CA Global Survey Finds Cost of Compliance Increased Over the Past Year for Nearly Half of Global Businesses

New Regulations and Changing Interpretations Drive Increase in Time and Money Required to Meet Compliance Demands

ISLANDIA, N.Y. – To conduct business in today’s global economy, organizations must comply with country-specific regulations and adapt when existing regulations change or are interpreted differently over time. According to an independent global survey sponsored by CA, nearly 45 percent of the companies surveyed reported an increase in the time and monetary resources required to ensure compliance with 13 regulations and industry standards found in countries around the world.

The CA-sponsored study surveyed nearly 575 IT directors or above from large and mid-sized enterprises representing companies headquartered in North America, Europe, Asia Pacific and Central and South America.

The study revealed that the shifting nature of regulations is a factor in the escalating costs:

* In North America 41 percent of organizations reported the introduction of new regulations as a reason for increasing compliance expenses. In Asia Pacific, where J-SOX was recently enacted, this number was significantly higher at 55 percent. Europe and Central/South America reported 40 percent and 29 percent, respectively.
* Changes to existing regulations also were reported to be a factor by 49 percent of North American and Central/South American organizations, by 39 percent of Asia Pacific businesses, and by 34 percent of European organizations.

The study also showed that most of the respondents relied on manual processes to achieve compliance, although manual processes and a lack of centralized control are “a recipe for spiraling costs” in an increasingly regulated environment:

* More than two-thirds of the companies surveyed reported that they maintained information about the status of their IT compliance controls in multiple spreadsheets and often within different organizational units.
* Over 75 percent of respondents expressed that the operation, testing, monitoring and reporting of IT controls were at best a combination of automated and manual processes.

“This survey verifies what we regularly hear from customers – that compliance remains a big challenge for them in both direct cost and impact to business processes, and the issue grows with every regulatory change or addition,” said Lina Liberti, vice president for CA Security Management. “Automation of compliance processes and centralization of controls is a key ingredient for how businesses can bring efficiency to their compliance processes.”

Of the 13 common standards and regulations* evaluated, the study showed that Sarbanes-Oxley Act of 2002 (SOX) had the biggest impact on cost, IT and the overall business. SOX was followed in cost by CLERP-9, an Australian corporate accountability regulation, and in impact on the IT organization by Basel II, a global standard that governs the capital adequacy of international banks. The regulations that followed SOX in having the biggest impact on the overall business were the Australian regulations: CLERP-9; AS4360, Australia’s guide for managing risk; and ACSI33, Australia’s regulation for processing, storing and communicating government information.

* 13 Regulations

1. Sarbanes-Oxley Act of 2002 (SOX) – U.S. regulation on the financial practice and corporate governance of business.
2. HIPAA – U.S. regulation that protects health information.
3. Basel II – Global standard that governs the capital adequacy of international banks.
4. Gramm-Leach-Bliley – U.S. regulation that protects personal financial information held by financial institutions.
5. J-SOX – Japanese standards with objectives similar to those of SOX.
6. PCI – Payment Card Industry Standard – A set of requirements designed to enhance payment account data security.
7. Bill 198 – Canadian legislation with objectives similar to those of SOX.
8. CLERP-9 – Australian corporate accountability regulation with objectives similar to those of SOX.
9. King Report – South Africa corporate governance initiative.
10. AS4360 and ACSI33 – Australia’s guides for managing risk and securely dealing with government information.
11. Policy 52-109 – Canadian certification of disclosure in interim and annual filings.
12. LSF (Loi de Securite Financiere) – French law with objectives similar to those of SOX.
13. L262/2005 – Italian regulations with objectives similar to those of SOX.



About CA

CA (NASDAQ: CA) is the world’s leading independent IT management software company. With CA’s Enterprise IT Management (EITM) vision and expertise, organizations can more effectively govern, manage and secure IT to optimize business performance and sustain competitive advantage. For more information, visit www.ca.com.

###

Copyright © 2008 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 11749. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.