The tab for regulatory compliance continues to climb - and along with it, demand for IT projects to bolster security, storage and reporting capabilities.
U.S. companies will spend $15.5 billion on compliance-related activities this year, according to research published last week by AMR Research. A large chunk of the spending is designated for public companies' projects related to the Sarbanes-Oxley (SOX) Act of 2002. SOX spending will grow 11% from $5.5 billion last year to $6.1 billion this year, AMR says. Other budget-consuming initiatives include compliance with the Health Insurance Portability and Accountability Act (HIPAA), Food and Drug Administration regulations, and the Basel II international banking accord.
In particular, SOX has put a spotlight on compliance initiatives since it affects a broader swath of companies than some of the industry- or geographic-specific regulations, says John Hagerty, vice president of research at AMR Research. Additionally, it's getting budget priority over other regulatory projects because its deadlines are imminent. "Those with the shortest deadlines move to the top of the queue," he says.
Passed in the wake of accounting scandals at companies such as Enron and WorldCom, SOX is designed to deter fraud and add transparency to public companies' financial reporting procedures. Among the more onerous of the legislation's requirements is Section 404, which calls for companies and their auditors to formally attest to the existence and adequacy of internal controls over financial reporting systems.
Establishing, testing and documenting such controls is a time-consuming effort that not only has financial departments scrambling but involves nearly every aspect of IT.
The toughest part of SOX compliance is the scrutiny it places on the IT department, says James Olson, CIO at Waterbury Hospital in Connecticut. SOX has increased the number and comprehensiveness of IT-related audits, he says. "It used to be that a 100-watt bulb would be turned toward IS once a year. Now we have a searchlight looking at us."
Prior to the legislation, auditors examined the hospital's patient accounting system. Today, audits extend to multiple applications, including accounting, payroll, materials management and decision support systems.