As the deadlines for the various Sarbanes-Oxley (SOX) Act regulations come due, the need for SOX compliance is becoming a reality. While the SEC provided some respite by extending the deadline to July 15, 2005, for companies (with equity market caps under $75 million) to demonstrate compliance, most enterprises are still challenged to implement the required changes in reporting, storage and transaction tracking necessary to meet new internal controls provisions. Companies with market caps in excess of $75 million have until their first fiscal year ending after November 15, 2004.

Specifically, the amendment calls for public companies to include a specially mandated report within their standard annual reports. This new report articulates how the company is enforcing internal control over financial reporting and accounting. But wait ... there is more. In addition to internal controls for financial reporting and accounting, the SOX regulations further stipulate information and records management procedures. This makes the management of enterprise content a key part of compliance. Along with new definitions of what content and data must be labeled as a "record" (and therefore be treated as such), the lifecycle, access, storage and dissemination of information must comply with numerous SOX requirements. In short, business executives are faced with a broad redefinition of what "financial information" actually is. A good assumption is that any part of a business operation that impacts financial outcome is likely to be covered by SOX reporting requirements.

Reaching beyond the information and data itself, the SOX ruling also specifies the type of hard disk or optical storage that should be used. Clearly the provisions touching the management of information have a profound impact on an enterprise's storage capacity needs. Not only must more data be stored, but it must be accessible immediately (hours rather than days). And it is not sufficient to simply have rapid access to information and reports; enterprises must also be able to prove the authenticity of any and all aspects of operation that impact their financial outcome.

It isn't surprising that the SEC extended the deadlines for compliance with these provisions. Companies who had not planned to make new IT investments suddenly must do so in order to avoid stiff penalties. This brings us to ROI. How do you measure or even define the economic return from investments in technology needed for SOX compliance?

The Positives of Avoidance

To begin, ROI is generated from IT investments that help you comply with SOX when you don't have to pay penalties. The money you are avoiding paying in regulatory, non-compliance fines is where the economic impact can be measured. However, this is easier said than done.

The financial penalties of SOX non-compliance vary widely, making it difficult to assess just how much money you are saving by being in compliance. On top of this, with regulations as far-reaching as SOX there will always be some degree of risk that somewhere in your organization, some piece of information is not being managed properly. To assess the ROI then, you must both calculate the size of the penalties avoided and the risk that you will be found non-compliant.

Investments in technology that aid SOX compliance help you save some amount of money that you might otherwise have to pay.

The Ripple Effect

Being found in non-compliance of SOX can have other negative affects on your business - beyond the levying of fines (or imprisonment if you are found willfully fraudulent). In addition to the governance and transparency requirements of the Act described above, SOX also creates new categories of infringement that include willful destruction of documents, management retaliation against whistle blowers and fraudulently influencing a company's auditors. Some two years after SOX was enacted, cases are just now reaching the courts. Where there are courts, there are lawyers; and where there are lawyers, there are always hefty legal bills.

Companies that are found to be in non-compliance with SOX will also lose millions or more in revenues as consumers shun their products, and partners get as far away as possible. Further financial damage will be wreaked as shareholder value drops due to the reaction of the capital markets. Compounding this, such companies will also face material increases in their cost of capital, not to mention less access to capital. Large companies that trade debt through bond issues will face a tough foe in the financial markets.

Suddenly assessing the ROI of "compliance technology" seems like a daunting task. Not only is the value "soft" in that it is probability based, but there are many, many other immeasureables that contribute to the financial consequences of non-compliance. Nevertheless, given the scale of the economic impact of non-compliance, one intuitively senses that investment in compliance technology is wise - and you don't need an ROI analysis to tell you that.

The Upside

However, avoiding financial disaster is not the only economic benefit from such IT investments and the enforcement of internal controls. Not to be missed are the potentially material benefits that result when your company is run well. One of the side effects of SOX is that in forcing companies to be accountable for their financial results, there are also numerous efficiencies that can be realized from the resultant increase in transparency. Instituting controls can, for example, help a company to find areas where revenues were being siphoned off (deliberately or otherwise), providing whole new incremental income. Other companies spending millions annually on paper-based processes may find that the imaging and storage systems necessary for SOX compliance can reduce costs in amounts far greater than the solution investment.

Maybe the expense of meeting SOX stipulations will turn out to be stimulation for bottom line growth through better-run companies. Even with all the costly onerous requirements of SOX, it just might be a driver that leads to increased shareholder value.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access