

Inefficient Compliance Activities Cost $$: Survey Says SOX Compliance Costs Were Down In 2006, But They Should Have Been Down More

On May 16, Financial Executives International (FEI) announced the results of their sixth Sarbanes-Oxley (SOX) compliance survey, based upon a poll of 200 companies subject to SOX. They'll charge you $99 for the report if you aren't an FEI member.

However, they give you some teasers on their site:

* Section 404 compliance cost companies less in the 3rd year of compliance than in each of the first two years.

This is expected. It always costs more to ramp up and implement a complete compliance program than it does to maintain it. A large portion of the companies that have to comply with SOX had practically nonexistent information security and compliance programs prior to the law.

* "Total average cost for Section 404 compliance was $2.9 million during fiscal year 2006, which represents a 23 percent decrease from 2005 totals."

* "The data also shows reductions in internal and external costs of compliance, with internal staff time decreasing by 10 percent."

* Audit fees are virtually unchanged.

Actually I'm surprised the drop wasn't more than 23%.

If an organization has established an efficient, centralized enterprise compliance responsibility area, costs should be significantly lower once the program has been established:

* The initial purchases of compliance technologies, which can be very large depending on the organization and the technology it chose, should give way to comparatively low ongoing maintenance costs.

* There may also have been additional staff hired, but hopefully organizations are utilizing such personnel for more than just SOX compliance; they should be able to address a wide range of information assurance responsibilities while also ensuring SOX compliance.

* The time spent in the first year on creating policies, and, more significantly in terms of time, procedures, should no longer be a big cost in subsequent years.

I have seen too many organizations addressing SOX, and other regulatory compliance, in a very decentralized way, though, creating redundancies of effort throughout the enterprise, and even purchasing different software and systems to address the same purposes. In fact, many have had different business units succumb to the wooing of slick sales folks feeding them FUD, ending up making "SOX Compliance Solutions" purchases when they really didn't need them.

FUD, for those of you not familiar with the term, is Fear, Uncertainty and Doubt.

Organizations need to do a reality check occasionally and see how efficient their enterprise compliance efforts are.

1) Are your compliance efforts centralized? Not only for SOX, but for all other regulatory and legal requirements you have. If you centrally manage compliance, you can address multiple regulatory and legal requirements in a unified manner, drastically reducing your redundancies. This is not to say others throughout the enterprise should not be involved with compliance; to the contrary, everyone throughout the enterprise must be involved in supporting compliance activities. However, there should be a centralized area overseeing, managing and driving the efforts.

2) Do you have policies and procedures in place that support centralized compliance? It is common, and expected, for each business unit to have its own procedures to support corporate policies. However, be sure those department-specific procedures do not create more work than is needed. Often when a business unit creates its procedures, it has its folks doing things that the centralized corporate area is already doing, or it could be modeling its procedures upon a more efficient set of procedures that already exists elsewhere in the company. If you are responsible for corporate compliance, check with your business unit contacts and review their procedures; you may be able to help them comply with corporate directives in a more efficient, and less expensive, way.

I'm not surprised the audit fees are unchanged. From what I've seen, the audit firms are still using the same audit plans now as they did three years ago. However, from some of the audit plans I've seen, I think they are going overboard in some areas.

I'm not going to shell out money to see the full FEI report, but if any of you have and see any startling revelations about SOX compliance please let us know! :)


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.