The Patriot Act was signed into law in 2001; the Sarbanes-Oxley Act, in 2002. The year 2003 was devoted to planning for compliance with these two famous Acts. North American financial services firms undertook much organizational activity around Sarbanes-Oxley (SOX) and the Patriot Act, but spending on external IT solutions to comply with these regulations was disappointing. Whereas 2003 was clearly a hype year for the compliance IT market, we believe that 2004 and beyond will bring real spending on IT to automate and integrate new compliance processes.
The Focus on SOX 404
Section 404 mandates that firms listed on U.S. stock markets provide annual disclosures and quarterly updates to shareholders on the effectiveness of their internal controls over financial reporting processes. The huge organizational effort required to comply with this rule brought SOX 404 to the forefront of the compliance agenda of North American financial services firms in 2003. Compliance with this section will continue to dominate compliance priorities in 2004.
Despite the attention devoted to SOX 404, financial services firms were hesitant to purchase external applications designed for SOX 404 compliance in 2003. Many financial institutions are planning to rely on the controls documentation solutions supplied by their consultants to meet the deadline for SOX 404 by November 2004. Others firms developed a SOX 404 solution in-house instead of purchasing an external solution. The primary reason cited for electing to develop the solution in-house: employees can do a better job with development of a SOX 404 tool that fits a firm-s unique processes.
Automating SOX 404 Workflow in 2005
Given this prevailing attitude, Financial Insights estimates that North American financial services firms spent less than $30 million on external solutions for SOX 404 compliance in 2003. We estimate that this number will double in 2004. While firms are clearly taking a 'just get it done' attitude toward SOX 404, we believe that they will change their attitude over the next couple of years. Financial firms will begin automating compliance processes after going through their first SOX 404 reviews and they will look to more robust external solutions to help them accomplish this. At this time, they will seek a more flexible solution that can expand to include additional fields or control types and they will recognize the need for a scalable enterprise solution that can support workflow for hundreds or even thousands of employees every quarter. Spending by North American financial institutions on solutions that can automate SOX 404 processes will grow strongly, at 40 percent annually, over the next five years, to reach $300 million by 2008.
Sarbanes-Oxley Compliance, More than Just 404
But what about other sections of Sarbanes-Oxley? Section 302 requires senior executives to certify that reported financial and non-financial information is accurate and complete. And what about related SEC rules that will require accelerated and additional disclosure for 10-Ks, 10-Qs and 8-Ks? Clearly, there is more to compliance than just SOX 404.