In-Depth

Plugging into SarbOx

A raft of misdeeds has undermined the public's trust in the way corporations do business. Enron, HealthSouth, WorldCom and others have been caught in frauds of great proportion, leading to the adoption of new standards for accountability in business practices. Notable among these standards is the Sarbanes-Oxley (SarbOx) Act.

CEOs and CFOs now risk jail time if they sign off on "cooked" corporate books. Certainly, they count on accountants and auditors more than ever to keep the company on the straight and narrow - and to keep themselves out of the clink. But they also depend on CIOs and application development managers to create new system monitors that oversee key business processes and better automate the job of corporate governance.

In Enron's case, computers and software helped abet nefarious corporate schemes. Now, with the SarbOx amendment to the original Securities Exchange Act of 1934 setting the marching orders, computers will be employed to ensure that the same things do not happen again. Software of all shades and ilk touches each element of the enterprise business process, and software vendors of all types are now lining up to solve IT's new problem.

The problem bears some superficial resemblance to the Y2K data conversion problem of the late 1990s, if only for the diversity of solutions providers that are on the case. Like Y2K, SarbOx had a hard stop -- a deadline by which it had to be accomplished. But this feast has proved movable -- and rolling.

Different sections of SarbOx have different compliance deadlines. SarbOx Section 302 was the first and most public step. It required CEOs to sign off on the veracity of financial numbers.

Then came Section 404. If Section 302 asked "Do you certify your results?" Section 404 asked "Do you do what you say you do?" It requires annual assessment of internal financial controls. This means studying your key processes, creating control documentation, monitoring for consistent application of controls and, finally, attestation by management and auditors. In February, the SEC, charged with enforcing these rules, extended compliance dates from the first fiscal year after June 15, 2004, to Nov. 15, 2004, for public companies valued at more than $75 million to begin to comply with Section 404.

For firms in industries steeped in compliance requirements, these new requirements may not require untoward effort. Still, it is not as though anyone needed more work. In fact, creating a formal approach to financial controls that includes risk assessment and monitoring can challenge many firms. The mere act of uncovering processes is likely to turn up occasions to redo some of those processes. That can mean new apps.

In the wings after 404 -- which as of this writing has a still-indefinite due date -- is SarbOx Section 409. This section requires real-time reporting of events that could materially affect financial results. This job has plenty of potential for infusing the corporation with more technology, and it is beginning to get attention among corporate and IT planners who, in the main, are well along in 404 compliance projects.

Boston-based AMR Research estimated that companies would spend $5.5 billion on SarbOx projects this year. That is across the business, not just IT. Technology actually only represents about 20% of the expense by AMR's accounting, said John Hagerty, AMR's vice president, research. The Section 404 compliance projects have brought together broad teams, said Hagerty, led to date by finance people. In planning for long-term compliance, he noted, companies will seek consulting, expert guidance and training around security and audit control, document and records management, reporting and risk management. Also at issue is business process management, a long-simmering technology best practice that may gain momentum in the wake of SarbOx.

"It has only just begun," said Hagerty. "This is not just about operations, it's about managing risk," he advised.

Adrian Bowles, research director at the IT Compliance Institute (ITCI), said the work involved in Section 404 should not be underestimated. But, he added, it is "a fairly straightforward problem."

"Most people that have looked at it understand what's going on," Bowles said. On the other hand, "[Section] 409 is a much more interesting problem to solve." The question there, as usual, revolves around what "real-time reporting" is; to date, the SEC has only given limited guidance. So how quickly do you have to identify, analyze and begin to fix an unforeseen problem that can materially affect your earnings?

"The prevailing interpretation is that two days is close enough to 'real time.' But that doesn't give you a lot of time to fix problems," said Bowles. "Before, if you found a problem, you had until the next reporting period to fix or disclose it. Ideally, that meant you might have 90 days to fix things." [For more, see "Sarbanes-Oxley: A gift from the government?," ADT, Jan. 2004.]

What about those vendors ready to help you wend your way from process documentation through to real-time reporting? Well, they include makers of audit software, data reporting software and financial app software. Count among these Business Objects, MicroStrategy, Oracle, Page One, PeopleSoft, SAP and others.

Also include makers of software portfolio management tools, change management tools, version control and configuration management tools. Count among these vendors Computer Associates, Mercury Interactive, MKS, Niku, Planview, Visible Systems and others.

And do not forget that project management tools, diagramming tools, data life-cycle tools and document management systems may be the focal point for many compliance undertakings. Among vendors here count EMC, Microsoft and Veritas. Call-center software, business process management software and rules engines also come into play. Players here include Adventis, BMC Remedy, HandySoft, IBM, Ilog and others.

Each step of the way, forward-looking development and integration teams will need to judge the role IT governance plays within the larger picture of corporate governance. This means ensuring that IT does what it says it will do, and that the data is truthful.

The move to better business control systems has been enabled to some degree by the increasingly popular Internal Control-Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission in 1992. Adepts call it "COSO."

"COSO has been a method enabling the convergence of IT governance and corporate governance," noted Bowles.

Checklists of the gods
Enterprise software companies do seem to have some early advantage in this arena. Corporate governance has been around a long time, pointed out Seamus Moran, director, financial application development at Oracle Corp. It is at least as old as the human tendency to "feather the nest." Pointing to Enron's antics, he said what is new is the "tremendous amount of dollars" involved in connivance.

Thus, say Moran and others, software dev managers should expect more tasks along the lines of those created by SarbOx. "Sarbanes-Oxley is just the latest in a long line," said Moran. Auditor software has addressed these issues to some extent.

"There is a common thread between what the audit firms built and what we and other people are doing now," said Moran. "Audit people always had software to do their job. It was a differentiator." But in some ways this type of software resembles best-practices checklists.

"They reminded you to look at receivables, to look at various exposures. These checklists of exposures are now called risks," said Moran. For IT now, he said, these risks must be mitigated.

Moran indicated that Oracle's Internal Controls Manager (OICM) works with its eBusiness Suite and puts items into the context of business processes exposed to risks. At heart is the COSO framework for governance.

SarbOx checklists of exposures ask what a user did to ensure that the firm did not take on too much risk. In Oracle's scenario, as in many others, e-mail workflow is used to ensure that risks are formally addressed and that reports are fed to top management.

For Oracle competitor (and takeover target) PeopleSoft, the occasion to report on key processes is also an occasion to optimize the business for more profitable results. "We are looking at compliance from a pretty broad spectrum," said Chris Leone, PeopleSoft's vice president, product strategy. PeopleSoft's Section 404 product is known as the Internal Controls Enforcer, he said.

"It's not just about monitoring the process -- it's about enforcement of the process." The company also has a product for IT governance known as ESA for IT.

"We have looked at ongoing compliance issues. It is more than just tracking e-mail," said Leone, who noted that PeopleSoft, like others, bases some of its SarbOx-related practice on the COSO framework.

"We capture the information in an organized fashion so that auditors have a system of record they can go back to in order to certify that controls have been in place for an entire year," said Leone. Various BI tools can roll up the data for reporting.

"A lot of companies have come at this space," he said. "There have been content management and process management tools. There have been BI vendors. We have provided a comprehensive solution." As a result of SarbOx, he said, companies will have a much better idea about the state of their financial practices.

Validating change
As Section 404 work gives way to Section 409 work, and as the general SarbOx compliance process uncovers some financial black holes and blemishes, corporations will seek to fix some processes. Here, IT governance may assume a bigger role, and portfolio management software will come more into play.

"Most companies are still in the assessment stage, but we see things picking up to do remediation work," said Alex Lobba, vice president, product management for IT governance at Mercury Interactive. Mercury bet big on the value of software for IT governance last year when it purchased Kintana for about $225 million in stock and cash.

"People are adjusting their processes to provide compliance and to make changes that enforce the changes," said Lobba. "We can play a key part in identifying all the projects [that have compliance issues], and then track that they are on target and on schedule to validate that the new changes you made are addressing the Sarbanes-Oxley issues."

Added Lobba: "People in the financial world are used to this, but for other industries, it is new."

More initiatives for governance can be expected, though future moves are likely to be more narrow than wide-focus SarbOx. These initiatives continue to place a premium on certain types of data, and application development teams must become more aware of the life cycle of information, said Roy Sanford, vice president of markets and alliances, content addressed storage at EMC Corp. The industry needs to "add data management and content management layers to our understanding of how information has to be managed through the life cycle," said Sanford. "From EMC's perspective, the value of information changes through the data life cycle and the change is not always downward in terms of value." SarbOx litigation is one step here.

"We did a study of corporate governance and regulation compliance over the last year and a half and realized there are 20,000 international, national and state regulations that companies may or may not have to comply with," said Sanford. Policies, procedures and best practices are all up for grabs, and all these things have implications for storage infrastructures, he said.

"Your first goal is to keep your executives out of jail, and to prevent criminal and civil [misdeeds]," added ITCI's Bowles. "But at the end of the day, you also want to add some value."

The role of IT has become huge in corporations, and its operations success is often intrinsic to the overall success of the organization.

"IT is so central to business. It is key to do IT governance well in order to do corporate governance well. The accuracy and quality of information is key," Bowles said. What is needed now, he said, is to put the processes in place to track the kind of information you may hear asked of a Tyco executive or Adelphia executive on trial: "What did you know, and when did you know it?"

Please see the following related story: "IT governance smoothes the cruise" by Jack Vaughan.