Costs of Sarbanes-Oxley Compliance Rising
The Bottom Line: Companies must earmark significant business and IT resources to meet Sarbanes-Oxley compliance requirements for this year and beyond.
By John Hagerty -- Supply Chain Management Review, 9/1/2004
Like it or not, the costs of compliance with Sarbanes-Oxley (SOX)—the federal act that tightened corporate governance, disclosure, and financial accounting rules—are not going away any time soon. And while SOX puts the onus for compliance mainly on corporate and financial management, it will be the supply chain managers who are called upon to help put in place many of the accountability controls and manage the related costs.
Just how costly is SOX compliance expected to be? A detailed AMR survey of more than 70 companies conducted in the fourth quarter of 2003 found that this year's SOX spending would be $5.5 billion. More than half of that amount—nearly $3 billion—consists of hard expenditures that could impact companies' bottom-line performance. (Exhibit 1 gives the spending breakdown.)
Many companies entered the SOX maelstrom thinking that the bulk of their compliance spending would be a one-time expense. Unfortunately, that does not appear to be the case. The results of a later survey we conducted in May of this year reveal that the spending continues. In fact, more than one-third of the respondents said that spending for the current year is higher than anticipated. Based on this latest survey update, we now expect SOX spending to top $6 billion this year.
For many, SOX compliance has been a moving target. Nearly two-thirds of those companies we surveyed reported that compliance efforts actually increased as 2003 progressed. Why? Outside auditors and advisors had counseled clients on how, in their opinion, they needed to approach the mandates of Section 404 of the act—Documentation of Internal Controls and Business Processes. Over time, those opinions became more conservative—meaning that they became more detailed and expensive and encompassed more processes. Four out of five companies surveyed viewed SOX compliance as covering a broad range of financial, operational (including supply chain), and IT-based business processes and not just the financial processes and controls they envisioned earlier in the year.
As a result of these developments, AMR estimates that spending on technology to support SOX and other compliance requirements will grow by nearly 1000 percent between 2003 and 2004 (see Exhibit 2).
As spending increases, we see SOX compliance moving from a tactical (finance-driven) to a strategic (enterprise-based) concern. And as this happens, more constituencies—in particular, IT and the CIO—are becoming increasingly vocal about how to create a repeatable and sustainable compliance regimen.
Survey responses indicate that a solid majority of companies want and expect business improvement to result from Sarbanes-Oxley compliance spending. If they are spending money to comply, they want some return on investment. Companies view the expected business improvements resulting from SOX compliance spending as modest. Yet they are quite clear about what they want to see happen:
- Better alignment between all business policies and related controls.
- Improved capability to manage risks in the business.
- Heightened awareness of compliance as part of every business initiative, including supply chain programs.
- Improved governance of IT functions core to business operations.
- Improved accountability across the entire organization.
- Improved financial decision making.
- Better visibility into performance at business-unit levels.
- Improved ability to react to changes in market conditions.
When it came to spending on SOX compliance, many companies thought that they had already made all the decisions they needed to make; now it was just a matter of executing the mandated activities. But more and more companies are starting to ask, "How do we make compliance efforts repeatable, sustainable, and cost-effective into Year Two of Sarbanes-Oxley and beyond?" As reality sinks in and thinking matures on how best to manage this new set of requirements, we're seeing companies revisit SOX compliance with an eye toward long-term manageability, even across multiple compliance initiatives.
Although we can't fully estimate aggregate planned spending at this time, all indications are that 2005 IT-related compliance budgets will continue to grow. Among those companies surveyed, 68 percent expect budgets to increase year over year and 19 percent plan on level spending in this category. Our first-blush estimates indicate that IT compliance budgets will rise at least another 10 percent in 2005.
The Road Ahead for Sarbanes-Oxley
As business executives march toward looming compliance deadlines, SOX will remain on top of their minds into 2005. First-wave companies (those with fiscal year-ends after June 2004) are now delivering their initial Section 404 documentation to auditors to support their assertion that critical controls are in place and effective.
Yet as SOX moves forward, it has not escaped controversy. In the May 27, 2004 Wall Street Journal, John Thain, CEO of the New York Stock Exchange, questioned whether the costs of Sarbanes-Oxley are too high and could inhibit long-term growth in the U.S. capital markets. There's no doubt this issue will be debated for some time to come. But prudent companies appear to be accepting compliance as a fact of today's corporate life and are planning to increase spending to better support the business in the medium- and long-term.
| Author Information |
| John Hagerty is vice president, research at AMR Research. |






















