
By Chris Lynch
For the majority of corporations, compliance with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX) has rapidly become an expensive and complex proposition. Surveys reported at the 2004 SEC Conference on Sarbanes-Oxley 404 showed that 404 compliance is taking two to three times the work originally estimated and consuming tens of thousands of hours.
The year 2004 also saw company executives opening their coffers in an effort to implement the internal controls necessary to achieve 404-compliance at virtually any cost. This “open checkbook” policy meant that while some funds were spent wisely, money was also wasted. Along the way, an army of consultants and advisory firms was hired (and sometimes fired just as quickly). In summary, there was a feeling of chaos as companies sought to comply with unfamiliar processes and controls.
In 2005, companies realize that along with compliance there is an urgent need to reduce costs and improve efficiency. Throwing money at the problem doesn't necessarily solve it: according to proxy advisory firm Glass Lewis & Co., companies are reporting "control deficiencies" at a record pace. The answer is that companies need to streamline visibility, control, and processes.
In most companies, SOX 404-compliance is treated as a separate project, independent of the rest of the organization. This “silo” mentality creates a wall between those responsible for reporting and controls and those who are involved in day-to-day processes. Instead, SOX compliance needs to be integrated back into the day-to-day operations of the enterprise. This means shifting responsibility for testing and documentation to process owners. In other words, you must decentralize to reduce costs.
But it's difficult for 404-compliance owners to transfer responsibility, because they lack visibility into the schedules, status, and issues of process owners spread throughout the enterprise. In addition, the change control process is manual, which makes it difficult to keep documentation, controls, and processes in sync. Finally, many control owners are reluctant to transfer responsibility for 404 compliance simply because they anticipate having to redo all of their year-one work.
Leveraging technology to streamline visibility, control, and processes is the best way to reduce the cost of SOX compliance over the long term. The most straightforward approach is to adopt a project and portfolio management (PPM) software system, preferably one that offers pre-built templates for 404-compliance and supports the internal control integrated framework established by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The software should serve as a central repository of all documents, with role-based access for stakeholders. Web-based access is essential to ensuring that various team members across the globe can easily get to the right version of a document.
PPM software also enforces change control on all documents, so that processes, risk matrices, tests, and evaluations stay synchronized. Scheduling of tests (which measure operational effectiveness) and evaluations (which measure design effectiveness) is centralized and visible to everyone. This ensures nothing "slips through the cracks" as responsibility is transferred to process owners.
It is equally important that stakeholders retain an appropriate level of visibility into all documents, test schedules, results, issues, and status. Again, visibility should be driven by a role-based access model.
Several users who have implemented PPM software systems have found that the potential total savings for a mid-sized company exceed $140,000 per year. The first saving is a 15 to 25 percent reduction in SOX-related external audit fees, or approximately $20,000 per year, because the information and reports that auditors need to review are more easily accessible than before. The second saving comes from eliminating consultants for documentation and reducing consulting hours for testing; this is worth at least 1.5 to 2.5 full-time-equivalent employees, or approximately $120,000 to $200,000 per year.
But the benefits don’t end with cost savings. There are intangible benefits as well. By streamlining, process owners have more time to focus on the business, resulting in increased efficiency and revenue. Private companies also have better prospects for acquisition (or any other liquidity event) once they are SOX compliant.
Chris Lynch is vice president of engineering at eProject, a provider of PPM software. Prior to eProject, he served as vice president of research and development at Media Logic, a project engineering consulting firm specializing in Microsoft development technologies and solutions. More information is available at www.eproject.com, or by calling 206.341.9117.