Insurance industry experts will argue for a long time about exactly how much the Sarbanes-Oxley Act (SOX) has cost the insurance industry. They probably can agree, however, that those costs are significant.Carriers incur the costs making sure they comply with the act, which aims to make corporate executives responsible for the accuracy of their financial statements and for the internal controls that minimize errors and reduce fraud.
Most industry experts say carriers experienced their highest SOX costs during the 2004 and 2005 deadlines. "These were critical years in terms of SOX compliance IT spend, where the focus was on personnel, auditing, consulting and internal process documentation," says Amit Shah, an analyst in financial services technology at Datamonitor PLC, a London-based business information and analysis firm.
The compliance deadline snuck up on insurers, and costs might have been a bit lower had they been given more of a lead time, says Donald Light, a senior analyst in Boston-based Celent LLC's insurance group. "But it would not have had the political impact, which was its purpose."
Indianapolis-based Conseco Services LLC experienced just that. "We were expecting deferrals, and thought we had more time [to comply] and didn't understand the magnitude of [the compliance requirements]," says Jackie Byers, vice president and SOX compliance officer at Conseco. "The majority of our pain was from a testing perspective and just really assessing the controls from June 2004 all the way up to the wire."
And this was when Conseco made its most significant investments for SOX compliance, says Byers. "In order to enhance our change management process within IT there was a pretty significant investment in some hardware and software-something we use as a repository to manage all of our requests to changes to the IT systems and as an audit trail to track the approval process."
Light agrees the SOX-related initiatives that required insurers' immediate attention cost them quite a bit. But he says those initiatives also "crowded out other projects that may have a business purpose rather than a compliance purpose."
Fortunately, those projects that were initially pushed aside may see action now, as the SOX compliance costs don't have as big of a presence in IT budgets as they did in 2004, according to Light. "In terms of total IT budgets, if there has been an expansion or extra cost I'd say it's probably been pretty modest-5%, maybe 10%, maybe for a year or two," he says.
Other experts say to expect even more of a lull in SOX costs as years go on. "IT spend was expected to slow down from 2006 onwards, however, the remaining spend will be more focused toward investing in technologies to integrate controls into insurers daily operations," says Shah.
TODAY'S COSTS
A present expense insurers face with SOX compliance is the cost of additional staff. Conseco did add staff and reallocate duties within its IT department. "Because of the segregation of duties now, we probably aren't as thin as we could be or would like to be," says Byers, noting that this may be due to backup requirements. "The backup for things alone created increased resources."
Light attributes the need for additional staff to the intensive documentation and processes requirements. "Essentially, that's all Sarbanes-Oxley is: You have to have proper processes in place that are documented and auditable. Companies have to divert a lot of their own staff to those tasks [to allow] major accounting firms to come in and review the review."
External audit fees contribute to insurers' SOX compliance costs. The insurance industry and other industries affected by SOX raise concern about external auditors' outdated processes and technologies and high costs.
Conseco tries to control those costs by focusing on internal auditing processes. "I have a team of about 10 people and we do the same level of testing that our external auditors do; we probably do more than they do because they rely on our work in certain cases," says Byers. "The [external auditing] firms are trying to do more of an integrated audit, so they don't necessarily have good data on SOX vs. what's on their substantive audit of the financial statement so we continue to see big numbers there but hope that recent guidance from the PCAOB (Public Company Accounting Oversight Board) will really help drive down some of the audit costs."
The PCAOB is a private-sector, non-profit corporation created as part of the Sarbanes-Oxley Act of 2002 to oversee, regulate, inspect and discipline auditors of public companies. It has issued guidelines on how auditors should provide their attestations.
Other insurers may be following Conseco's lead by spending more on internal processes to decrease external services costs. Boston-based AMR Research Inc. reports that internal staff effort for SOX spending is on the upswing, up 6.5% to $2.51 billion. However, according to the research, external services spending continues to drop, down 9% year over year to $1.72 billion.
Auditing will continue to play a large role compliance costs, says Datamonitor's Shah. "There are numerous technology areas that can help with this. Bearing in mind that SOX affects the entire organization, technologies that can help the auditing process range from business process management solutions to business intelligence solutions to data storage, analysis and management solutions and so forth."
GOOD VS. EVIL
Some industry experts may disagree on whether the outcome of SOX was worth all the costs. David McElroy, executive vice president, Hartford Financial Products, a unit of The Hartford in Hartford, Conn., sees benefits outweighing the costs. "A company's additional costs for Sarbanes-Oxley compliance are frequently offset by the benefits it derives. Focusing on internal controls and adhering to the financial reporting provisions of SOX will prevent the more egregious accounting frauds, which have a real cost to a corporation," he says.
Celent's Light disagrees with the idea of SOX benefits outweighing the costs. "Before Sarbanes-Oxley was passed, it was illegal to lie, cheat and steal," he says. "Sarbanes-Oxley just created a huge review on its mechanism with very draconian penalties attached to it to continue to make it illegal to lie, cheat and steal if you're running a public corporation."
Light will, however, admit that the act has improved insurers' processes and controls. Byers agrees and says she has seen the benefits Conseco has experienced after the first year. "The benefits in the first year clearly did not exceed the cost, and we'll never recover those costs," she says. "But just avoiding Enron-type situations, it's hard to put a value on what it's worth. Conseco has achieved numerous benefits from SOX."
Some benefits Byers says she sees include increased awareness and ownership of internal controls throughout all levels of the organization, improved understanding of the relationship between risks and controls, a better understanding of the risks associated with general computer controls on the IT side, and standardization.
"We have numerous locations, and SOX has encouraged standardization between our entities and our locations that has lead to more efficient procedures and some lower internal costs," says Byers.
Datamonitor's Shah believes these benefits are produced by technology and its "error-free" automated processes.
"Some insurers over the last 12 months have been focusing on their workflow engines and data warehouses/repositories in order to gain increased transparency and instant visibility for their internal control procedures," he says. "Data and the quality and accuracy of data is critical in complying with SOX as it is with complying with any regulation."
Therefore, Shah says, enhancing and improving workflows and data warehouses enables insurers to map compliance risks and controls. And they are able to manage policies and procedures and rapidly deal with issues as they arise.
"Insurers are looking to technology to achieve that desirable state of SOX compliance and, as such, a growing number of insurers are looking to the benefits of being SOX compliant," says Shah. "Whereas in the past, SOX compliance was seen from a very siloed mentality where it only was a compliance effort, an increasing number of insurers are now looking at the business benefits of becoming compliant."
SOX COMPLIANCE SPENDING : 2003-2008
Sarbanes-Oxley (SOX) spending will again reach $6 billion in 2007, according to an AMR Research Inc. survey of 200 business and IT professionals on governance, risk management, and compliance. According to the research, the spending has stabilized at the $6 billion level since 2005. Also, Boston-based AMR Research reports that technology-related spending is down just over 5% to $1.84 billion-the first time AMR Research has seen a dip in tech spending related to SOX.
