Last year, the Securities and Exchange Commission announced a one-year delay in Sarbanes-Oxley Act (SOX) compliance requirements for publicly traded companies with revenue of $75 million or less, giving CIOs a much-needed breather -- both fiscally and timewise. That's good news for most small and midsized business (SMB) IT leaders, but one question lingers: How does an IT leader manage this extra time?
SMBs fought last year's SOX deadline and won. "There was a lot of pushback from smaller companies, and the SEC has come back with a delay to make it easier for small companies to accomplish compliance," said John Hagerty, vice president at AMR Research Inc. in Boston.
One of the big reasons for the delay is budget, according to Michael Rasmussen, principal analyst, risk/compliance management at Forrester Research Inc. in Cambridge, Mass. "SOX compliance is a larger burden -- [in terms of] percentage of revenue -- for smaller companies," he said. "You have staff that's already overtaxed and fewer financial resources to draw from, so it takes longer to comply."
In fact, AMR's research finds that compliance spending has not dropped significantly, even though the compliance deadline for larger companies has come and gone. The company estimates spending in 2006 at $6 billion, only a slight decrease from $6.1 billion in 2005. "We're starting to see that SOX compliance spending has a long tail on it," he said.
On top of that, Rasmussen noted that the most commonly used framework for compliance -- put out by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission -- was built with larger companies in mind, which made it less inviting for SMBs to use.
"You need to use a control framework such as COSO, but it wasn't until just recently that COSO came out with a 'lite' version for smaller companies," he said.
Planning for the future
Many small and midsize businesses are hoping for SOX relief from the government. According to a study
Moreover, many companies are hoping to dodge the bullet completely, Hagerty said. "There is a pervading feeling that eventually SOX will be moderated [for small businesses]," he said.
Most experts advise taking a long look at the current state of compliance, as well as a little risk analysis of the possibility of SOX moderation. "It's a tricky scenario, because it looks as if changes are still being lobbied," said Jim Damoulakis, CTO at GlassHouse Technologies Inc., a consulting company in Framingham, Mass. "The decision a small company has to make is how far they should invest, because the laws could change."
Damoulakis recommends that small-business CIOs take at least the first few steps. "The challenge is that there's a limited amount of time, so it would seem to be prudent from a business standpoint to do some of the more basic things around information security and integrity," he said.
Make a plan
Most experts agree that for small businesses, a year is enough time to ensure compliance -- if the budget is there as well. The first step is a state-of-the-union-type analysis, in which CIOs take inventory of the systems and business organizations that need to be compliant.
"SOX calls for an accounting of all the records that affect shareholder equity, so you need to first figure out the people and documents that will be subject to it," said Bill Tolson, practice manager at Contoural Inc., a consulting firm in Mountain View, Calif.
Next, examine the current policy regarding data retention. "My guess is that most small companies don't have a policy in place," Tolson said. "Most companies are familiar with data-retention schedules, but that's not a policy." Tolson said that policies list more than just the retention times for each type of document. Ideally, policies should include the following:
- Company philosophy on why information must be retained.
- The job titles responsible for ensuring the retention of each particular type of document.
- Procedures to ensure retention of all types of documents, both paper and electronic.
- Controls around each of those procedures that assure compliance.
The initial inventory of people and systems should take a matter of weeks, and the policy creation will take a little longer, Tolson said. When his company is retained on such a project, they like to first look at the overall business and its underlying drivers, and use the inventory information to create a current business practices report card around data retention.
The next step is a gap analysis and a plan to get from the current state to compliance. "We like to interview employees to see what type of documents they create, where they keep them, how they use them and so on," Tolson said. "We need to figure out how employees use data because the next step is systems to do data retention."
Creating the policies and procedures for SOX compliance can take two to three months. From there, CIOs must assess the situation and decide whether to forge ahead with compliance systems or gamble that SOX laws will ease. But those who have even these basic ducks in a row will be in a better position regardless of the outcome in Washington.
"It's better to know that you have a deficiency somewhere than to be caught by surprise," Damoulakis said. "So get some solid advice as to what it is you need to do to be compliant. You want to have a plan in place to show how you are going to address them."
Carol Hildebrand is a contributing writer based in Wellesley, Mass.