Sarbanes-Oxley (SOX), the sweeping legislation meant to make publicly traded companies more accountable, rolled through Congress in 2002. The reaction to the WorldCom and Enron accounting scandals became law so quickly, in fact, that it took time for both the companies affected and the technology industry to piece together their responses.
Nearly three years later, with deadlines for compliance kicking in, Sarbanes-Oxley is on the minds of many corporations. In their attempts to meet the letter of the law, which requires, among other things, that executives vouch for the accuracy of a company’s extensive written records, many are seeking help from technology.
The good news is that there are many technological solutions available. However, the flood of products meant to aid compliance is itself a maze that many corporations will want a guide to help them navigate. Even so, experts say software alone can’t answer the compliance question, with extensive policy and rules-making another necessary part of the equation.
Early Deadline Pressure
“Right now, a lot of companies are doing it the hard way and throwing a lot of consulting money and time at it,” Tom Taulli, who teaches a course on compliance at the University of California, Irvine, told the E-Commerce Times. “I think that will change once we get past some early deadlines. Then, people will start thinking of automated solutions.”
Taulli said there has been an explosion of such offerings from both established companies in the data storage and network administration areas as well as numerous startups with Sarbanes-specific compliance tools. For instance, Approva.net, which makes tools to capture compliance-related information from ERP systems, received an $8 million venture capital infusion in the past year. Approva’s CFO helped draft one of the sections of Sarbanes-Oxley.
“I think the incumbent players have the upper hand right now — people will go with who they trust,” Taulli said. “But after they get some comfort with the law, they’ll take a step back and look for the best solutions that are available to them.”
The Money Question
Of course, such solutions cost money and many information technology budgets have been kept in check in recent years. That’s created another level of tension inside enterprises. Gartner Research estimated the average mid-size to large company would invest US$2 million to comply with the first- and second-year requirements of SOX.
Also, AMR Research recently estimated that companies will spend $80 billion on compliance-related work between 2005 and 2009, with Sarbanes-Oxley just one of a range of recently passed regulations enterprises must deal with.
“There are enormous cost-cutting pressures,” Dave Russell, director of technical strategy for the IBM TotalStorage Open Software family, told the E-Commerce Times. “A lot of times, the first question we get is how can we retain more for less?”
Russell said one logical and common reaction among companies is to plan to retain everything that crosses their networks, literally archiving everything. Beyond creating enormous costs over time, however, that approach also makes it difficult to retrieve information when the time comes.
IBM has positioned products in its Tivoli family of storage management tools as aids in SOX compliance. Big Blue is one of literally dozens of major enterprise software firms that have developed add-ons aimed at compliance requirements.
Russell said many of IBM’s customers turn to its services arm to help match software, hardware, policies and practices to ensure compliance, with the Tivoli family of software well positioned to manage the interaction between data storage and databases.
Analysts say software, security and storage firms are all in line to benefit by offering compliance features. Taulli said the recent purchase of StorageTek by Sun Microsystems was an example of the types of moves that might occur as firms on the network side begin to recognize the heightened importance of storage and retrieval of data.
Other major firms with compliance products include Oracle, Computer Associates and SAP. Hardware makers are eyeing the opportunities as well, with Hewlett-Packard launching a storage-management system that can automatically back up files needed for compliance.
Patrick Mullen, a spokesperson for Business Edge software, said companies need to start with a “framework” for best practices that includes business practices and policies, a data architecture and an approach for extracting and sharing data and means for testing the system periodically.
Flexibility and the ability to react to changes as necessary within those policies are also important. IBM’s Russell said a Canadian insurance company found out the hard way that strict rules about data disposal can be costly. The firm had a three-year retention rule. When a widow claimed that the company had not paid all the benefits she was owed, the company assembled a team of IT experts, who said the data proving it had done so was on the company’s data storage network.
However, between the time the claim was filed and legal proceedings began, the three-year window came and went and the data was wiped out. The company was then unable to prove it had paid and wound up paying the benefits twice — plus punitive damages. “With good policy-based management tools in place, they could have stopped the clock and saved themselves a lot of money,” he added.
Those types of subtleties — cordoning off data when a subpoena is filed for instance — will likely keep software makers refining their compliance-related offerings for years to come.
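The retention failure Russell describes, written out as an added example that is not from the article or from any vendor it mentions: a minimal policy engine in which a legal hold stops the disposal clock for records tied to a pending claim. The record ids, matter id, dates and three-year period are constructed for illustration; the point is that a scheduled purge must consult an independent hold list before deleting anything, and must log both what it deleted and what it skipped.

```python
"""Retention schedule with a legal-hold override.

Added illustration (not from the article or any vendor product): a
minimal policy engine showing why a blanket "delete after N years" rule
needs a hold mechanism that stops the clock for records tied to a
pending claim or subpoena. All records, ids and dates are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Record:
    record_id: str
    created: date
    retention_days: int                       # how long the schedule keeps it
    holds: set = field(default_factory=set)   # ids of open matters (constructed)

    def expired_on(self, today: date) -> bool:
        return today >= self.created + timedelta(days=self.retention_days)


class RetentionManager:
    def __init__(self, records):
        self.records = {r.record_id: r for r in records}
        self.audit_log = []   # every hold/purge decision, for auditors

    def place_hold(self, matter_id: str, record_ids):
        """Cordon off records as soon as a claim or subpoena is filed."""
        for rid in record_ids:
            self.records[rid].holds.add(matter_id)
            self.audit_log.append(("hold", matter_id, rid))

    def release_hold(self, matter_id: str):
        """Lift the hold once the matter is closed; the clock resumes."""
        for r in self.records.values():
            if matter_id in r.holds:
                r.holds.discard(matter_id)
                self.audit_log.append(("release", matter_id, r.record_id))

    def purge_expired(self, today: date) -> list:
        """Dispose of records past retention, skipping any under hold.
        Returns the ids actually deleted."""
        deleted = []
        for rid, r in list(self.records.items()):
            if not r.expired_on(today):
                continue
            if r.holds:
                # Expired by the schedule, but a matter depends on it: keep it.
                self.audit_log.append(("skip-held", sorted(r.holds), rid))
                continue
            del self.records[rid]
            deleted.append(rid)
            self.audit_log.append(("purge", None, rid))
        return deleted


def sample_records():
    # Constructed sample: benefit-payment records under a three-year rule.
    return [
        Record("pay-1001", date(2002, 1, 15), retention_days=3 * 365),
        Record("pay-1002", date(2004, 6, 1), retention_days=3 * 365),
    ]


def scenario_without_hold():
    """The insurer's failure mode: the claim is filed, proceedings drag on,
    the clock runs out and the proof of payment is disposed of."""
    mgr = RetentionManager(sample_records())
    deleted = mgr.purge_expired(date(2005, 3, 1))
    return deleted, "pay-1001" in mgr.records


def scenario_with_hold():
    """Same timeline, but the claim places a hold before the purge run,
    and disposal only happens after the hold is released."""
    mgr = RetentionManager(sample_records())
    mgr.place_hold("claim-2004-07", ["pay-1001"])
    deleted = mgr.purge_expired(date(2005, 3, 1))
    still_there = "pay-1001" in mgr.records
    mgr.release_hold("claim-2004-07")
    deleted_after = mgr.purge_expired(date(2005, 3, 1))
    return deleted, still_there, deleted_after


if __name__ == "__main__":
    print("without hold:", scenario_without_hold())
    print("with hold:", scenario_with_hold())
```

The design choice that matters is that the hold lives on the record and is checked by the purge itself, rather than relying on an operator to remember to pause the schedule; the audit log then shows an examiner both the disposals and the records deliberately retained.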
“This is really a lifesaver for the enterprise software industry,” Taulli said. “There are long-term benefits for the sector in this law that weren’t necessarily intended or even recognized at first.”