The SOX ripple effect
Implementing any of these frameworks has a huge impact on the IT and Finance functions within a company. Companies implementing COSO, COBIT, or ITIL should not underestimate the training and change management implications. People in Finance will have new processes to monitor, repair, and report on; IT employees will require new design and procedural skills; HR departments will have to hire or train people to make these shifts. Being SOX-compliant is not something only CEOs, CFOs, CIOs, board members, or auditors have to worry about. It changes the way everyone in a company works.
Paying Up: What's SOX Going to Cost You?
For most organizations, the first year of SOX compliance was not easy. It was costly and time consuming. Companies had to redesign and document their roles and processes. Usually managed as a project, SOX compliance caused significant disruption to business activities. Guidance from the authorities was limited, and the auditors themselves were often unsure of what was required. Because little SOX-compliant software was available, most initial projects were mainly manual or spreadsheet based and painstakingly slow. The basic goal of most companies was to get through the audit without material weaknesses, whatever the cost. Not surprisingly, costs were significant.
SOX Costs Then
KPMG, a global firm specializing in audit, tax, and advisory services, conducted a survey of 90 Fortune 1000 companies covering their first year of compliance with SOX, which revealed that:
- Twelve percent of companies disclosed material weaknesses in their internal controls over financial reporting.
- On average, companies spent around $1 on SOX compliance for every $1000 of revenue.
- On average, companies remedied 271 control deficiencies in SOX during the first year. They still had another 77 deficiencies left to address at the end of that year.
- Two-thirds of the companies disclosing a material weakness in their internal controls over financial reporting changed their CFOs within three months of filing their SEC returns.
100 Part II: Diving into GRC