In-Depth
Tools to Master the Sarbanes-Oxley Challenge
- By Alan R. Earls
- June 1, 2005
The demands of Sarbanes-Oxley compliance may prove to be the medicine enterprises
need to improve their processes and controls, but at the moment, most organizations
feel only pain as they have had to scramble to meet implementation requirements.
And that pain has been more than simply some unpleasant days at the office—it’s
had bottom-line impact as well.
Research firms say Sarbox is helping to push compliance costs through the end
of this year to a total of nearly $15.5 billion in the U.S. Significantly, IDC
estimates the market for financial compliance applications, including those
used for Sarbox, will grow to more than $2 billion in 2009, up from $1.1 billion
in 2005 and at a 17-percent compound annual growth rate.
Not surprisingly, with those kinds of numbers being thrown around, there’s
a kind of gold rush taking place in the applications market, with software sellers
releasing dozens and dozens of products that have been either reconfigured,
repositioned or freshly developed to serve the Sarbox constituency.
However, leading research firms such as Forrester, Gartner and AMR are warning
that for the long term, point solutions alone won’t work. What’s
needed, they say, are tools that provide an overarching means of visibility
and control, reducing or eliminating manual operations and cutting the costs
of compliance.
Sarbox bandwagon
Paul Hamerman at Forrester Research says although hundreds of vendors have climbed
on the Sarbox bandwagon, the key capability, which only a few provide, is the
ability to go beyond simply documenting internal controls to evaluating and
enforcing those controls to comply with Section 404, the portion of Sarbanes-Oxley
that requires management to provide an assessment of the reliability of internal
controls as they pertain to financial reporting.
The key features these applications should provide, he says, are a dashboard
to provide instant process visibility along with a compliance framework and
some capability for content management, collaborative work flow and risk analysis.
By focusing on specific areas such as security, identity management and e-mail
archiving, “other solutions complement what these key vendors provide,”
he says.
Right stuff
In a recent report Forrester’s list of products with the right stuff includes
Certus Governance Suite, HandySoft SOXA Accelerator, IBM Workplace for Business
Controls and Reporting, OpenPages SOX Express December, Oracle Internal Controls
Manager (ICM), Paisley Consulting Risk Navigator, PeopleSoft Internal Controls
Enforcer, SAP Management of Internal Controls and Stellent Sarbanes-Oxley Solution.
New York-based Loral Space & Communications, a satellite communications
company, for example, is using Oracle ICM to help it comply. When the Sarbox
challenge loomed, the company had to make some hard choices, says Barry Goldfeder,
senior director, business controls, systems and processes. “It was generally
a very immature software market—those that touted themselves as the best
had no track record because, like Y2K, it had never happened before.”
Loral chose its package based on what the Big 4 accounting firms were recommending,
Goldfeder says. “Since we already had Oracle financial applications we
felt it was a no-brainer.” In addition, Loral’s staff was already
familiar with the Oracle GUI; ICM looked to be cost effective and would allow
Loral to leverage its sunk costs, he adds.
Culture change
Goldfeder explains that applying ICM for Sarbox was largely a cultural change
because, as an ISO-certified firm, the company had previously learned to focus
on policies, procedures and processes, or “the three Ps,” for short.
The old pre-Sarbox compliance system involved initially creating many volumes
of binders, chock full of those “three Ps.” However, those binders
were difficult to update, particularly with hundreds of copies in the field.
“Sarbox compliance wasn’t new except for the control part,”
he says. But even that simple change involved considerable effort. “We
were empowering the process owners to take ownership,” instead of relying
on professional writers through a traditional manual approach, Goldfeder says.
“For the first time, people were writing their own control activities
to comply with Sarbox. Now, you have process owners doing it from day to day,
articulating it and living by it,” he says. ICM allows that cumbersome
process to be automated and modified to fit the COSO framework used for Sarbox.
All the information now resides in an online repository to which everyone has
access.
Goldfeder says the conversion from manual compliance methods to Sarbox automation
took six weeks, with everything up and running by the end of 2004. Now the company
is certifying the first quarter of 2005 using the same methods. (See related
story, “Advice from the front lines.”)
Even relying on a 24-carat name-brand provider like Oracle was not without
problems, Goldfeder says. Initially, the product was shipped in a fairly immature
state. “There were a couple of bumps at first, but Oracle rose to the
challenge,” Goldfeder says. “Oracle had a great development team—some
of our suggestions were implemented in days and they got us patches when needed
instead of making us wait for new product releases.”
Similarly, Cynthia Russo, VP and corporate controller at Micros Systems, a
technology provider for the hospitality industry, also faced Sarbox hurdles.
Russo says Micros selected OpenPages late in 2003 based on the recommendations
of an internal auditor after finding out first hand that a compliance tool from
PriceWaterhouseCoopers was simply too difficult to learn. “Because we
had 45 locations all around the world, we wanted a Web-based tool that was easy
to use and didn’t require much training,” she explains.
What auditors want
OpenPages was able to readily upload spreadsheet information that had been used
to begin the compliance process, she says, and employees in every geography
were able to master it quickly. However, because the compliance requirements
are still evolving, using OpenPages hasn’t been entirely painless, she
says. “When we bought it, we didn’t know exactly what the auditors
would want or need,” she explains. Now, however, they have found out what’s
really necessary, and in some cases they have had to ask OpenPages to provide
additional features that can supply more customized reports.
Still, OpenPages provides Micros its primary repository for Sarbox, including
a control matrix, testing plans and policies and procedures. “Now I can
go into OpenPages at any moment and find out what Australia is doing,”
she adds.
Although analysts may recommend some solutions as optimal, some companies have
found reason to use other Sarbox compliance products. For example, Brendan Austin,
manager of business analysis for the Oil & Gas Division at Occidental Petroleum,
also had to help his company deliver Sarbox compliance. “We initially
started with a largely manual process using Excel spreadsheets, but within a
month it had become a nightmare,” he recalls. Instead, he wanted something
with a central repository, security and transaction logs. His company chose
to adopt the TM1 analytics platform from BPM vendor Applix, which is promoted
as an alternative to “Excel hell.”
“We used it as a cube processing tool to track reconciliation risk and
balances on about 800 accounts,” Austin says. TM1 tracks information such
as who the information preparer is for each account, the name of the reviewer
and whether an approval has been registered.
Occidental implemented TM1 in September of 2004 for its third-quarter reconciliations
in about a day and a half. “And we have kept it up to date since,”
Austin says. The company’s Sarbox team uses it for audits and to drill
down into specific accounts. In addition to using it as an account watchdog,
Austin says, TM1 will probably be adapted for other control issues.
Contrarian
Echoing Occidental’s choices of technology, AMR analyst John Hagerty takes
a somewhat contrarian position when it comes to recommending specific applications
or types of applications. “At the end of the day, it may not matter which
application you select,” he says. What matters most is to simply “do
something.” (See related story, “What to look for in Sarbox tools.”)
“The way people have been doing Sarbox testing is by having a person
check the established processes annually, or in some cases even monthly or weekly,
and that can be a real time sink when it’s done manually,” Hagerty
says. That, of course, is driving the demand for tools to automate and manage
the compliance process, he adds.
“There’s a lot of documentation associated with controls, a lot
of review and a lot of approvals, all of which has been captured up until recently
on file servers, in Word documents and in Excel spreadsheets,” adds Gartner’s
French Caldwell. “Now, they want to automate and they want more visibility.”
Caldwell says the process can be compared to enterprise search functions, except
that with compliance tasks there is more structure assumed up front. The real
issue, he says, is being able to provide managers with a red-yellow-green status
report and the ability to dig into greater detail.
Although Caldwell concedes organizations could develop their own solutions
by adding to their document management capabilities, “People I have talked
to tell me it is too hard to create a home-grown solution,” he says. What’s
more, the vital dashboard capabilities available in leading-edge products would
still be missing. And, most of all, customers are looking for quick solutions.
However, speed is still only half the battle. Although Sarbanes-Oxley doesn’t
mandate specific control methodology, it does leave open the possibility that
auditors could identify controls as ineffective, which could contribute to identification
of “material weaknesses.” At the very least, such a finding could
negatively affect share prices. So, over the long haul, tools that contribute
to airtight compliance should flourish.
But Forrester’s Hamerman says so far, the leading tools still focus only
on achieving end-of-year compliance, documenting controls so that companies can
provide a report to the SEC. Hamerman says the evolution is toward continuous
monitoring and control. “New, complementary tools are coming on the market
from companies like Virsa Systems and Approva that provide for continuous monitoring
and control,” he says.
In a not so far off future, Hamerman says products with those emerging capabilities
“will look at every single transaction in light of Sarbox requirements.”
Sidebar: What to look for in Sarbox tools
Sidebar: Advice from the front lines
Case Study: Bandag, a tire company, treads softly to SOX compliance
Case Study: Mondavi refines TeamTrack for SOX compliance