Market dynamics: Sarbanes-Oxley-financial storm in an IT teacup?
The 2002 Sarbanes-Oxley (SOX) Act is being touted as landmark legislation for US corporate governance and accountability that will change the way in which organizations manage their businesses. In a nutshell, SOX introduces stringent new financial reporting rules and regulations aimed at deterring corporate fraud. AMR Research said in a report published early in May 2003 that SOX has the potential to be "bigger than Y2K" and that public companies will spend up to $2.5bn this year to comply with it. A large portion of that will inevitably be set aside for IT. Quite apart from user pull, vendors are also pushing SOX to the hilt. A raft of enterprise software vendors, ever quick to spot a new and lucrative business opportunity to shore up their flagging sales pipelines, are rolling out or developing applications and tools to help simplify SOX compliance. Software vendors are certainly taking SOX to the bank. But are they also taking customers to the cleaners? This report examines whether SOX, like its Y2K-compliance predecessor, is really a legitimate concern for IT user organizations, or whether it is simply the by-product of over-opportunistic vendor hype and rhetoric.
What is SOX?
The SOX Act of 2002 is a relatively fluid set of corporate disclosure and financial reporting rules for companies that are traded publicly in the US. The Act, which essentially reconciles two competing corporate reform bills (one sponsored by Democrat Paul Sarbanes in the Senate and the other by Republican Michael Oxley in the House of Representatives), was signed into law in July 2002 by President Bush in a move to restore confidence in the US financial markets in the wake of several highly publicized financial scandals that year. The SOX requirement for companies to establish best-practice procedures for meeting their reporting obligations is specifically intended to curb massive accounting irregularities such as those that led to the December 2001 bankruptcy of energy trader Enron and resulted in an obstruction of justice verdict against its auditor Arthur Andersen.
Among other things, SOX requires executives and auditors of publicly held companies to validate the accuracy and integrity of their financial management. The processes and documentation required for compliance are quite rigorous, and are regulated in part by the US Securities and Exchange Commission (SEC). Companies must document and certify the effectiveness of internal controls and procedures relating to financial reporting, and CEOs and CFOs must personally certify that their companies' statements are complete and accurate.
Internal Controls
Most of corporate America's focus on SOX, both in terms of general media buzz and IT vendor activity, has thus far been on two Sections of the Act that specifically relate to the requirement for management to report annually on the effectiveness of internal controls.
* Section 404 deals with the "certification of financial reporting processes and controls." This requires companies to identify risks to internal business processes that could affect financial results, and to document the controls in place to mitigate those risks. Outside auditors must evaluate those controls and report any problems. According to rules laid down by the SEC, most large US companies (the SEC's "accelerated filers", i.e. those with a public float of over $75m) will be required to show compliance with Section 404 for fiscal years ending on or after June 15, 2004 (which extends the original deadline by about eight months). Smaller businesses, and so-called "foreign private issuers", will have until fiscal years ending on or after April 15, 2005 to comply.
* Section 302 requires CEOs and CFOs to attest to the accuracy of generated reports on internal controls and financial reports. It also requires these officers to formally sign off that the internal controls are in place and to acknowledge responsibility that the internal systems meant to execute these controls are reliable and secure.
Section 404 appears to be the key leverage point from a software standpoint, while research seems to show that most companies are better prepared to meet the financial reporting requirements of Section 302.
The importance of internal controls is not a new phenomenon in financial IT circles--in fact it has been a major auditing emphasis for decades. What is new is where the emphasis lies. Whereas auditors in the past focused primarily on detecting errors and certifying accuracy, the Enron, WorldCom and similar debacles have put greater pressure on them to detect and discourage risk and fraud.
SOX has the potential to make an impact on businesses of all sizes. Market research estimates that nearly 15,000 public companies will need to achieve and sustain compliance with the law. Mid-sized and larger companies will spend from 5,000 to 15,000 hours to achieve compliance, and more time to sustain it quarter over quarter.
These public companies now face a tall order of management and technical challenges, not least:
* Identifying issues and improvement opportunities in auditing and internal control processes.
* Ensuring the integrity of records with audit trails, document management, version control, and security measures that ensure the protection of data and documentation.
* Establishing internal controls that conform to standards such as the COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework.
* Generating up-to-date, accurate reports on internal controls and financial statements that can be attested to with confidence.
* Simplifying processes and documentation required for compliance to speed the deployment and acceptance of change within the organization.
* Providing real-time reports and continuous monitoring that deliver insights into the status and performance of controls.
* Leveraging and/or enhancing existing financials, ERPs, and other legacy systems to minimize the cost of SOX compliance.
According to AMR, the world's largest 1,000 public companies have earmarked more than $2.5bn in IT investment this year on investigation and initial compliance with these SOX-related issues. AMR's survey shows that over 85% of companies will change their IT and application infrastructure as part of SOX compliance efforts.
Financial Systems Overhaul
SOX has significant implications for the integrity and reliability of enterprise financial reporting systems. With reporting time frames shrinking and system integration and integrity being audited more closely, corporate financial systems are now under increased scrutiny. Enterprises are being forced to take a long look at the financial systems infrastructure they have in place to assess potential weaknesses in accounting and reporting systems and processes that could lead to inaccurate results, or worse, risk exposure to fraud. At the same time, financial system vendors see new business opportunities and are scrambling to get a piece of the action by re-casting software offerings in an opportunistic SOX light.
Without mentioning the systems specifically, SOX obliges companies to produce the results that financial management systems are primarily used for: accurate and timely financial reports. This task cannot be performed without transactional and reporting systems in place that reliably generate the financial information, and it is often not feasible to do this manually.
Modern accounting systems from leading software vendors are generally well equipped to handle the financial reporting requirements of companies in the US and abroad. Theoretically at least, these systems have some degree of built-in "control". As such they should not require major replacement or modification as a result of the new SOX requirements.
Companies with disparate and legacy accounting systems are at greater risk of failing to meet the new and evolving SOX requirements. A major sticking point for providing accurate and timely reporting is a fragmented accounting system characterized by multiple general ledgers and numerous transactional system interfaces. A fragmented financial systems environment requires more interfaces and reconciliation procedures, which extend the time required to "close the books". Such an environment also increases the risk of material errors in consolidating financial results, as data is often dumped into spreadsheets and re-keyed into other systems for reporting purposes, with no audit trail of who changed what along the way.
Ideally, an integrated ERP system with fewer interfaces and subsidiary general ledgers would be easier to control. Companies with disparate accounting systems, and those with older, unsupported accounting software, should seriously consider moving to an integrated environment that is more easily upgradeable. At a minimum, they should be investing in more effective financial consolidation and reporting tools, and consider a strategy to merge disparate accounting systems into a centralized, single financial management system. Tighter integration of financial applications can benefit companies by improving the timeliness of periodic accounting closing and reporting cycles. Additionally, a homogeneous financial and accounting system environment can be more easily upgraded in the event that reporting compliance changes are imposed. Therefore, the viability of incumbent financial software vendors should also be judged on their ability to deliver maintenance updates as external reporting requirements and standards evolve.
While SOX legislation undoubtedly requires financial management applications to step up to the increased accountability and regulations, it is important to remember that SOX does not explicitly spell out the precise requirements for an ideal financial system. Nor does SOX mandate wholesale changes to underlying systems despite what some IT vendors might say. Rather, it is the focus on process and controls that is new.
Beyond the Number Crunching
Even though much of the focus on corporate governance controls has been on financial practices, SOX is more than just having an efficient financial reporting system in place to more effectively consolidate data and produce financial reports. Upgrading the existing financial application infrastructure to provide greater efficiency, consistency and performance can help, but only up to a point. These applications alone, however, will not create a sound internal control environment or eliminate fraud.
The real challenge of SOX is to identify processes, documents, controls, and risks associated with financial reporting. Leading commercial accounting software packages are certainly capable of handling the financial accounting chores of most enterprises, but only if supported by appropriate staff and sound accounting policies and control procedures that feed these systems. For example, the process of closing the books and consolidating financial information must be carefully documented, and care must be taken during each accounting cycle to ensure that everything worked as planned.
Control processes around financial reporting systems are varied, and must be built around the following:
* Automating the gathering and centralization of documentation and evidence needed for compliance.
* Providing each member of the "extended" accounting team with a personalized view of the compliance process and his or her assigned tasks.
* Allowing for secure collaboration between internal finance groups and external accounting agencies on documentation and processes.
* Utilizing workflows for automating issue management and document sign-off.
* Focusing on a risk-management strategy that includes preventing loss of data and provides audit trails to analyze anomalies and deter fraud.
With a focus on financial governance, a governance agenda is implicitly set for information security. In fact, systems hackers have openly discussed the perils of so-called "data poisoning" of financial statements at industry events such as Black Hat and Def Con. With the increased reliance of financial systems on IT, it is near-impossible for company officers to realistically sign off on the accuracy of financial statements without proper security control functions in place. Companies therefore need to wrap their financial systems in security controls that provide the authentication, authorization, administration and audit functions which protect the confidentiality and integrity of financial information. A robust architecture will establish the security requirements, internal controls, maintenance and monitoring of the systems. SOX's emphasis on the maintenance of controls around financials further underlines that security is not a point-in-time goal, but a continuous assessment effort to provide adequate protection and accuracy of financials.
Implications for IT Vendors
Enterprise software vendors across the board are finding numerous opportunities to position their products in a SOX light. There are two main reasons for this.
First, because of the sheer depth and breadth of SOX compliance activities, compliance does not only involve putting the necessary financial systems in place. It also involves a careful orchestration of technology partners and solutions from ERP, BPM, and other e-business application areas.
Second, the quick time frame for SOX compliance has companies scrambling to define, document, and improve internal processes and controls along with the underlying technologies to support them. As yet there is no single product on the market that can claim to address all SOX requirements. Much of the early response from IT vendors has focused on the management and reporting of structured financial information, with financial business application vendors or financially oriented BI vendors leading the way. As a result, many software solutions have emerged to support the internal control reporting requirements specifically pertaining to SOX Sections 404 and 302.
For companies where it might not be feasible to move to a single accounting system architecture, BI tools and financial consolidation packages provide reasonable alternatives to effectively manage financial information from disparate systems. For example, analysis and reporting tools that allow rapid dissemination of financial results internally (via the corporate intranet or "standard" viewers such as Microsoft Excel), as well as the analysis of key performance indicators. In addition, IT can assist in making financial information more accessible and transparent to internal and external users by delivering results through Web-based reporting tools and portals.
Content management software providers are also getting in on the act. Recognizing that SOX also has implications for the management of related financial information that is typically held in unstructured formats, CM vendors are putting a content twist on the compliance issue, and vendors are now developing tools and/or beefing up their respective records management solutions to help companies manage the storage and retention of records for SOX compliance.
Finally, knowledge management, business process management, workflow, portal and collaboration vendors also see a role for their respective technologies in the effective project management of the financial auditing and reporting process.
Specialist SOX compliance vendors such as Nth Orbit are also starting to emerge in the market.
The vendor landscape for SOX compliance is evolving very rapidly, as the compliance requirements are becoming better defined by the SEC and better understood by companies subject to the regulations. Enterprise software vendors have seized the opportunity to launch new corporate SOX accountability and compliance marketing campaigns. Many see a new a business opportunity to boost their flagging software sales, by offering infrastructure, applications and even complete solutions that all promise to alleviate the pain of meeting SOX compliance.
A raft of vendors are now jostling for a competitive position with "new" SOX products, making for a noisy and confusing market. While SOX may in fact be spawning a new breed of compliance software, it is unlikely that this will ever be encapsulated in a single product offering. Many of the so-called SOX solutions on the market today are simply customized versions of vendors' existing products that attempt to embed best-practice SOX principles into their applications' logic.
Given the sheer diversity of technologies and applications, a clear leader has yet to emerge on the software front. Moreover, it will take time for SOX to make a significant impact on sales. Since many of the early SOX plays are really consulting plays, the short-term beneficiaries, revenue-wise, are the established global professional services and business consulting firms, as they help companies put compliance reporting systems and procedures in place.
A cross-section of some of the current SOX compliance solutions available on the market are briefly reviewed below.
The database and business applications giant Oracle is poised to ship its Oracle Internal Controls Manager product later this summer. Oracle's main development partner in its SOX effort is auditing firm PricewaterhouseCoopers.
The new software, which is a component application contained within Oracle's E-Business Suite 11i, specifically targets Section 404 of SOX and is designed to help companies document and test internal controls and monitor ongoing compliance. It does this by establishing financial controls and alerting users when such controls are circumvented. For example, Internal Controls Manager can be used to create a "library" of risks that can then be linked to each business process in an organization, and used as the basis for risk assurance activities.
The software links to other Oracle applications including Oracle Workflow, a process-modeling tool that forms part of the Oracle E-Business Suite. The combination of the workflow tool and Internal Controls Manager enables companies to design their business processes and store them in a centralized repository, while also monitoring the business processes to ensure they are performed in the manner in which they were designed. Alerts are automatically sent to the appropriate person when deviations are detected.
Internal Controls Manager will be sold separately from Oracle's E-Business Suite. Customers can also have the application hosted by Oracle.
IBM is developing what it calls a "SOX compliance toolset" that ties together its Lotus Notes messaging and Tivoli storage technologies with records and content-management systems. The new solution will effectively build e-record management capabilities into IBM's core content management and Lotus-branded products.
The combined solution will also provide capabilities for the capture and storage of unstructured data, such as documents, email and instant messaging threads. IBM is also working on an administration component for monitoring, reviewing, and auditing content. IBM has not announced a formal release date for its as yet unnamed SOX solution.
Documentum has rolled out its Corporate Governance and Compliance Solution, which the company developed in partnership with BearingPoint (formerly KPMG Consulting). The solution is best described as a document management product leveraging Documentum's enterprise content management and eRoom collaboration technology.
It uses existing records management, CM, collaboration technologies, pre-configured templates, and process controls. The core of the system is built around a set of enterprise-wide controls and a centralized records repository that supports automated "best-practice" SEC reporting (10K and 10Q) workflows for compiling, reviewing, formatting, publishing and archiving financial records and related document types in a secure repository.
Automated exception handling is also built in to identify deviations from standard policies or practices. eRoom templates are designed to facilitate collaboration-related compliance activities, such as support for "digital workplaces" to facilitate discussion and collective management of content across departments, as well as executive dashboards that provide a consolidated view of projects.
DecisionPoint, a relatively small BI vendor, has announced a new product aimed at SOX compliance called DecisionPoint Compliance Dashboard. DecisionPoint's solution leverages its core strength in applying its data warehousing technology to extract and analyze data resident in ERP systems, including financial data.
Using analytics similar to those of business performance management applications, the product can detect anomalies in the financial data based on thresholds and business rules, and raise alerts. It uses analytic tools and applications to help understand and validate the accuracy of financial data by comparing reported results with preceding periods, budgets, forecasts and defined metrics. The anomalies are red-flagged in the dashboard-style user interface, and the investigations that explain them can be captured in the application. The data warehouse is robust enough to hold transaction details, allowing users to drill down into the data from the application.
DecisionPoint's new Compliance Dashboard appears well suited to meeting many of section 404's requirements, although the product has yet to be proven in live customer installations.
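As an added illustration of the kind of threshold and business-rule check described above (example code written for this review, not DecisionPoint's product; every account name, figure and threshold is a constructed assumption), the following runs three rules over a period's line items: a swing against the prior period, a swing against budget, and one "defined metric", receivables growing faster than revenue, which is a well-known indicator that booked sales may not be collectable.

```python
"""Threshold and business-rule variance checks over period financial line items.

Added example, not vendor code.  Every account name, figure and threshold
below is a constructed assumption used to exercise the rules.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class LineItem:
    """One reported line item with the comparison bases an analyst would use."""
    account: str
    current: float   # amount reported for the period under review
    prior: float     # same line item in the preceding period
    budget: float    # budgeted/forecast amount for the period


@dataclass(frozen=True)
class Alert:
    account: str
    rule: str
    detail: str


# Constructed sample data (not real company figures).  Receivables and
# consulting fees are deliberately out of line with the prior period.
SAMPLE: List[LineItem] = [
    LineItem("Revenue", 1_250_000, 1_000_000, 1_050_000),
    LineItem("Cost of sales", 600_000, 580_000, 610_000),
    LineItem("Accounts receivable", 900_000, 400_000, 420_000),
    LineItem("Consulting fees", 150_000, 20_000, 25_000),
    LineItem("Rent", 50_000, 50_000, 50_000),
]


def pct_change(new: float, old: float) -> float:
    """Relative change from old to new; a move away from zero is treated as unbounded."""
    if old == 0:
        return float("inf") if new != 0 else 0.0
    return (new - old) / abs(old)


def threshold_rules(items: List[LineItem],
                    prior_limit: float = 0.20,
                    budget_limit: float = 0.15) -> List[Alert]:
    """Flag any line item whose swing versus prior period or budget exceeds its limit."""
    alerts: List[Alert] = []
    for it in items:
        vs_prior = pct_change(it.current, it.prior)
        if abs(vs_prior) > prior_limit:
            alerts.append(Alert(it.account, "period-over-period",
                                f"{vs_prior:+.1%} vs prior period (limit {prior_limit:.0%})"))
        vs_budget = pct_change(it.current, it.budget)
        if abs(vs_budget) > budget_limit:
            alerts.append(Alert(it.account, "vs-budget",
                                f"{vs_budget:+.1%} vs budget (limit {budget_limit:.0%})"))
    return alerts


def receivables_rule(items: List[LineItem], limit: float = 0.25) -> List[Alert]:
    """Defined-metric rule: receivables growing much faster than revenue deserves an
    explanation, because sales booked but never collected inflate both lines together.
    Skipped when either account is absent or revenue is zero."""
    by_name = {it.account: it for it in items}
    ar: Optional[LineItem] = by_name.get("Accounts receivable")
    rev: Optional[LineItem] = by_name.get("Revenue")
    if ar is None or rev is None or 0 in (rev.current, rev.prior):
        return []
    ratio_now = ar.current / rev.current
    ratio_prior = ar.prior / rev.prior
    move = pct_change(ratio_now, ratio_prior)
    if abs(move) > limit:
        return [Alert("Accounts receivable/Revenue", "defined-metric",
                      f"ratio {ratio_prior:.2f} -> {ratio_now:.2f} ({move:+.1%}, limit {limit:.0%})")]
    return []


def evaluate(items: List[LineItem]) -> List[Alert]:
    """Run every rule; the result is what a dashboard would red-flag for investigation."""
    return threshold_rules(items) + receivables_rule(items)


if __name__ == "__main__":
    for a in evaluate(SAMPLE):
        print(f"[{a.rule}] {a.account}: {a.detail}")
```

Rent, which is flat against both bases, produces nothing; the inflated receivables line is caught twice by the simple thresholds and a third time by the ratio rule, which is the alert that actually points an investigator at the underlying question of whether the revenue is real. The rules return alerts rather than printing them so that the investigation notes the article mentions can be attached to each alert record.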
Plumtree Software & HandySoft
Corporate portal software vendor Plumtree Software has teamed with HandySoft, a business process management vendor, to roll out a portal/business process management offering designed to help companies build the necessary internal controls and reporting procedures for collecting and reporting financial data.
Dubbed SOX Accelerator, the solution combines Plumtree's portal, collaboration, search, and personalization technologies with HandySoft's application workflow logic and process automation capabilities. The solution marks the culmination of co-development efforts that began in January 2003. For HandySoft the SOX proposition is relatively straightforward: project management of the audit process. HandySoft touts its BizFlow process management platform's ability to incorporate human users into system-to-system process flows and provide the project and task management for defining processes, risks and internal controls that conform to standards such as the COSO framework. These capabilities fit nicely in the SOX world, which benefits greatly from customized, collaborative views into the complex audit process.
Meanwhile, Plumtree is weighing in with its portal prowess--specifically the Plumtree Portal's ability to provide customized views into the complex audit process and support collaboration. Plumtree believes that the portal will be the locus for not only visibility but also collaboration across multiple departments that will be part of the audit process.
HandySoft is one of the first pure-play BPM vendors to view the portal as a "natural interface" to kick off business processes. Plumtree and HandySoft have worked together in the past, closing HandySoft prospects who wanted BPM within the context of an enterprise portal. This experience on the ground convinced both companies to "productize" the partnership. The Sarbanes-Oxley Accelerator is expected next month.
Content management (CM) software provider FileNet has entered into a partnership with Steelpoint Technologies, a risk management provider, to produce an integrated SOX compliance and risk-management solution. FileNet recognizes the broader need for companies to make sure their entire CM strategies work more effectively than before. The partnership is defining a new category of software that FileNet is calling "compliance and litigation risk management."
The jointly developed solution is built on FileNet's P8 content integration platform and integrates Steelpoint's Introspect eCM litigation support software application to provide tighter control of content management processes. At the core is Steelpoint's eDiscovery technology, which allows users to identify relevant and responsive content (collect, categorize and store information from a variety of sources) and provides tools to collaborate on issues of risk and drive corrective mitigation processes.
PeopleSoft is selling two products to promote Sarbanes-Oxley compliance: Global Consolidation software, which helps companies collect and report data from around the world; and Investor Portal, which helps companies make key financial information available to shareholders. PeopleSoft has also teamed up with consulting and auditing firms Protiviti and Ernst & Young to offer complete cradle-to-grave SOX compliance solutions.
BI supplier Hyperion Solutions has a long-standing (dating back to 1982) heritage in regulatory compliance and mandatory hyperinflationary accounting methods. Corporate accountability and SOX compliance dominated proceedings at Hyperion's recent user conference. Hyperion is now aggressively casting several of its packaged financial analytic applications as SOX-compliant. These include: Hyperion Financial Management, Hyperion Performance Scorecarding (as an executive "dashboard" of closely monitored KPIs), and Hyperion Planning, Budgeting, Forecasting and Business Modeling. The company's ability to offer integrated solutions spanning financial, operational and analytic systems should keep the company at the forefront of the SOX Sections 404 and 302 niche.
Nth Orbit is a Silicon Valley start-up founded by the former CEO of e-procurement vendor RightWorks, which was subsequently acquired by i2. The company was founded with a single focus: compliance. Its Orbit Certus software suite, which was announced just as the SEC released its final rules pertaining to Section 404, is best described as an internal controls and assurance solution. Certus has evolved into a comprehensive Internal Control & Assurance (ICA) solution also covering Sections 302, 407 and 906. It comprises several modules: control framework (a customizable COSO library of documented risks and controls), control handbook (to formalize and publish policies and procedures), certification programs (for coordinating and capturing sub-certifications and close checklists), self-monitoring controls (activated procedures with workflow), compliance monitoring (via Workbenches to provide visibility, incident tracking, and project management), and routine assessments (for periodic auditing of controls).
OpenPages is a relatively new software company that specializes in knowledge process automation. Its OpenPages Sarbanes-Oxley Express is an internal controls management application that provides corporate governance and brand management solutions to facilitate what the company calls Enterprise Business Control. The modular solution comprises several key elements: management dashboards, project management, controls documentation, issues management, collaborative task management, and a COSO-based process and controls repository.
Methodware is widely acknowledged as an established leader in distributed risk management and internal audit software. Its Enterprise Risk Assessor (ERA) is not a new application, but its functionality clearly addresses several aspects of SOX. The software provides tools that assist management to identify the top risks in the organization and determine the adequacy of internal controls. The tools are built around a comprehensive risk framework that is COSO compatible, and share a central repository to ensure consistent consolidation, tracking and monitoring of risk and audit information over time. An innovative feature of ERA is its use of key mapping and graphical displays called Heatmaps to present comparative risk data and risk matrices. Methodware also provides pre-built risk management data models for project management incorporating the PRINCE2 methodology, procurement, and corporate governance.
Financial transparency and visibility are this year's rallying cry for both corporate America and enterprise software vendors. While SOX attempts to bring clarity to corporate financial reporting, much still remains unclear about the potential impact of this new law. Research shows that even companies whose financial systems appear to comply with the act are uncertain as to exactly what some provisions mean, and when they must comply with the requirements. Some of this uncertainty stems from the SEC, which is still fleshing out the details of the law through a series of proposed rules. In addition, some regulatory responsibility has been outsourced to external bodies like the NYSE that have been dragging their heels.
For enterprise software vendors, SOX clearly drives opportunities for further IT investment, as witnessed by the incorporation of SOX into financial management systems marketing. These vendors are counting on the combined weight of SOX and other new regulations to result in major systems changes at some companies. True, SOX does implicitly state a requirement for reliable financial systems, but sound financial management systems have always been a cornerstone of accurate financial reporting, and this requirement existed well before SOX came into the corporate limelight. With the SOX compliance deadline one year away, many software vendors are in fact exploiting a "scare tactic" of penalties to promote their products. While SOX may be spawning a new breed of compliance software, few vendors have yet come up with new functionality specifically in response to the legislation. Therefore, the question remains whether the current crop of SOX compliance software will provide new value beyond core transactional and reporting capabilities; and if it does, whether companies will be ready to stretch their thin IT budgets for a process they feel they should have in place anyway.
Ultimately, the decision to invest in SOX-compliance software should be based on the company's perceived level of risk and the extent to which the internal control environment has previously been documented. Many companies with fragmented, disparate, and aging financial systems will be challenged. Here, opportunistic vendor posturing does have some validity, but organizations that have already standardized on leading financial management software and adhere to sound best-practice accounting and reporting principles shouldn't need to worry. Nevertheless, they should consider implementing internal control assessment software to gain proficiency in the compliance processes.
When implementing new SOX compliance software, companies should be aware of the risks of being early adopters of newer offerings such as OpenPages and Nth Orbit, risks that ironically these solutions are intended to avoid. Companies should consider mature risk-management solutions such as Methodware to avoid the additional risk of attempting to comply using newly released software. That said, the fact that the compliance deadline begins with fiscal years ending June 2004 mitigates much of the risk of early adoption, since there is time to evaluate before relying on a product for an attestation.
Above all, customers should guard against excessive vendor rhetoric and hype that overstates the capabilities of software products to ensure compliance. As more vendors press hard to fit their products into the SOX frame, the more blurred the overall picture becomes and the more diluted the message becomes. Technology alone cannot ensure a sound internal control environment, nor can it fix ethical problems of fraud. This is dependent on a number of factors, not least skilled accounting personnel, a good system of internal control processes, the proper application of policies and procedures, and an honest commitment to report the "truth".
Publication: MarketWatch: Business Intelligence
Date: Jun 19, 2003