from DSSResources.com

New CIO poll reveals chief information officers want more stringent Sarbanes-Oxley guidelines

IDG's CIO Executive Council Members Eager to Work with New U.S. Securities & Exchange Commission Administration on Long Term Benefits

FRAMINGHAM, Mass., Aug. 3, 2005 -- On the same day former U.S. Representative Christopher Cox (R-CA) was sworn in as Chairman of the U.S. Securities and Exchange Commission (SEC), a new poll of chief information officers (CIOs) reveals that more than two-thirds (69%) of CIOs impacted by Sarbanes-Oxley (SOX) regulation want more specific guidelines about the SOX compliance process.

To date, CIOs estimate their organizations have spent just under 2% of gross revenue to comply with Sarbanes-Oxley and an average of $1,450,000 of their information technology (IT) budget during the past twelve months. The poll, conducted by IDG's CIO Executive Council, also shows the majority of CIOs believe SOX compliance costs will either increase (21%) or stay the same (49%) in Year 2. The SOX regulation, mandating public companies hire internal auditors to ensure financial reporting is accurate and ethical, is enforced by the SEC.

According to Marc West, CIO of H&R Block and chair of the Council's Sarbanes-Oxley Task Force, "Following the CIO's sizeable investment in Year 1 set-up costs, it remains unclear how much money and work will be needed to maintain compliance standards in Year 2 and beyond. In addition, external auditor firms often take different approaches, leaving CIOs wondering whether they're doing too much or too little to meet the requirements. Greater clarity on the specific SOX requirements would help to level the playing field, reduce angst and assure CIOs of the long-term business benefits of their investment."

CIOs on the Impact of Sarbanes-Oxley Act:

Poll results show CIOs currently lack confidence in the intended long-term benefits of Sarbanes-Oxley, with only 6% saying the Sarbanes-Oxley Act will be "extremely or very effective" in meeting its ultimate goal of preventing corporate financial scandals. Forty-nine percent (49%) say it will be "somewhat effective," with 44% saying it will be "not very or not at all effective."

At the organization level, CIOs remain divided on the benefits, with 37% rating the impact of Sarbanes-Oxley as fair (vs. 41% in October 2004), 35% as good (vs. 29% in October 2004) and 26% as poor (vs. 23% in October 2004).

On a personal level, one in four CIOs says the SOX compliance process has taken years off his/her life. Twenty percent (20%) estimate losing one to four years, and another 5% estimate losing five or more years.

CIOs on General Regulation Practices/Working with SEC:

Despite their current misgivings, the majority (61%) of CIOs are surprisingly optimistic that a "holy grail of compliance" is possible. In other words, they believe it is viable to create a single, minimum, yet sufficient set of IT standard operating procedures (SOPs), quality processes and audit practices to meet compliance standards for all, or nearly all, major regulatory controls. However, the disconnect lies with the fact that most CIOs (85%) believe the U.S. federal government's creators and writers of IT-related regulatory measures (i.e., HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley) do not adequately understand how regulation impacts companies.

Adds West, "As CIOs are on the frontlines of regulatory compliance practices such as Sarbanes-Oxley, we are in a position to better inform U.S. regulators like the SEC about what is and isn't working, as well as where benefits are being reaped and where tough challenges still exist.
CIO Executive Council members are investing a great deal of time, thought, training and resources to understand and achieve Sarbanes-Oxley compliance and are vested in its success. We are prepared to share experiences and lessons with other stakeholders to build greater understanding and awareness of this issue and see this through."

NOTE: Given the number of CIO Executive Council members impacted by Sarbanes-Oxley regulation, the Council (a professional organization of CIOs with 230 members worldwide) formed a SOX Task Force to help member CIOs effectively manage the ongoing process of achieving compliance. The Task Force's first major deliverable -- a 35-page how-to guide and resource to help CIOs better manage/streamline their SOX compliance process -- was distributed to members earlier this summer. Excerpts of the Council's Sarbanes-Oxley Playbook are available to select media and government entities. Contact Karen Fogerty at 508.935.4091 or fogerty@cxo.com for details.

Complete Poll Results:

1.) Is your organization subject to regulation by the Sarbanes-Oxley Act of 2002? (base: 292)
    55% Yes
    41% No
    4% Unsure

2.) To date, what percentage of gross revenue has your organization spent to comply with the Sarbanes-Oxley Act? (Select one only) (base: 160)
    1% None
    40% Under 1%
    29% 1% to under 2%
    13% 2% to under 5%
    3% 5% or higher
    15% Unsure
    Average: 1.6%

3.) How much has it cost the IT department to support compliance with Sarbanes-Oxley Act over the past 12 months? (Select one only) (base: 160)
    19% Less than $100,000 (US)
    36% $100,000 to $499,999 (US)
    14% $500,000 to $999,999 (US)
    8% $1,000,000 to $1,999,999 (US)
    6% $2,000,000 to $2,999,999 (US)
    6% $3,000,000 to $4,999,999 (US)
    1% $5,000,000 to $6,999,999 (US)
    1% $7,000,000 to $9,999,999 (US)
    0% $10,000,000 to $14,999,999 (US)
    0% $15,000,000 to $19,999,999 (US)
    0% $20,000,000 to $29,999,999 (US)
    1% $30,000,000 or more (US)
    9% Unsure
    Average: $1,450,000

4.) Do you expect the IT-related cost of complying with the Sarbanes-Oxley Act to increase, stay the same or decrease over this next year? (Select one only) (base: 160)
    21% Increase
    49% Stay the same
    26% Decrease
    5% Unsure

5.) How would you rate the impact of Sarbanes-Oxley compliance to your organization? (Select one only) (base: 160)
    35% Good: The enforced reporting structure is good for business processes and efficiency
    37% Fair: Sarbanes-Oxley brings limited value to business
    26% Poor: Sarbanes-Oxley compliance is costly and takes away from investment in other areas
    2% Unsure

6.) In your opinion, have the auditors your organization uses for Sarbanes-Oxley compliance been helpful to your organization's efforts in meeting the requirements? (base: 160)
    59% Yes
    27% No
    14% Unsure

7.) When it comes to Sarbanes-Oxley compliance guidelines, are you more comfortable with ambiguous guidelines (less $$ and more risk) or very specific (more $$, less risk) guidelines? (Select one only) (base: 160)
    69% The more specific the better -- I'd rather know for sure that I need to be spending all this time and money
    23% Ambiguous is better than expensive and time-consuming
    8% Unsure

8.) How effective do you predict the Sarbanes-Oxley Act will be in meeting its ultimate goal of preventing corporate financial scandals? (Select one only) (base: 160)
    1% Extremely effective
    5% Very effective
    49% Somewhat effective
    34% Not very effective
    10% Not at all effective
    1% Unsure

9.) A CIO recently mentioned that the Sarbanes-Oxley compliance process had taken years off his life. How many years do you estimate the Sarbanes-Oxley compliance process has taken off your life? (Select one only) (base: 160)
    66% None
    20% 1-4 years
    4% 5-10 years
    1% More than 10 years
    9% Unsure

10.) Do you believe it is possible to attain a "holy grail" of IT regulatory compliance procedures within your organization? That is, is there a single, minimum, yet sufficient set of IT standard operating procedures (SOPs), quality processes and audit practices that if fulfilled, would meet compliance standards for all, or nearly all, major regulatory controls? (Select one only) (base: 160)
    13% Done -- My organization already accomplished this
    61% Possible
    20% Impossible
    5% Unsure

11.) In general, do you feel the U.S. federal government's creators and writers of IT-related regulatory measures (i.e., HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley) adequately understand how regulation impacts companies? (base: 160)
    6% Yes
    85% No
    9% Don't know/unsure

Source: CIO Executive Council News Poll
Note: Due to rounding, percentages may not add up to 100 percent.

Poll Methodology:

The CIO Executive Council commissioned Research Results, a third-party research firm, to conduct the online survey between Thursday, June 23rd and Thursday, June 30th among CIOs who are members of the CIO Executive Council or who qualify for Council membership, as well as qualified subscribers to CIO magazine. All Council members must serve as the senior-most IT executive in their organization and have purchase authority for their organization's IT products and services, as well as strategic oversight of the IT function. An email invitation containing a link to the survey was sent to 4,645 CIOs, yielding 292 completed surveys for a 6.3% return rate. (NOTE: 160 of the respondents are impacted by the 2002 Sarbanes-Oxley Act. Margin of error is +/-7.75%).

About the CIO Executive Council

First launched in the United States in April 2004, the CIO Executive Council gives CIOs worldwide a united voice on technology and business matters impacting their companies and society as well as an opportunity to work together to make better business decisions and advance the profession of the CIO.
All members -- who must hold a CIO or equivalent title -- pay an annual membership fee of $17,500 USD (adjusted for CIOs of nonprofit organizations) and are granted access to a Council members-only web site (http://www.cioexecutivecouncil.com), which includes online discussions, case studies, reports and a secured database directory of Council members and their top lieutenants. In addition to downloading information, members can send secure personal messages to one another and register to attend Council conference calls, meetings and events. Members can also take part in driving the initiatives of various Task Forces focused on global and cross-industry issues (e.g., Vendor Relations and IT Staffing). For more details go to http://www.cioexecutivecouncil.com

About CXO Media & IDG:

The CIO Executive Council was founded by CXO Media Inc., which produces award-winning media properties and executive programs for corporate officers who use technology to thrive and prosper in this new era of business, including CIO, CMO, CSO magazines and websites, Darwinmag.com and the CSO Executive Council. CXO Media is a subsidiary of International Data Group (IDG), the world's leading technology media, research and event company. A privately-held company, IDG publishes more than 300 magazines and newspapers including Bio-IT World, CIO, CSO, Computerworld, GamePro, InfoWorld, Network World, and PC World. The company features the largest network of technology-specific websites with more than 400 around the world. IDG is also a leading producer of more than 170 computer-related events worldwide including LinuxWorld Conference & Expo(R), Macworld Conference & Expo(R), DEMO(R), and IDC Directions. IDC provides global market research and advice through offices in 50 countries. Company information is available at http://www.idg.com.

Website: http://www.cioexecutivecouncil.com/

Karen Fogerty
Office: 508.935.4091
Email: fogerty@cxo.com