Sarbanes-Oxley costs not being tracked

Many companies have no idea how much money they are spending on corporate
compliance, research shows.

A survey conducted by the Information Security Forum (ISF) shows that work on
Sarbanes-Oxley is diverting spending away from addressing other security

According to ISF consultant, Andy Jones, many firms are simply racing to
become compliant with the legislation without keeping a proper track on how much
money they are spending.

‘I think there is an element of [over-enthusiasm], particularly in year one
of the process. The chief finance officers are personally liable if compliance
isn’t reached, so they’re telling their people “get it done”,’ he said.

Jones says the survey shows a very high level of executive commitment for

‘Eighty three per cent of those working on compliance say they are happy with
support from management, which perhaps isn’t surprising given the penalties
associated with it,’ he said.

Of the firms that did know what compliance is costing, the ISF says some have
spent over $10m (£5.7m) upgrading records management systems and associated

Jones says the expense associated with compliance is coming from the need to
look at entire organisations.

‘The obligation is to understand the controls that are needed across the
company, rather than looking at project areas. Another part of it is testing,
with Sarbannes-Oxley you have to prove everything has been tested,’ he said.

‘For organisations whose business is not primarily financial, the diversion
of information security attention from other risk areas to Sarbanes-Oxley
compliance may lead to important business risks being neglected.’

Related reading