In Search of Efficient Compliance
Software products can help automate Sarbanes-Oxley compliance to a degree, but resulting process improvements may be just as big a payoff
By Robert D. Kugel
For the past decade, countries around the world have been enacting legislation and rules to enhance the timeliness, truthfulness and transparency of publicly quoted companies’ reports to shareholders. In the United States, the Sarbanes-Oxley Act of 2002 (SOX) is the best known and is the focus of this article. Yet even before the act’s passage, the Securities and Exchange Commission (SEC) imposed “fair disclosure” rules and accelerated financial statement filing deadlines to promote transparency. The European Union adopted International Financial Reporting Standards (IFRS), aimed at harmonizing and expanding reporting requirements. The U.K. has enacted more stringent requirements for the operating and financial review to improve shareholders’ understanding of past performance and future prospects. Such regulations have been ratcheting up over the past five years, creating a significant administrative burden. Should companies use software to help them with compliance? Under what circumstances? Which kinds of software fit into the regulatory environment?
Looking at SOX
Our focus here is specifically on SOX because most U.S. SEC filers have just started investigating how to achieve sustainably efficient compliance. Most companies found they needed little if any software as they prepared for their initial Section 404 audit. However, as they move forward they must cut the cost of managing the process and reduce the risk of noncompliance. SOX calls for monitoring and testing the controls over financial processes, and for ensuring the integrity of the corporate IT infrastructure in which those processes run. The key requirements are:
Ensuring a sound compliance process is managed consistently and monitored.
Achieving real-time visibility into the status of the various compliance processes.
Documenting the monitoring and testing of financial controls.
Archiving and retrieving all documentation.
Creating an audit trail to ensure the integrity of the process itself.
Sustainable Compliance Is the Key
The roots of Sarbanes-Oxley Section 404 extend back about 20 years. The National Commission on Fraudulent Financial Reporting convened in 1985 to identify systemic factors causing fraudulent financial reporting so that reliable prevention measures could be implemented. The commission’s sponsoring organizations, known collectively as the Committee of Sponsoring Organizations (COSO), subsequently developed the COSO Framework, a high-level methodology for internal control. First published in 1992, it languished until the passage of SOX, when those charged with implementing Section 404 went looking for ways to define and gauge financial control and assess its efficacy.
The original COSO Framework equates good control with “mature” control systems, where maturity is measured in part by management’s ability to prevent (not just uncover) fraud through internal risk mitigation and control systems. It calls for anticipatory measures such as a formal risk assessment process, regular testing of controls, monitoring of those tests, and formal information and communication about test results. In mature environments, managers and internal auditors establish key risk indicators and monitor them continuously.
Much of the frustration with SOX Section 404 stemmed from the huge effort to formalize and document financial controls and to start keeping detailed records showing reliable controls were in place and were tested successfully on an ongoing basis. In the past, competent controllers and internal auditors performed these tasks informally, and in many respects, will continue to do so. Now that they have completed their initial Sarbanes-Oxley 404 audits, the challenge is how to change financial and internal control processes to overcome the drag on efficiency caused by a more rigorous oversight and audit environment. Several factors drive the inefficiencies:
SOX has forced companies to formalize a wide range of control processes that were handled informally before its passage and to document these compliance activities. In our experience, company procedures and their supporting information systems were not designed for efficient execution under the new rules.
Some financial controls companies put into place in preparation for their initial Section 404 audits were “Band-Aids.” They may have been adequate to address control system problems in the past, but they are inefficient for a SOX environment. Finance organizations must reduce the ongoing cost of compliance by restructuring their processes and IT support systems to promote compliance efficiency.
The traditional approach to controlling financial fraud stressed trying to catch fraud after the fact. While companies have some preventative control mechanisms in place (e.g., defined procedures, segregation of duties, invoice matching, reconciliations and budgets), internal and external auditors spend a great deal of time verifying that those procedures are sufficient. Section 404’s focus on formal risk management, controls and ongoing testing places greater emphasis on prevention. It is much like the idea of building quality into manufacturing processes, rather than focusing efforts on final inspection in order to build better products at a lower total cost.
Ventana Research believes SOX’s biggest payoff will be the result of business process improvements necessary to handle its requirements cost-effectively. To comply with SOX efficiently, companies have to change elements of their financial processes to eliminate unnecessary control risks and make it easier to monitor and test those that remain. In doing so they will have to eliminate two areas of financial process inefficiencies:
Manual or partially automated systems (particularly those that rely on stand-alone spreadsheets) introduce control issues. Automating these processes may not have seemed worthwhile in the past, but it is necessary today and probably will be in the future. Manual systems not only increase audit costs, they are also error-prone and therefore carry the expense of discovering and correcting the errors. Although the cost of each individual error may be small, we believe reducing them will significantly reduce the cost of Sarbanes-Oxley compliance.
Global 2000 corporations commonly discover they have dozens of different procedures for handling the same activity (accounts payable, for example). Consequently, they must standardize these processes and eliminate unnecessary ones. Manufacturing companies have found process commonality is a vital part of efficient execution, and we believe the same holds true for financial processes.
Most companies can cut their audit and control costs by improving financial processes. Companies will often support process changes through software and other information technologies.
Software and Compliance
Companies have been using software to manage legal compliance requirements for decades. Pharmaceutical firms, for example, have used document management coupled with work-flow software to handle the record-keeping tasks required by the Food and Drug Administration (FDA) and other government bodies.
Software can provide companies with many cost-effective options for dealing with regulatory requirements. This does not mean companies have to buy new software. Companies might use existing systems to support their compliance activities. They should invest in software that increases the speed and efficiency of those compliance activities, reduces the risk of running afoul of the law, or both. Another, complementary approach is to find ways of applying IT that not only promote compliance efforts but also increase the efficiency or effectiveness of related activities. For example, Ventana Research advises companies to get more from their Sarbanes-Oxley compliance efforts by eliminating manual steps and stand-alone spreadsheet use in their financial processes, increasing the level of automation. Investments needed to bring reporting up to par for external investors also should be used to increase the flow of useful information to managers. We believe most Global 2000 companies will find software is a worthwhile investment.
Ventana Research also cautions companies to avoid underinvesting by relying on seemingly cheap applications such as spreadsheets, word processing software and e-mail. In the long run, cheap software can be much more expensive in terms of employee hours spent and can expose the company to greater risk than may be apparent. A major investment banking firm recently lost a $1.4 billion lawsuit in part because it failed to keep adequate records of its e-mail backup tapes, a seemingly trivial task. Long-term storage and retrieval of information about compliance activities is crucial to demonstrating, when asked, that the required tasks were performed correctly and on time.
Dedicated Sarbanes-Oxley Software Types
We classify software for Sarbanes-Oxley compliance into three main categories:
Comprehensive compliance management solutions
Enterprise content management/work flow
Focused solutions
Besides this dedicated software, other categories play an important role in compliance. Companies looking to automate and integrate processes to reduce manual steps will probably find they can accomplish this using their ERP systems more effectively. Consolidation software is a much better approach than stand-alone spreadsheets for this critical (and vulnerable) component of the accounting cycle. Reporting systems are also crucial since visibility is a key to transparency. On the IT side, companies must ensure their systems are accurate and secure and that the IT department executes quality processes consistently well. Also critical is software that supports quality and effective governance (for testing, change management, project management and so on) as well as applications that promote security.
Comprehensive management solutions should do the following: 1) help the company define the five Rs of compliance management processes, 2) automate the execution of the process, 3) perform all tests to ensure that the system is working and 4) generate all necessary documentation.
The five Rs of compliance management are as follows:
Role: defining the function performed by each individual in a specific operation or process.
Responsibility: listing and assigning the full duties of the individual in a specific operation or process.
Routing: mapping the complete order of the steps executed in carrying out these duties in a compliance function, including any conditional branching and looping that occurs.
Reporting: listing the status of each process, the results of the process, and exceptions to the expected condition of either the process state or outcome.
Response: affirmatively confirming the achievement of the compliance function or launching the appropriate remedial processes to achieve compliance.
Traditionally, work-flow systems were about the first four of these. Since the Sarbanes-Oxley Act, as interpreted by auditors, requires companies to document that they have performed the necessary tasks, comprehensive solutions must have a way of automating this last part of the process. Documentation is more than just creating a record. Companies must be able to archive and retrieve these records for as long as necessary under the law. Moreover, they must have mechanisms to deal with exceptions when they occur and to keep track of how they are resolved. Lapses in the audit function led to the act’s passage, so having an audit trail and facilitating the work of auditors are two other requirements for this type of software. We caution that while comprehensive solutions have a great deal of content and process built in, all require thought and preparation to ensure successful implementation.
Enterprise Content Management (ECM)/Work Flow software offers a more generic approach to building a solution for the five Rs. Some system integrators offer Sarbanes-Oxley compliance management solutions built around leading ECM vendors’ products that offer varying degrees of out-of-the-box completeness. The ECM platforms are typically more robust than the comprehensive management software in terms of their capabilities for managing digital content, images and forms, capabilities that might be useful to some companies.
Companies that already use ECM software to support other business processes or compliance requirements may find this approach is best when they can take advantage of existing licensing and business relationships as well as in-house skills. Corporations considering ECM for the first time will find greater value if they also scope out other uses for this software as follow-on projects, particularly in all forms of regulatory compliance.
While companies in “paperwork” businesses such as insurance and other financial services, government entities and heavily regulated businesses such as pharmaceuticals have been using ECM successfully, it has been less widely adopted in other industries. That is unfortunate, since it has the potential to increase any organization’s administrative efficiency.
Most ECM offerings have work-flow capabilities, but companies may consider using work-flow software by itself as a part of their compliance efforts. Work flow both automates and monitors business processes so that management can define and then ensure consistent execution of best practices or actions needed for regulatory compliance. In so doing, it increases the speed and efficiency of the process and reduces the risk of noncompliance. As with ECM software, companies with existing investments are in the best position to use work-flow software to sustain compliance efforts.
As for focused solutions, some software is focused on executing critical elements of the Sarbanes-Oxley compliance effort. For example, certain vendors’ software helps companies manage segregation of duties (dividing responsibility for executing a process between different staff members in order to reduce the potential for fraud), a key preventative control. Others work with leading ERP packages to monitor that controls are functioning and configured properly, and that changes, when made, do not violate company policies. Still others monitor transactions as they are executed to detect policy violations and mistakes. This category of software can be very useful in uncovering hidden vulnerabilities and ensuring that changes to business processes or IT systems do not, either inadvertently or by design, leave the company open to fraud. Some of these functions may be handled by a comprehensive solution. In addition, some of the focused solutions have business benefits that go beyond simply conforming to Sarbanes-Oxley by improving process execution efficiency or reducing errors and the need to correct them.
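To make the three kinds of focused control concrete, here is an added illustration, not code from the article or from any vendor mentioned in it. It shows the logic such tools implement: a segregation-of-duties (SoD) rule set applied to a user-role matrix (the preventative control), the same rules applied to a proposed role change before it is granted (change monitoring), and a transaction-level check that catches a payment approved by the person who created the payee (detective monitoring). The role names, conflict rules, user assignments and payment records are constructed sample data; the function names are this example’s own.

```python
"""Segregation-of-duties checks over constructed ERP-style data.

Added example; rule set, users and transactions are invented for illustration.
"""

# Constructed rule set: pairs of roles one person must not hold together,
# each tagged with the fraud scenario the rule prevents.
SOD_RULES = {
    frozenset({"vendor_create", "payment_approve"}): "create a fake vendor and approve payments to it",
    frozenset({"journal_post", "journal_approve"}): "post and approve one's own journal entries",
    frozenset({"payroll_edit", "payroll_approve"}): "raise one's own pay and approve it",
    frozenset({"user_admin", "payment_approve"}): "grant oneself roles and approve payments",
}

# Constructed user-role matrix, as might be exported from an ERP system.
ASSIGNMENTS = {
    "alice": {"vendor_create", "invoice_enter"},
    "bob": {"payment_approve", "journal_approve"},
    "carol": {"vendor_create", "payment_approve"},              # violates a rule
    "dave": {"journal_post", "journal_approve", "user_admin"},  # violates a rule
}

# Constructed transaction data: which user created each vendor record,
# and who approved each payment.
VENDORS = {"V100": "alice", "V200": "carol"}
PAYMENTS = [
    {"id": "P1", "vendor": "V100", "amount": 1200.00, "approved_by": "bob"},
    {"id": "P2", "vendor": "V200", "amount": 9800.00, "approved_by": "carol"},  # self-approved
]


def find_conflicts(assignments, rules=SOD_RULES):
    """Preventative control, periodic review.

    Return {user: [(role_a, role_b, risk), ...]} for every rule whose pair of
    roles is a subset of what the user currently holds.
    """
    conflicts = {}
    for user, roles in assignments.items():
        hits = []
        for pair, risk in rules.items():
            if pair <= roles:  # both conflicting roles held by one person
                role_a, role_b = sorted(pair)
                hits.append((role_a, role_b, risk))
        if hits:
            conflicts[user] = sorted(hits)
    return conflicts


def check_change(assignments, user, new_role, rules=SOD_RULES):
    """Change monitoring: evaluate a proposed grant before it happens.

    Return the list of rule pairs that the grant would newly violate; an empty
    list means the change is safe to approve.
    """
    current = assignments.get(user, set())
    proposed = current | {new_role}
    return [tuple(sorted(pair)) for pair in rules
            if pair <= proposed and not pair <= current]


def detect_self_approved_payments(vendors, payments):
    """Detective control over executed transactions.

    Flag payment ids where the approver is the same user who created the
    vendor record being paid, even if the role matrix looked clean.
    """
    return [p["id"] for p in payments
            if vendors.get(p["vendor"]) == p["approved_by"]]


if __name__ == "__main__":
    for user, hits in find_conflicts(ASSIGNMENTS).items():
        for role_a, role_b, risk in hits:
            print(f"{user}: holds {role_a} and {role_b}; risk: {risk}")
    print("grant payment_approve to alice:", check_change(ASSIGNMENTS, "alice", "payment_approve"))
    print("self-approved payments:", detect_self_approved_payments(VENDORS, PAYMENTS))
```

The role-matrix check finds standing conflicts; the change check is what an ERP-integrated tool would run inside the provisioning work flow so a grant is blocked (or routed for an exception approval) rather than discovered at the next audit; the transaction check is the fallback for cases the role data alone cannot reveal, such as a role that was held only briefly. In practice the rule set is the part that needs the most care, since a rule the finance organization does not agree with will simply accumulate approved exceptions.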
Evaluating and Investing
Ventana Research advises companies to take a people-process-information-technology approach to buying software and not rush headlong into defining requirements based simply on features and functions. Beyond cutting the overhead and higher auditing costs associated with the law, maximizing the value of Sarbanes-Oxley software investments means having a clear picture of how the software also can drive and sustain business process improvements. While we recommend against overscoping, companies should look beyond the immediate requirements of Sarbanes-Oxley compliance to see how they can use the software to reduce administrative costs and generally improve process execution.
Kugel heads up the Financial Performance Management (FPM) practice of Ventana Research, focusing on the intersection of information technology and the finance organization. Prior to joining Ventana Research, Kugel was an equity research analyst at First Albany Corp., Drexel Burnham and Morgan Stanley, as well as a consultant with McKinsey and Company.
Jan2006, Software Magazine