Tapping ERP as a Compliance Power Source

Could your ERP system shed more light on Sarbanes-Oxley compliance? An IT audit can show whether software is helping or hindering adherence to the law.

For CFOs and CIOs familiar with the ups and downs of large-scale corporate software implementations, the dual status of enterprise resource planning (ERP) systems as both a risk and a valuable tool in Sarbanes-Oxley compliance efforts should come as no surprise. Companies that can't properly document the controls within their system's accounting modules are in trouble. Those that can are a giant step closer to their compliance goals.

"I'm not sure we could have complied had we not decided to put in ERP at the beginning of the year," says L. Brunson White, CIO and vice president of information technology with Energen Corp., a diversified energy company based in Birmingham, Ala. "And if we did comply without the implementation, it would have been extremely expensive." White speaks highly of his new SAP suite's built-in controls, which he views as crucial to meeting the internal controls documentation, assessment and testing rules laid out in Section 404 of the law.

Yet few companies wrestling with compliance issues get to reap the benefits of new ERP implementations. Most organizations installed their systems before the passage of Sarbanes-Oxley and, even more important, before the SEC began clarifying the rules.

"ERP systems have always had good control features," says Robert Hirth, managing director, internal audit services, for consulting and audit firm Protiviti Inc. in San Francisco. "And those controls can help companies with Sarbanes, particularly in moving toward Section 404 compliance. But in a lot of cases, those controls aren't turned on."

For that reason, many ERP vendors have been fielding a wide range of compliance queries over the past year. "The questions are interesting," says Mike Rost, director of product marketing for Lawson Software in St. Paul, Minn. "There are a lot of different switches you can turn on or off depending on how you implement the system."

Lawson's compliance assistance has primarily consisted of examining ERP footprints, then helping clients determine how to better leverage the software they already have in place. Once armed with that information, CFOs and CIOs can decide whether to add controls, update their systems with new versions or added functionality, or -- at the most labor-intensive end of the spectrum -- consolidate multiple ERP systems.