Sophie Louvel, Analyst, Financial Insights

IT Spending for Compliance: From SOX 404 to Comprehensive Compliance

2004 and beyond will bring real spending on IT to automate and integrate new compliance processes.

The PATRIOT Act was signed into law in 2001; the Sarbanes-Oxley Act, in 2002. The year 2003 was devoted to planning for compliance with these two famous Acts. Much organizational activity took place around Sarbanes-Oxley (SOX) and the PATRIOT Act, but spending on external IT solutions to comply with these regulations was disappointing. Whereas 2003 was clearly a hype year for the compliance IT market, we believe that 2004 and beyond will bring real spending on IT to automate and integrate new compliance processes.

The Focus on SOX 404

Section 404 mandates that firms listed on U.S. stock markets provide annual disclosures and quarterly updates to shareholders on the effectiveness of internal controls over financial reporting processes. The huge organizational effort required to comply with this rule brought SOX 404 to the forefront of the compliance agenda of North American financial services firms in 2003. Compliance with this section will continue to dominate compliance priorities in 2004.

Despite the attention devoted to SOX 404, financial services firms were hesitant to purchase external applications designed for SOX 404 compliance in 2003. Many financial institutions are planning to rely on the controls documentation solutions supplied by their consultants to meet the November 2004 deadline for SOX 404. Other firms developed a SOX 404 solution in-house instead of purchasing an external solution. The primary reason cited for electing to develop the solution in-house: employees can do a better job of building a SOX 404 tool that fits the firm's unique processes.

Automating SOX 404 Workflow in 2005

Given this prevailing attitude, Financial Insights estimates that North American financial services firms spent less than $30 million on external solutions for SOX 404 compliance in 2003. We estimate that this number will double in 2004. While firms are clearly taking a "just get it done" attitude with regard to SOX 404, we believe that this attitude will change over the next couple of years. Financial firms will begin automating compliance processes after going through their first SOX 404 reviews, and they will look to more robust external solutions to help them accomplish this. At this time, they will seek a more flexible solution that can expand to include additional fields or control types, and they will recognize the need for a scalable enterprise solution that can support workflow for hundreds or even thousands of employees every quarter. Spending by North American financial institutions on solutions that can automate SOX 404 processes will grow strongly, at 40 percent annually, over the next five years, to reach $300 million by 2008.

Sarbanes-Oxley Compliance, More Than Just 404

But what about other sections of Sarbanes-Oxley? Section 302 requires senior executives to certify that reported financial and non-financial information is accurate and complete. And what about related SEC rules that will require accelerated and additional disclosure for 10-Ks, 10-Qs and 8-Ks? Clearly, there is more to compliance than just SOX 404. Sarbanes-Oxley Act rules imply that the executive office must have visibility into the details underlying reported financial information and must know in real time of any changes to business performance. This requirement will fuel new investments in performance management applications that enable detailed and dynamic monitoring of a firm's financial performance. Investments in performance management solutions are not new to financial services firms. Finance groups in financial institutions have been purchasing such solutions over the last several years to improve financial management processes. At a few large financial institutions, compliance has been a leading driver for purchases sponsored by the corporate office.

Financial Insights estimates that North American financial institutions spent over $100 million on enterprise performance management solutions in the U.S. and Canada in 2003. This number will grow to $174 million in 2004 and will reach $450 million by 2008.

Beyond Sarbanes-Oxley, Comprehensive Compliance

Given the similarities in the applications and infrastructure components required to comply with new regulations impacting financial services firms, including the PATRIOT Act and Basel II, we estimate that a key long-term trend in the market for compliance solutions will be application and infrastructure integration.

On the infrastructure side, we foresee that the data infrastructure supporting compliance activities will become more and more integrated, either through data warehouses or through applications that can connect to disparate sources. On the application side, we are already seeing firms invest in solutions that meet both the anti-money laundering requirements prescribed by the PATRIOT Act and the SEC and Sarbanes-Oxley-related requirements to monitor for internal fraud and for breaches of securities laws. Investments in such AML/Surveillance solutions have been particularly strong among securities firms.

Specific to Sarbanes-Oxley compliance, we estimate that SOX 404 solutions will become more and more integrated with enterprise performance management applications to facilitate the regulatory reporting process.

Integration will take time. Technologically, it is already here today, and IT vendors have been ready with partnerships and attractive solutions. Culturally and organizationally, it is not. Financial services firms have much internal work to do before they can begin to combine disparate compliance processes. Until then, IT investments for compliance will remain focused on specific regulations.
