Organizations must look beyond just tactical Sarbanes-Oxley (SOX) compliance and focus strategically on leveraging SOX investments, according to META Group, Inc. Most U.S.-based organizations are in various stages of SOX projects as they approach the deadline for compliance to Section 404. META Group has identified six phases a SOX project must be managed through with IT playing a strategic role. The IT organization needs to be included as a supporter of enterprise internal control projects and must understand the maturity level or stage of the SOX project in order to help.

META Group estimates 10 percent of SOX-affected firms are at the "exploration" (Level 0) stage. Twenty-five percent of affected firms are at "building awareness" (Level 1), which is where the enterprise SOX project is being defined and resources are being identified to manage the Section 404 process. The greatest percentage (40 percent) are at "project initiation" (Level 2) with their SOX initiatives, which is where the formal enterprise SOX project begins. Twenty percent of firms are at "project execution" (Level 3) and are actively involved in executing their internal control projects, given the rolling compliance date (through June 2005). Only 5 percent of firms are at "perform assessment/review results" (Level 4), working on identifying business processes. Finally, probably very few firms are at "optimization" (Level 5) and, for most, this will begin after the initial Section 404 compliance date (June 2004 and ongoing).

"Seventy-one percent of companies polled in a recent META Group survey believe they will meet SOX by their required deadlines," said John Van Decker, vice president with META Group's Technology Research Services. "Firms are moving further along the SOX maturity curve and are considering business application projects to address deficiencies in the financial control processes."

Spending on SOX is primarily focused on Section 404, and the auditing and compliance service providers are the initial beneficiaries. Spending for business applications will ramp up in 3Q04 as firms complete their Section 404 projects and address weaknesses, according to META Group. In addition to driving increased business for audit/risk service firms, SOX compliance efforts will prove a boon to IT product and service vendors.

"SOX requires that firms have documented and compliant internal controls around financial management processes," said Van Decker. "SOX has a major impact on IT, including support for business applications and IT governance."

Many firms will utilize SOX as a means of improving business efficiency, going beyond what is merely required to comply. Forty-nine percent of firms polled believe SOX is a necessary cost of doing business, and 39 percent say SOX will eventually make them more competitive.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access