Print this article | Return to Article | Return to CFO.com
As a new year begins, Sarbox and governance converge — and new technology takes a holiday.
Bob Violino, CFO Magazine
January 1, 2006
First the bad news: Even if you're confident that your organization has mastered Sarbanes-Oxley requirements and absorbed the worst of the costs, you still face a growing list of compliance demands that will likely consume a big chunk of your IT (and other) budgets, and continue to command major time commitments from your finance and IT staffs. If you thought 2006 would spell an end to compliance issues, think again.
But there is good news: now that Sarbox is proving to be anything but a quick hit, it is driving what may be an enduring synergy between finance and IT, propelling "IT governance" to new heights, and giving organizations new insight into their own processes. The laws that were intended to make companies more transparent to the outside world have also made them more transparent to themselves, which may usher in a new, more sophisticated level of decision-making.
A related bit of good news: there appears to be little of interest competing for IT dollars or attention. Forrester Research Inc. predicts that the current tech slowdown will continue until 2008 as companies attempt to digest what they've already purchased. Other market-watchers such as Nucleus Research believe 2006 will be dominated by such trends as continued pricing pressure on vendors, a growing disillusionment with outsourcing, and the steady adoption of technologies that help stitch together current IT and Internet infrastructures. That is, with no paradigm-shifting technology in sight, the management of existing technology will get most of the focus.
And much of that focus will center on compliance. Gartner Inc. analysts Jorge Lopez and French Caldwell say that spending on compliance initiatives is growing at twice the rate of IT spending, and in some cases the entire discretionary portion of a company's IT budget is given over to compliance efforts, leaving virtually no money available to pursue other opportunities. They argue that a race between the U.S. government and the European Commission for "regulatory parity" will make compliance projects a fact of life for most large companies between now and 2010, a trend exacerbated by activity at the local, state, and regional levels as authorities at all levels attempt to exert controls that will affect businesses in a variety of ways.
This need not inspire total paralysis, of course. Southern Co., an Atlanta-based electric utility, is evaluating a number of major technology initiatives, including the adoption of Voice over Internet Protocol networking and a new general-ledger system that would integrate with Southern's entire supply chain. And as it does so, it is singing an increasingly common refrain. "One of the key things we've learned is that you need the business people and the IT people working shoulder to shoulder to make such projects successful," says Mike Harreld, executive vice president of Southern Co. and CFO of subsidiary Southern Co. Transmission. "The IT people don't have the experience in business, and the business people don't fully understand IT."
The Role of Finance
Sarbox has certainly brought finance and IT closer together, as our annual IT Directions surveys have found, although fewer CFOs this year than last (34 percent versus 48 percent) said that was the case. It's hard to say whether that decline reflects specific frustrations with Sarbox audits or the fact that at many companies IT and finance have been working together more closely for longer than a year. Either way, many CFOs say that finance-IT cooperation is becoming increasingly important and that it goes well beyond the shared mission of compliance.
"There's so much that our company does in IT that needs to be framed within the context of finance," says Michael Blake, vice president and CFO of the IT division at Kaiser Permanente, an Oakland, California, provider of health-care services. "IT is one of the few expenses that is almost 100 percent at management's discretion, and sometimes the best lens on that is finance," which provides guidance on when the company should boost or throttle back technology spending. Blake says the finance department at Kaiser Permanente works closely with IT management to allocate resources and manage projects.
As a not-for-profit entity, Kaiser Permanente isn't subject to Sarbox 404 rules, at least not yet. Nevertheless, it's using the stick of compliance to pursue the carrot of better IT governance. "IT and finance can work together on this, and if we do it right we'll be Sarbanes-Oxley compliant just by the fact that we govern appropriately under frameworks such as CobiT [Control Objectives for Information and Related Technologies] and others," Blake says. "With the advent of compliance, all of a sudden governance is starting to take a front seat."
Indeed, when we asked CFOs about their IT priorities for 2006, the number one answer was "Maintain or improve service levels," followed closely by "Drive productivity/efficiency initiatives," reinforcing Gartner's view that companies will have less funding to investigate new technologies this year. One exception may be software that addresses compliance and IT governance, which Gartner says will become a $9 billion market worldwide by 2008. One priority at some firms will be to see how such expenditures can be leveraged to meet a variety of needs (see "Doing More with Sarbox Software" at the end of this article).
Even amid regulatory requirements, life goes on, and companies such as The Hartford Financial Services Group Inc. are trying to balance the near-term demands of Sarbox with longer-range planning. Libbie Bock, vice president and CFO of The Hartford's eBusiness & Technology group, says that the company will spend more on IT in 2006 as it tackles "many more significant projects than we have in recent years." Many of those projects will be focused on a reengineered IT infrastructure that will allow the company to make greater use of emerging industry standards and to deliver IT services to employees and external partners more efficiently.
"We are now one year into a multiyear change effort to transform our IT organization," she says, "that will aggressively improve our total cost of ownership, enhance our operating model, and improve our talent."
Part of that effort, inevitably, will be to address compliance issues — for example, the company is establishing policies on how best to classify and save data — but Bock says that while last year The Hartford was largely in a "reactionary" mode, this year it will move forward more thoughtfully as it establishes policies suitable for the long haul. As for where the company might be with its multiyear plan if there were no compliance issues to address, Bock says "the rigor required for Sarbox has better positioned us to move full speed ahead in our transformation. We invested time in 2004 investigating six general IT processes [physical access, logical access, release management, job processing, data transmissions, and data backup]. Now we can effectively leverage that base of consistent processes and policies."
Moving forward more thoughtfully is essentially what IT governance is all about, and analysts expect it to gain steam in 2006. At The Hartford, a Capital Planning & Portfolio Management group performs "benefit capture" audits as IT projects are completed to assess how well they delivered expected returns, says Bock. And the group approves all new projects by applying a consistent cost/benefit methodology so that capital is allocated based on an "apples-to-apples" comparison. But ultimately, she adds, finance plays a consultative role with IT, rather than being in a position of direct oversight.
That seems to be the way most CFOs want: our survey found that while 31 percent of CFOs believe IT should report to finance, almost twice as many (59 percent) think it shouldn't, but that the two groups should work closely on a range of strategy issues. (Only 5 percent thought that the two should collaborate only on matters of spending, while 6 percent thought they should operate independent of each other.) That issue will likely remain up for debate in 2006 as CFOs acknowledge that the relationship can be a balancing act.
"Finance has to play both an oversight and a consultative role, and play them both well," maintains Blake of Kaiser Permanente. "There are times you must have oversight and times you consult." But in an oversight role, he says, finance has to be discerning about budget decisions or risk thwarting strategic growth. For example, if the finance department issues a blanket reduction in all IT expenses, "you can start shutting down meaningful conversations that need to happen between finance and IT," says Blake.
Whatever happens, it won't entail a big increase in IT budgets. Numerous surveys indicate modest single-digit increases will be the norm. But expect companies to vary greatly in their ability to extract maximum impact from precious dollars.
Bob Violino is a freelance business and technology writer based in Massapequa Park, New York.
Searching for a Silver Lining
Doing more with Sarbox software.
Ask Tracy Schmidt, CFO at CNL Financial Group, about the many costs associated with Sarbanes-Oxley compliance, and his answer will resonate with many of his peers. "It's a high price for a questionable benefit," he says.
But as companies get past their first audits and look ahead, many are seeing a potential silver lining and believe that the IT component of Sarbox may pay off in unexpected ways. "Most companies are still trying to get comfortable with the changes brought about by Sarbox," says Forrester Research Inc. analyst Michael Rasmussen. "But a number of them — maybe 10 percent at this point — are beginning to try to leverage their Sarbox investments."
"After spending significant time, money, and effort," says Michael J. Schroeck, a partner and the global business intelligence (BI) leader for IBM Business Consulting Services, "companies have controls in place. Now they're asking how they can derive more value from their investments."
Research conducted by Deloitte & Touche found that 61 percent of CFOs plan to adopt a "beyond compliance" strategy in which compliance requirements are seen as an opportunity to improve business and gain competitive advantage, while only 17 percent intend to take a compliance-only approach.
Even the severest Sarbox critics concede that bringing their companies into compliance has yielded a number of positives. CFOs responding to the Deloitte & Touche survey listed a number of these, including streamlining operations, optimizing controls and related processes, and improving accountability through the organization. "I think most people would say that gaining a better understanding of their organization's internal controls has certainly been of benefit," says Schmidt, who had been CFO at FedEx Express before joining CNL.
Schmidt notes that prior to Sarbox, awareness of how financial processes interface with IT was often sketchy, or, as he says, "too much of a black box." As the result of compliance efforts, however, a level of understanding has been gained on both sides of the aisle. "You'll hear, 'Oh gosh, so that's what you really need, that's what you do with what we input [from finance],'" says Schmidt. "'If that's the case, here are some different ways we can do things faster, quicker, and smarter.'"
Now that most companies have controls in place and are in compliance, IBM's Schroeck says the next step is to add BI software to the mix. The logic? Why gather up lots of information merely to satisfy a legal requirement when you can also use it as the basis of better decision-making. "Companies will augment financial information with customer, product, and channel information in an effort to make quicker, better-informed decisions about business developments," he says. In 2006, expect vendor sales pitches to begin to emphasize this beyond-compliance idea. — Laton McCartney
What Else in '06?
We polled a number of IT consulting firms and asked what they see as the big issues for 2006. Here are some of the highlights.
While it's surprising that a mere 2 percent of CFOs responding to our survey want to reduce the number of vendors they deal with, they may understand that the market is simply doing it for them. IDC predicts that IT and telecom mergers will continue unabated, with infrastructure, data/content management, and services particularly ripe for consolidation.
IDC also believes that software-as-a-service will reach a notable tipping point as one or more of the major software vendors (SAP, Microsoft, Oracle) offer next-generation versions of their products in this model.
Outsourcing and offshoring will lose their luster, says Nucleus Research, although the company believes that clients of such services have learned valuable lessons regarding project/ contract management and collaboration, which they will extend through their internal operations.
Service-oriented architectures will gain ground and win over skeptics, says Nucleus, and also give companies a viable way to rebuild patchwork systems and kill legacy applications.
Specialization will become a handicap for IT workers, says Gartner, predicting that the market for IT staffers with expertise in a given technology will decline by 40 percent over the next five years. On the rise are "versatilists," who understand the business and whose multidisciplinary backgrounds and experience allow them to harness IT to ever-changing business conditions.