What Price SOX?

The problem is that the SOX regulations don't specify the exact requirements of IT systems and data, so companies must rely on independent auditors to advise them on what must be done to comply. The auditors don't know IT well enough to define what will be required, and the IT people don't know what the auditors will ask them to do. Hence, no one knows what SOX compliance will cost from company to company, or whether there are standard steps to reach that goal.

Till now, many organizations have been using a rule of thumb that says a company should plan to spend about $1 million on SOX compliance for every $1 billion in annual revenue. But in its study of SEC filings, A.R.C. Morgan found that companies in the $1 billion revenue range are already spending more than $2 million on IT consulting and other outside services. And that's just the part that's easy to quantify--if you add internal resource spending and growing auditor fees, the figure is likely to be more than $3 million, A.R.C. Morgan says.

What can you do to control SOX compliance costs? Planning is essential. Many companies have hired outside professionals because they fell behind on deadlines or because they didn't see the need for in-house expertise until too late. Also, be aware that you can use local auditors to evaluate systems and data in the regions where your organization operates; according to A.R.C. Morgan, many companies have spent too much money flying auditors from the Big Four to their sites around the globe.

Meantime, enterprises must push their SOX auditors to develop some compliance standards that can be used across the board. Right now, the auditors are driving the ship, and nobody's sure exactly where it's going.