The ROI of SOX: SOX compliance investments can boost your bottom line.

Author: Putrus, Robert
Position: SOX CONTROLS

While Sarbanes-Oxley compliance costs can vary depending on a company's revenue, operational reach and ownership structure, many businesses have experienced a multifold return on investment, ranging from the introduction of new initiatives to the implementation of improved business processes.

Businesses can boost their bottom line if they approach SOX compliance as an opportunity to improve the business' management, as well as to reduce the costs of operations and internal audits.

SOX COMPLIANCE

In general, SOX compliance investments can be classified into one or more of the following:

* Information Technology--investments in infrastructure, such as networks, system management and software;

* Business Controls--investments in enterprise resource planning, supply chain management, customer relationship management, etc.; and

* Company Policy and Management--management decisions regarding the centralization or decentralization of the business' processes; mapping management accountability into processes; and improvements to corporate governance.

This article focuses on the quantification of SOX compliance benefits and the ROI of IT and business controls initiatives. In combination, these initiatives can provide controls that prevent fraud, misuse or loss of financial data transactions; enable speedy detection if and when such problems occur; and allow preventative action to be taken to limit and mitigate the effects of the problems.

IT CONTROLS

There are four basic general controls within the IT initiative, as stated by COBIT (Control Objectives for Information and related Technology):

* IT planning and governance--includes the information systems strategic plan; the IT risk management process; compliance and regulatory management; and IT policies, procedures and standards.

* Computer systems management and operations--controls over the definition, acquisition, installation, configuration, integration and maintenance of the IT infrastructure. This includes service level management; management of third-party services; system availability; problem and incident management; and facilities management.

* Program or application development and change controls--controls over the acquisition and implementation of new applications and the maintenance of existing applications. The risks are controlled by developing, and complying with, a system development and quality assurance methodology. The methodology provides guidelines for system design and implementation...
