
Survey: Compliance spending soars

A new AMR Research study breaks down the damage: SOX, HIPAA -- and all the rest.

Companies will spend nearly $15.5 billion on compliance programs in 2005, according to a recent study by Boston-based AMR Research.

Sarbanes-Oxley (SOX) programs topped the list for spending, accounting for 40% or $6.2 billion of the $15.5 billion, but the corporate reform law is not the only compliance issue eating into company budgets, the study found.

Compliance spending on the Health Insurance Portability and Accountability Act (HIPAA) is expected to exceed $3.7 billion and account for 24% of total spending. Indeed, for just over 13% of the companies surveyed by AMR, HIPAA compliance is their largest spending category. These companies will spend an average of $2.2 million on HIPAA in 2005.

The Federal Drug Administration and U.S. Securities and Exchange Commission exact their price too, each sucking up about $1 billion in 2005. The survey, conducted in the fourth quarter of 2004, polled 225 companies from around the globe.

So, just where is all that money going? Most of it is being spent on people -- internal staff and external consultants. AMR reports that nearly two-thirds of compliance budgets are spent on compliance-related salaries and contracts.

That will likely prove true at Muzak, the South Carolina-based provider of music programming, the type played in some elevators and malls. Dave Thompson, vice president of information technology, says the privately held company is gearing up to make its first investment in compliance in 2006. Thompson has been talking to Policy Technologies International Inc. of Rexburg, Idaho about policy management software. The big bucks will go to the outside consultants.

"We'll probably use Jefferson Wells to help with compliance," Thompson said, referring to the Milwaukee professional services provider. "They haven't given us back a solid figure but are basing it on having two full-time consultants on staff for four or five months."

Although SOX and HIPAA account for the largest compliance expenditures in 2005, record keeping and training are demanding attention. Over half the companies cited document and record-keeping requirements as a current concern; 42% cited code of conduct and training.

Very few companies say their work is done on compliance. Nearly 70% of companies plan to add to or improve their compliance plans in 2005. In terms of budgeting, 92% of those surveyed said their budgets will stay the same or increase in 2005, with 44% reporting increased spending.

One consultant, John Verver, believes that technology must step up to the plate to help companies rein in costs.

"The amount of money companies have poured into assessing Sarbanes-Oxley is not sustainable in the long run," said Verver. "We see compliance spending increasing, but increasingly being spent on areas that provide payback. I think spending on consultants and third parties will decline and will be replaced by software."

Verver is vice president of professional services for ACL Services Ltd., a Vancouver software company that got its start by working with the big accounting firms.

"What we saw by working with large numbers of auditors was that they found control problems, sometimes transactional and sometimes systemic. We decided to build products that took all of these audit best practices and embedded them into the business process, not so much from a compliance point of view but to benefit these different business areas," he said.

When Sarbanes-Oxley came along, the company's software took on a "whole new value proposition," he said. ACL has developed a suite of products that continuously monitor transactions and identify those that fail control tests -- from duplicate payments to payroll inconsistencies.

Clients include the federal government, which uses ACL products to monitor procurement spending, as well as large multi-national companies.

ACL software for a single business area costs about $200,000. A full suite of software for all business process areas would come to about $1 million, an amount Verver claims compares favorably with the 0.5% to 1% error rates.

"In a multi-billion company that mounts up," he said, citing one large multi-national where duplicate payments identified by the ACL software in just one of its operating entities amounted to $900,000 within a few months.

"They were running an ERP where the system was not meant to allow duplicate payments. We implemented a system that monitored across the ERP and found they were making payments both within the US and in Mexico."

This article first appeared on
