Is software the solution for Sarbanes-Oxley?
With many choices of programs and numerous "bells and whistles," in the big picture the software does the main job of centralizing, systematizing, organizing, check-listing, tracking and keeping current with what needs to be done, by whom and on what date. Systems also have a myriad of elements and features to prevent or limit process failures. Bottom line, many are saying that in the long run, even the high up-front costs will eventually pay off for companies as they see the improvement to process related to governance and compliance, and, importantly, to minimizing risk.
"At the heart of Sarbanes-Oxley compliance is solid business processes and control, and efficiency around measuring that," says Steven Miranda, vice president of development of Oracle Corp. "We try to tell people how they can go beyond just the reporting function and bootstrap their efforts towards consolidating information--similar to the newest corporate management solutions now gaining in popularity."
So what questions are customers asking, and what are they doing? While some are comparing Sarbanes-Oxley Section 404 implementation to Y2K, Miranda disagrees: "Y2K was a one-time event; 404 is an ongoing effort--you have to certify your numbers every quarter of every year." The correct question to ask, he says, is: "How can we incorporate this into an ongoing process?"
Also, he says he hears a lot of, "We have Oracle," or "We have an XYZ enterprise transition system, and now have to document our procedures and controls within that system, and have it on an ongoing basis." Another concern, from a senior finance executive's perspective, is reducing risk. So, many questions relate to: "How can you assure me that this will lower my risk?"
Still another issue relates to executives being asked to do more with less, while still under budget constraints that are now often greater than pre-Sarbanes-Oxley. "So, they have to think creatively and not think of it as an added set of work," says Miranda. Certainly, he argues, every organization of size will have some process change to go through to mitigate some of the risk that comes out in the early audits. "If you have disparate systems, you'll have a lot more work in documentation, a lot more potential risk, more controls to implement--and different change-control processes. Getting information out of the system has been difficult," he says.
Customers dealing with the extra work are certainly experiencing a frustration level, Miranda says. However, he advises, "If you just look at the problem and what you have to do you are not going to do anything except add costs to your budget. If you look at driving benefit into the organization, there are certainly benefits of having a single-process in a control system."
So, is Sarbanes-Oxley driving companies to do better? Absolutely, he states. "The most successful companies will be those who take a holistic view towards the corporate governance process. The law basically says you have to have documented processes and controls on those processes that mitigate against fraud and other risks. That should be an overall positive to the organization."
He notes three sections of the act that come into play in terms of system providers: one is decreased time to report, and more stringent guidelines going forward. For years, he says, Oracle has been working with clients to achieve a faster close. Indeed, 10 or more years ago Oracle's tagline spoke of "closing your books faster, getting to the daily close and having process automation."
The second is where executives have to have real-time disclosure publicly for material events to their business. "We are increasing the ability to put in more and fine-tune to keep performance indicators, so that even secondary effects may hit the material impact of the business," says Miranda.
The third aspect is complying with Section 404, which relates to internal controls. The biggest effort here, he says, involves people just documenting the process, because most organizations have controls in place and are not doing anything intentionally incorrect. On the flip side, most organizations are just getting their risk assessment, and finding some things that are surprises to management.
Miranda says both prior to and post-Sarbanes-Oxley, Oracle's advice to customers hasn't changed. It's been, "to combat information fragmentation (fragmentation is bad); to centralize information (which will allow them to get better information--collect apples with apples); to get this real-time; and the whole notion of the e-business suite, to have all your information in one or fewer places." Also, Oracle has added software--Internal Controls Manager, and recently Internal Controls Manager Version 2, which came out in response to Sarbanes-Oxley Section 404 and which goes directly to the COSO framework (what both Oracle and many auditors are recommending customers use for 404 certification).
"But again," warns Miranda, "this is not a once-and-done deal. Something we explicitly developed the product for--to try to integrate it with a company's transactional system, to use it on an ongoing basis. The tighter you are documenting, the better off you will be in the long run. And you lower your risk."
As for the main risks companies are dealing with, Miranda says, "People are going to start getting a lot of examination, because while there are a lot of controls already in place, as you get into the IT part of the process, that's where there'll probably be much tightening related to access: who has access to what systems, because, fundamentally, IT controls passwords. How do you register a new person for the system? When that person leaves, how do you assure that access is removed? Someone changes a role--how do you assure that they have appropriate access?"
It gets more complicated with disparate systems, says Miranda. "Who has access to those scripts? Where is data when it is en route? Who runs it? What if something fails?" This is an area where process is going to need tightening, he adds.
"Fraud is going to be tough to catch," he says, "but what I think is going to happen is a little exposure to data, normal processes--and you're going to get a few surprises."
Three elements are crucial, according to Miranda. First and foremost, it's about the people, and the culture that you set in place, to behave ethically. The second part is around creating the right processes and policies--making people understand the policies and being accountable for certifying their knowledge of the policies. The third part is having the right technology framework that helps an organization automate all of the processes, so that a lot of the controls are built into the product.
Miranda says that the successful organizations will be those who use Sarbanes-Oxley as a "lever to combat this information fragmentation problem and drive it from compliance to a business process focus." He says that's obvious when looking at the COSO framework changes. The new pillar to the COSO framework has been objective-setting, measuring against objectives. Combatting information fragmentation permits better visibility of the information. "With this knowledge," he says, "I think it will change the culture. Just the fact that you know the information is there, and someone is monitoring this information--it will change behavior in a beneficial way. It will be the easiest cultural change a company can have."
Author: Heffes, Ellen M.
Date: Jun 1, 2004