will turn out.

Beginning next week, companies that have publicly owned shares of more than $75 million and that have fiscal years ending on or after Nov. 15 must comply with internal control reporting and disclosure requirements of Section 404 of SOX. Companies with less than $75 million in public shares have until July 15 to comply.

To support Section 404, companies must ensure that they have the proper documentation, retention and retrieval processes in place for the financial records of their company. They must also ensure that they have a solid audit trail to account for all decisions.

Keeping up with all this has been an expensive endeavor, with companies shelling out millions of dollars for auditing fees, extra man hours and for new software and hardware that help archive and retain records.

A user from a major bank, who wished to remain anonymous, said that hitting the November 15th deadline for compliance has been a "capital budget buster" all year. "Every available dollar we've had this year has gone on the documentation of all our data. It's been torture," he said.

Mike Casey, vice president of practice development at Contoural, a compliance and storage consulting firm in Los Altos, Calif., said that Monday is by no means the end of SOX -- it marks the beginning of a process where everyone is learning as they go. "It will take a couple months to see how this first round of audits went. But it should be interesting," said Casey.

Casey added that some of the recommendations of SOX are vague, such as providing "reasonable assurance" that records are being kept effectively. "What does 'reasonable assurance' mean?" said Casey. "The auditors know that some of the terms of SOX are vague and since they are not that familiar with IT, their recommendations aren't specific."

Such vagueness has been a key source of frustration. One company executive, who requested anonymity, said his firm still isn't 100% certain it hasn't missed anything. "We had no guidelines and even the so-called experts knew less than us," he said.

This company is not alone. According to a report published this week by PriceWaterhouseCoopers (PWC), only 20% of companies that PWC is assisting with SOX audits are on schedule with their auditing and are certain that the appropriate controls are in place.

"Simply being ready for SOX is a big concern," said Peter Gerr, senior analyst at Enterprise Strategy Group, Milford, Mass. "If internal auditors are unable to sign off on the accuracy of their company's financial statements -- a requirement of SOX -- then it could cause worry on the part of investors."

One company, a financial institution that did not want to be named, has not found SOX to be as painstaking as many other companies have. "Our experience has probably been atypical. There was an immediate top-down mandate and support for compliance," said the company's storage director. "Since the initial effort, most of our storage issues have focused on increasing backup retention and off-site rotation and accommodating more servers with as little storage growth as possible."

For Casey, Sarbanes-Oxley is really about assuring best practices in storage. "It is a way to make sure that IT is doing what it should. Many companies lost sight of that in the boom times."

Here are some noteworthy SOX statistics as Monday approaches:

  • A July 2004 survey by Financial Executives International (FEI) showed that, on average, the total cost of compliance is now estimated at $3.14 million for each company.
  • According to AMR Research, the total cost for companies overall to comply with Sarbanes-Oxley in 2004 is $5.5 billion.
  • Forrester Research reported that in 2004, 77% of technology executives said they will increase technology spending to support compliance.