After I pointed out Gartner was projecting SOX compliance may cost 15% of IT budgets in 2006, I received comments saying Gartner was way too high. AMR's projections of the SOX-related software market are only in the $6 billion a year range. So, I emailed French Caldwell, VP and Research Director, Public Policy at Gartner and one of the authors of the survey which came up with the 15% number.
French took the time to write a lengthy answer - and one very revealing of the budget games being played.
"Vinnie – Thanks for raising the question concerning the amount of the Sarbanes-Oxley compliance spend. I know that 10 to 15 percent of the IT budget sounds high, but I did a number of data checks to test that number and it correlates with other Gartner data, including our Executives Program survey of CIOs.
I was shocked at first, so let me share a number of ideas that would help this number make sense:
1 – Some survey participants are gaming the survey. They think Gartner will believe just about anything that creates some sensationalism, and they want to get more money for their IT compliance budgets – so they report artificially high numbers. Well, after cleansing the data of what looked like people gaming the survey, the average came down a lot, but the median didn’t come down too much. What does that mean – it means that most people still fall out evenly on both sides of a number between 10 and 15 percent. I’m still working on the final report – but I can say for sure that based on this survey, and after cleansing the data of the gamers and after checking it against other Gartner surveys, the answer is somewhere between 10 and 15 percent of the 2006 IT budget is slated for compliance. I’ll firm that up in the final report.
2 – Compliance is not just compliance anymore. This is a very likely reason for the high numbers. Lots of spending is being relabeled as compliance. Pretty much the whole IT security budget is directed at maintaining and improving internal controls, isn’t it, and internal controls are relevant to compliance, aren’t they – so some people could be including the IT security budget, or large parts of it, in compliance. Other activities, such as IT audit, may be relabeled as compliance. A six sigma program may be called compliance now, and on and on.
3 – There are more people doing compliance. That’s pretty clear. Two years ago, very few companies outside of banking had IT compliance managers. Now just about everyone has one, it seems. Our typical survey participant worked for a large company, and large companies now say they have about five full-time equivalents working on compliance. Furthermore, companies have not been able to get rid of all the SOX consultants yet. It takes money to pay all these people.
4 – Process reengineering is being called compliance. Lots of audit deficiencies can’t be fixed by just a tweak here or there. Some require going back and re-whickering the process. BPR is making a bit of a comeback as a result of trying to fix a lot of the audit deficiencies – see number 3 above in regard to consultants – it takes money to pay these people.
5 – A compliance tag gets your pet project more money. This is a given. CFOs were at the high end of that 10 to 15 percent in their estimate of how much of the IT budget would go to compliance. So maybe, just maybe, some CIOs might be getting more budget by labeling some projects as compliance projects. And just possibly some other IT managers have found that they can get higher priority by labeling their project as part of the compliance activities of the company. Plus a lot of this is legitimate – if something touches the financial management system, then Sarbanes-Oxley compliance needs to be at least a consideration. One of my colleagues who covers Security Information and Event Management technology says that every single call he has taken from clients in the last six months was driven by compliance. Does that mean that absent SOX he would not be getting calls – not at all, they would just be driven by some other reason.
I’m sure there are a lot of other reasons why the number is so high, but it is clear to me that it is legitimate, and I would attribute most of it to redefining what is compliance, but some of it is clearly new spending for IT compliance people, for consultants, and for compliance technology. New money in the budget targeted specifically for compliance was reported by 27 percent of CIOs."
Thanks, French.
As they say, a billion here, a billion there and pretty soon we are talking real money. The SEC will need to issue yet another set of guidelines on how to consistently account for SOX spend.
It still begs the questions I asked in $1 billion per word:
If SOX had been in place in 2001, would it have stopped Enron from happening? 4 years later, are we as individual or institutional investors any smarter about complex entities like GM or Exxon?