Compliance will cost public companies an average 62 percent more than previously anticipated. The average company expects to spend $3.14 million in its first year of compliance. (Financial Executives International).
$1.24 billion and 5,396,266 man-hours will be the aggregate annual costs of implementing Section 404(a) of the Sarbanes-Oxley Act, according to the SEC's PRA burden estimates.
PwC estimates that 76% of the added cost of Sarbanes-Oxley compliance will come from additional internal resources.
SOX compliance costs average $16 million per company. (Business Wire, Nov 15, 2004)
85% of public companies intend to change their IT systems as part of their efforts to comply with Sarbanes-Oxley legislation. (CIO Insight)
“The Sarbanes-Oxley compliance impact is not just being felt by large public companies. Rather, its impact will be felt by most companies doing business in the US.” (META Group)
Compliance Efforts Still Somewhat Haphazard. (Information Week, July 26, 2004)
AMR Research estimates that companies will spend $5.8 billion on meeting SOX requirements in 2005. Despite initial thoughts that SOX spending would be a one-time expenditure, 36% of companies plan to increase spending, 52% will maintain current levels and 12% will decrease SOX spending. Spend allocation will be:
42% on internal labor
29% on services
28% on technology
1% on other
“Technology will play an increasingly significant role in the integration of SOX compliance initiatives into business processes.” (AMR Research)
Option 1: Build it in house
Risks: In the event that a firm is found to be out of compliance, this is the worst possible scenario, and maximum penalties may apply. It also has the greatest potential for reputational risk, in addition to punitive risks.
Benefits: Full control over the process; possibly the fastest and cheapest route for some regulations, if the appropriate infrastructure is in place.
Option 2: “I bought a mistake” (so, sue me and I’ll sue the vendor)
Risks: This option entrusts, but cannot delegate, some aspects of compliance to a third party. Typical vendor due diligence concerns are magnified based on potential exposure, including reputational risk. Regulations may change frequently.
Benefits: When a packaged solution exists, maintenance of the process should be less expensive. If the solution achieves significant market share, the defensive position of the firm is enhanced in the event of non-compliance. Keeping up to date with regulations is a very challenging task; if this application were built in house, the organization would have to devote a minimum of one full-time employee to it. Vendors may also provide some best practices for maintaining compliance, and their solutions may offer improvements (automation) over current processes.
Option 3: “Nobody could do it better” (so sue us all and shut down our industry), i.e. collaborate and share
Risks: In the event of non-compliance, a penalty to one participant results in a penalty to all. Reputational risk is minimized if sharing partners have similar reputations in one’s market.
Benefits: If a group of leading firms collaborates to develop best practices for compliance and fails, it may serve as an informal proof of difficulty or regulatory ambiguity. It would be much more difficult to extract the maximum penalty from each of them than if any one individually came up with the same solution and failed alone. Peers are in the best position to develop common best practices.
Looking ahead, we will see focus on reducing compliance resource requirements through technology.
Public companies have generally adopted a methodology for SOX compliance, in addition to refinement of controls:
SOX Compliance Plan (GTS)
NCG Controls Framework
ETIS Control Documentation & Test Plans
Internal Control Testing & Remediation
Auditor Attestation of Controls
Continuous Improvement
Cost of Compliance: Strategy for Refinement of Controls
Establish an overall cross-functional compliance team and a dedicated sub-team managed by a director-level person. The team should be supported by C-level executives and include executives from GTS, NCG, ETIS and the lines of business (LOBs).
Coordinate ETIS activities within the scope of an overall security and disaster recovery plan.
Have ETIS or NCG take final responsibility to ensure compliance with SOX. ETIS should take the lead on LOB data usage. ETIS is one input to the whole process.