Tools to Master the Sarbanes-Oxley Challenge
- By Alan R. Earls
The demands of Sarbanes-Oxley compliance may prove to be the medicine enterprises
need to improve their processes and controls, but at the moment, most organizations
feel only pain as they have had to scramble to meet implementation requirements.
And that pain has been more than simply some unpleasant days at the office—it’s
had bottom-line impact as well.
Research firms say Sarbox is helping to push compliance costs through the end
of this year to a total of nearly $15.5 billion in the U.S. Significantly, IDC
estimates the market for financial compliance applications, including those
used for Sarbox, will grow to more than $2 billion in 2009, up from $1.1 billion
in 2005 and at a 17-percent compound annual growth rate.
Not surprising, with those kinds of numbers being thrown around, there’s
a kind of gold rush taking place in the applications market, with software sellers
releasing dozens and dozens of products that have been either reconfigured,
repositioned or freshly developed to serve the Sarbox constituency.
However, leading research firms such as Forrester, Gartner and AMR are warning
that for the long term, point solutions alone won’t work. What’s
needed, they say, are tools that provide an overarching means of visibility
and control, reducing or eliminating manual operations and cutting the costs
Paul Hamerman at Forrester Research says although hundreds of vendors have climbed
on the Sarbox bandwagon, the key capability, which only a few provide, is the
ability to go beyond simply documenting internal controls to evaluating and
enforcing those controls to comply with Section 404, the portion of Sarbanes-Oxley
that requires management to provide an assessment of the reliability of internal
controls as they pertain to financial reporting.
The key features these applications should provide, he says, are a dashboard
to provide instant process visibility along with a compliance framework and
some capability for content management, collaborative work flow and risk analysis.
By focusing on specific areas such as security identity management and e-mail
archiving, “other solutions complement what these key vendors provide,”
In a recent report Forrester’s list of products with the right stuff includes
Certus Governance Suite, HandySoft SOXA Accelerator, IBM Workplace for Business
Controls and Reporting, OpenPages SOX Express December, Oracle Internal Controls
Manager (ICM), Paisley Consulting Risk Navigator, PeopleSoft Internal Controls
Enforcer SAP Management of Internal Controls and Stellent Sarbanes-Oxley Solution.
New York-based Loral Space & Communications, a satellite communications
company, for example, is using Oracle ICM to help it comply. When the Sarbox
challenge loomed, the company had to make some hard choices, says Barry Goldfeder,
senior director, business controls, systems and processes. “It was generally
a very immature software market—those that touted themselves as the best
had no track record because, like Y2K, it had never happened before.”
Loral chose its package based on what the Big 4 accounting firms were recommending,
Goldfeder says. “Since we already had Oracle financial applications we
felt it was a no-brainer.” In addition, Loral’s staff was already
familiar with the Oracle GUI; ICM looked to be cost effective and would allow
Loral to leverage its sunken costs, he adds.
Goldfeder explains that applying ICM for Sarbox was largely a cultural change
because, as an ISO-certified firm, the company had previously learned to focus
on policies, procedures and processes, or “the three Ps,” for short.
The old pre-Sarbox compliance system involved initially creating many volumes
of binders, chock full of those “three Ps.” However, those binders
were difficult to update, particularly with hundreds of copies in the field.
“Sarbox compliance wasn’t new except for the control part,”
he says. But even that simple change involved considerable effort. “We
were empowering the process owners to take ownership,” instead of relying
on professional writers through a traditional manual approach, Goldfeder says.
“For the first time, people were writing their own control activities
to comply with Sarbox. Now, you have process owners doing it from day to day,
articulating it and living by it,” he says. ICM allows that cumbersome
process to be automated and modified to fit the COSO framework used for Sarbox.
All the information now resides in an online repository to which everyone has
Goldfeder says the conversion from manual compliance methods to Sarbox automation
took six weeks, with everything up and running by the end of 2004. Now the company
is certifying the first quarter of 2005 using the same methods. (See related
story, “Advice from the front lines
Even relying on a 24-carat name-brand provider like Oracle was not without
problems, Goldfeder says. Initially, the product was shipped in a fairly immature
state. “There were a couple of bumps at first, but Oracle rose to the
challenge,” Goldfeder says. “Oracle had a great development team—some
of our suggestions were implemented in days and they got us patches when needed
instead of making us wait for new product releases.”
Similarly, Cynthia Russo, VP and corporate controller at Micros Systems, a
technology provider for the hospitality industry, also faced Sarbox hurdles.
Russo says Micros selected OpenPages late in 2003 based on the recommendations
of an internal auditor after finding out first hand that a compliance tool from
PriceWaterhouseCoopers was simply too difficult to learn. “Because we
had 45 locations all around the world, we wanted a Web-based tool that was easy
to use and didn’t require much training,” she explains.
What auditors want
OpenPages was able to readily upload spreadsheet information that had been used
to begin the compliance process, she says, and employees in every geography
were able to master it quickly. However, because the compliance requirements
are still evolving, using OpenPages hasn’t been entirely painless, she
says. “When we bought it, we didn’t know exactly what the auditors
would want or need,” she explains. Now, however, they have found out what’s
really necessary, and in some cases they have had to ask OpenPages to provide
additional features that can supply more customized reports.
Still, OpenPages provides Micros its primary repository for Sarbox, including
a control matrix, testing plans and policies and procedures. “Now I can
go into OpenPages at any moment and find out what Australia is doing,”
Although analysts may recommend some solutions as optimal, some companies have
found reason to use other Sarbox compliance products. For example, Brendan Austin,
manager of business analysis for the Oil & Gas Division at Occidental Petroleum,
also had to help his company deliver Sarbox compliance. “We initially
started with a largely manual process using Excel spreadsheets, but within a
month it had become a nightmare,” he recalls. Instead, he wanted something
with a central repository, security and transaction logs. His company chose
to adopt the TM1 analytics platform from BPM vendor Applix which is promoted
as an alternative to “Excel hell.”
“We used it as a cube processing tool to track reconciliation risk and
balances on about 800 accounts,” Austin says. TM1 tracks information such
as whom the information preparer is for each account, the name of the reviewer
and whether an approval has been registered.
Occidental implemented TM1 in September of 2004 for its third-quarter reconciliations
in about a day and a half. “And we have kept it up to date since,”
Austin says. The company’s Sarbox team uses it for audits and to drill
down into specific accounts. In addition to using it as an account watchdog,
Austin says, TM1 will probably be adapted for other control issues.
Echoing Occidental’s choices of technology, AMR analyst John Hagerty takes
a somewhat contrarian position when it comes to recommending specific applications
or types of applications. “At the end of the day, it may not matter which
application you select,” he says. What matters most is to simply “do
something.” (See related story, “What to look for in Sarbox
“The way people have been doing Sarbox testing is by having a person
check the established processes annually, or in some cases even monthly or weekly,
and that can be a real time sink when it’s done manually,” Hagerty
says. That, of course, is driving the demand for tools to automate and manage
the compliance process, he adds.
“There’s a lot of documentation associated with controls, a lot
of review and a lot of approvals, all of which has been captured up until recently
on file servers, in Word documents and in Excel spreadsheets,” adds Gartner’s
French Caldwell. “Now, they want to automate and they want more visibility.”
Caldwell says the process can be compared to enterprise search functions, except
that with compliance tasks there is more structure assumed up front. The real
issue, he says, is being able to provide managers with a red-yellow-green status
report and the ability to dig into greater detail.
Although Caldwell concedes organizations could develop their own solutions
by adding to their document management capabilities, “People I have talked
to tell me it is too hard to create a home-grown solution,” he says. What’s
more, the vital dashboard capabilities available in leading-edge products would
still be missing. And, most of all, customers are looking for quick solutions.
However, speed is still only half the battle. Although Sarbanes-Oxley doesn’t
mandate specific control methodology, it does leave open the possibility that
auditors could identify controls as ineffective, which could contribute to identification
of “material weaknesses.” At the very least, such a finding could
negatively affect share prices. So, over the long haul, tools that contribute
to airtight compliance should flourish.
But Forrester’s Hamerman says so far, the leading tools still only focus
on achieving end-of-year compliance-documenting controls so that companies can
provide a report to the SEC. Hamerman says the evolution is toward continuous
monitoring and control. “New, complementary tools are coming on the market
from companies like Virsa Systems and Approva that provide for continuous monitoring
and control,” he says.
In a not so far off future, Hamerman says products with those emerging capabilities
“will look at every single transaction in light of Sarbox requirements.”
Sidebar: What to look for in Sarbox
Sidebar: Advice from the front lines
Case Study: Bandag, a tire company, treads
softly to SOX compliance
Case Study: Mondavi refines TeamTrack
for SOX compliance