Study: Sarbanes-Oxley Doesn't Worry Most IT Managers

Looked upon with dread by many IT managers, the Sarbanes-Oxley Act (SOX) might, in fact, not be as onerous when they actually have to face its implementation, according to a new study.

In a survey of IT managers in its client base, the Aberdeen Group found that most IT managers plan simply to leverage their existing software tools to fill in any gaps to comply with SOX mandates. "Sarbanes-Oxley is asking companies to make sure they have documenting procedures in place," said Aberdeen's Christa Degnan in an interview. "Many companies already have them in place."

Degnan, who is research director of Supply Train Research at the consultancy, said she believes potential problems associated with the implementation of SOX have been "overhyped." She added that there is nothing inherent in SOX that needs to be understood--often good informal reporting and auditing procedures can be updated to conform to audit trails mandated by SOX.

"Some respondents indicated that SOX compliance prompted changes in their supply-management strategies and operations, but no corresponding increases in their IT budgets," she noted. A few respondents, representing about 10 percent of those polled in the survey, said SOX had no impact whatsoever on their supply-chain organizations.

Aberdeen found that two-thirds of IT managers and purchasing agents responding to its survey planned to leverage and extend their existing business systems. Of the remaining one-third, most said they planned to evaluate new business applications.What about the one-third who said SOX will have an impact on their IT and supply-chain operations? Degnan indicated that IT operations with existing inadequate compliance procedures and controls could be pressed into improving such procedures by the SOX law. "[We recommend] that enterprises look beyond basic spend compliance to focus on the total cost of ownership of supply relationships," she said.

Aberdeen found that, of the one-third considering upgrading IT operations to comply with SOX, more than 40 percent were considering beefing-up contract-management and supply-chain analytics functions. About 35 percent were looking at upgrading spending analysis and invoice reconciliation and payment. Other upgrades prompted by SOX: supplier performance measurement, employee expense reimbursement automation, inventory management, e-sourcing, and e-procurement.

Degnan and the co-author of the report, Tim Minahan, vice president of Supply Chain Research, tackled the outsourcing phenomenon in the study. "Outsourcing is a little tricky," Degnan said, noting that it's still unclear exactly to what extent outsourcing functions will have to be audited.

Degnan suggested that non-mission critical functions can be easily outsourced without much worry on the part of IT managers. She said, "Turning over non-mission critical supply- management responsibilities to a third-party specialist could be just the ticket."