Ventana Research sees the issues of compliance, audit, and control entering a new phase. In our judgment, the post-scandal period that drove the passage of the Sarbanes-Oxley Act (SOX) is coming to a close. For the past two years, all U.S. public companies -- and even some others that have no legal obligation -- have been scrutinizing and correcting their financial control systems to comply with Section 404 of the act (by far the most onerous element of reform for a public company). For most of these companies, the distraction and anxiety associated with meeting the act's requirements will dissipate over the next couple of months as they complete their initial compliance phase.

What happens next depends a great deal on how well public companies have prepared to comply with the rules and how stringent auditors are in assessing their conformity. Ventana Research expects that if a reasonable amount of stringency is applied, the majority of public companies will be assessed as having adequate financial and IT control systems in place. We expect about 10 percent to 20 percent of the public companies will be cited with one or several "serious deficiencies" in their financial control systems in their initial annual audit, and that another 2 percent to 5 percent will be marked as having material weaknesses. Auditors likely will want to make an example of the companies that fall short in the Section 404 efforts, producing headlines (at least in the business press) in early 2005. Yet, unless we are mistaken about how prepared companies are to comply with Sarbanes-Oxley, or unless the Public Company Accounting Oversight Board (PCAOB -- pronounced "peek-a-boo") and the auditors it oversees want to be heavy-handed in their enforcement, Ventana Research expects the compliance topic to fade into the background.

In the background, perhaps, but not entirely forgotten.

For one thing, Ventana Research expects a gradual ratcheting up of control standards over the next several years. What was marginally passable for the 2004 audit will become unacceptable by 2006. Those companies that the auditors give some slack in 2004 will have to catch up in 2005. Next year they will continue their 2004 efforts, although with less uncertainty (because their shortcomings will have been made clear by their auditors) and less intensity. For the other two-thirds of public companies, compliance efforts will shift to optimizing their audit and control processes.

The challenge facing finance executives in 2005 is how to change their audit and control processes to overcome the drag on efficiency. Typically in the past, companies did not design their procedures and supporting information systems for efficient execution in today's environment. Some, maybe even many, of the financial controls that companies carefully put into place over the past two years represent mere "Band-Aids." They address symptoms of systems that may have been adequate in the past, but which now are ineffective for a SOX environment. Ventana Research asserts that world-class finance organizations will focus on reducing the ongoing cost of compliance by ensuring their processes and the IT systems that support them are structured to promote compliance efficiency.

Ventana Research recently completed a study of regulatory compliance, audit, and control issues facing companies. Objectives of this study were to assess the impact of audit, compliance, and corporate governance issues; determine ways in which the internal audit function has changed; and calibrate attitudes toward Sarbanes-Oxley software solutions.

Because Ventana Research advises companies on how they can use IT to address business concerns, we also looked into their use of software to address SOX issues. The data presented includes only qualified companies -- that is, those with 1,000 or more employees. Half of the respondents had finance titles, 8 percent were in IT, and the rest were mainly line-of-business managers.

The Most Important Issues

We asked respondents to assess the importance of various issues facing companies (particularly U.S. public companies), and to mention and rank any that were not in our list of choices (see "Importance of Compliance Issues"). Sarbanes-Oxley compliance and corporate governance are the most important issues. The former was ranked the most important issue by 46 percent of the participants and second by 16 percent of the participants, while the latter scored first with 30 percent of respondents and second with 38 percent of respondents. The weighted average (WAV) rank of the two responses is identical at 2.1. In the wake of the post-bubble corporate scandals, these two are top-of-mind issues for executives and receive a great deal of attention in business publications and general media.

Audit costs were ranked a distant fourth as an issue, with a WAV ranking of 3.2. At the beginning of 2004, audit costs received much attention because fees for larger companies had increased significantly. By mid-2004, their importance seemed to be fading, probably because the biggest bill from the auditor comes but once a year, and possibly because audit costs are of more concern for the CEO/CFO. Still, as the "Importance of Containing Audit Fees" graph shows, audit fees are very relevant to the study contributors. More than three-quarters rate the issue "very important" (28 percent) or "important" (52 percent).

Sarbanes-Oxley Compliance

"Sarbanes-Oxley" has become an all-encompassing term for governance and regulatory compliance issues. The act covers a lot of ground in its 11 titles. In 2004, though, most people use it to mean compliance with Section 404. This section requires management to assess the effectiveness of their company's internal control over financial reporting and then report on that assessment at the close of its fiscal year. It also requires the external auditor to confirm this, and report on this assessment made by management.

Compliance with SOX has been a small but significant burden for companies. Numerous surveys have been conducted to quantify the direct cost of this burden. From our study, we conclude that it has taken up an important chunk of time that companies might be spending doing other things. This is not to say that the aims of the law are unimportant or even less important than other potential uses of a company's time. However, these efforts have crowded out other things that a company, particularly the finance organization, could be doing.

We asked about the amount of time respondents personally spend on SOX. Exhibit 3 summarizes their input, which unsurprisingly shows that time spent on compliance varies widely. One-fifth said they are spending more than 30 percent of their time, 10 percent reported they are devoting 16 percent to 30 percent of their working day, while 30 percent said it takes 6 percent to 15 percent of their time. We also found 41 percent indicated they have little or no involvement in the process (these people are also the ones who ranked this issue fourth or fifth in importance). Those who answered this way come from all parts of the organization, including finance. Using the WAV of these responses (not a statistically valid measure), we estimate the average participant spends approximately 15 percent of their time on SOX compliance.

Exhibit 4 shows the time finance departments as a whole are spending. Nearly one-third (29 percent) are devoting more than 15 percent of their time to compliance, 37 percent indicated they are spending 6 percent to 15 percent of the department's time, while one-third said they are devoting 5 percent or less of their time. We calculate the average time finance departments are spending is about 11 percent -- a significant chunk of time.

The study participants also believe that SOX will continue to impose the same time burden even after the initial compliance phase is completed. In our judgment, if this is the case, companies must find ways to reduce the amount of time they are spending.

Halfway through 2004, all of the companies in the study required to file with the SEC had started their SOX compliance efforts, but only 8 percent of them had completed it, while another 28 percent reported they have nearly completed it. The largest group, 44 percent, indicated they are more than half finished, while 3 percent said they still have a long way to go. (The remaining respondents indicated they do not know.) We asked whether the participant's company would meet SOX requirements when they go into effect. We found 40 percent of those companies required to file said they "definitely" would, while 48 percent said they "probably" would. Another 8 percent believe they "probably will not" and 4 percent believe they "definitely will not."

Role of the Audit Committee and Internal Auditors

With corporate governance very much in the news these past two years, we were not surprised to find audit committees are more involved in oversight of the finance department's activities. For nearly two-thirds of the companies responding (61 percent), the committee has increased its involvement, while for one-third (33 percent), the committee's involvement has not changed. We wonder, though, whether the current level of involvement will be the norm in coming years, or whether it will intensify or decrease.

The role of the internal audit staff of many companies has increased over the past year as well. We found high-performance companies understand the link between an effective internal audit function and lowering the cost of their external auditors. We found almost half of our respondents increased the size of their internal audit staff, most commonly by up to 10 percent (18 percent of the participants) or by 11 percent to 20 percent (13 percent). There was no change or a reduction in staff size for 30 percent of the group, and 23 percent do not know.

For about half of the companies in the study, the internal audit staff plays a "significant" role in Sarbanes-Oxley Section 404 compliance efforts. In 14 percent of the companies, they play the lead role, for 30 percent they play a "key role but not the lead," and for 8 percent their part is "significant but not the lead or key role." Only 12 percent said the internal auditors play no role, and 26 percent indicated they do not know (most of them have nonfinance roles in their organization).

Controlling Audit Fees

For U.S. companies, two factors have driven audit fees higher over the past two years. The first is that the audit has ceased to be the loss leader that big public accounting firms use to generate more lucrative consulting assignments. Charges have had to rise simply to reflect this economic reality.

A second factor driving audit fees is that, in the wake of the business scandals that drove passage of the Sarbanes-Oxley Act, auditors have had to be much more thorough. Assessing initial and ongoing compliance with the act also will drive audit activity and therefore cost. For U.K. companies that do not come under SOX, audit fees are likely to rise because of the introduction of the Operating and Financial Review (OFR) and the introduction of global auditing standards.

We believe companies can do something about these systemic audit fee drivers by enhancing the maturity of the financial controls environment. Achieving a higher level of control is consistent with achieving lower costs in auditing as well as in operating a finance organization.

We asked participants to rate the importance of eight factors that can affect audit costs. The three chosen as having the most effect on costs are having an external auditor that understands the business, automating manual accounting processes, and harmonizing the chart of accounts.

For all companies, having a knowledgeable external auditor has always been important to speeding up the audit process and containing costs. However, for U.S. companies, the requirement that public firms will have to automatically rotate auditors will work against audit speed and cost containment unless competition for audit business drives the firms to reinforce their industry-specific groups with significant practice-development efforts.

Automating manual processes and harmonizing the chart of accounts are both ways of eliminating the source of audit activity because auditors have fewer sources of error and confusion to control and check. Similarly, reducing spreadsheet usage and minimizing points of control in the financial system also cut the number of things an auditor must check and confirm. Interestingly, the research panel believes the least-effective means of reducing audit fees is using a dedicated SOX compliance application.

The Software Dimension of Sarbanes-Oxley Compliance

The source of much of the frustration with 404 compliance is the requirement for companies to formalize informal processes that have worked perfectly well in the past, and to document things that they never had to document before. The trick to reducing the inefficiencies that come with these sorts of bureaucratic requirements is to eliminate processes or parts of processes that must be controlled, minimize the effort required by employees in the compliance process, and eliminate as much as possible the potential for individuals to make mistakes. Software plays a role in each of these steps, either by implementing new systems, or revamping processes using existing software.

So far, Sarbanes-Oxley has been much less of a bonanza than many software companies had hoped. On the contrary, during 2004 some of them attributed revenue shortfalls to public companies' distraction, new procedures that slowed the purchasing process, or a "lockdown" of systems in the final quarters before the audit.

In our opinion, the main reason why companies have failed to buy software is they understand the initial phase of becoming compliant has been about defining controls and related tests around their processes. The vast majority of companies decided they do not need to use dedicated software to do this. Only 31 percent of our survey participants implemented software to assist them. Those that used software in the process are divided between an internally developed solution (37 percent), a solution based on a document management system (33 percent), and a dedicated SOX tool (21 percent).

Once their processes are in place, companies likely will use software to support their ongoing compliance efforts. Only a small minority (18 percent of the participants) have no plans to evaluate Sarbanes-Oxley software solutions. A large majority (69 percent of the participants) believe that using software to manage ongoing Sarbanes-Oxley compliance is worth the money, mainly because it accelerates the process (49 percent) and decreases errors (38 percent). As we noted above, the study participants do not believe this software will have much of an impact on reducing audit costs.

At the same time, companies generally possess a lack of familiarity with the kinds of software that they can use to support their control and compliance efforts. We asked participants to indicate how knowledgeable they are about Sarbanes-Oxley solutions. Their answers are summarized below. For every software type, about half of the participants indicated they have little knowledge of the category but want to know more. Depending on the category, only 3 percent to 7 percent described themselves as "extremely knowledgeable."

In our opinion, few software companies have done a good job of demonstrating they have a solution. Many have used Sarbanes-Oxley in their marketing campaigns but have failed to demonstrate how their software addresses issues faced by finance people. The momentary "sizzle" evaporates as it becomes clear there is no "steak" in what the company is offering. Worse, those vendors that used Section 409 (the provision covering timely reporting of meaningful events) as a marketing hook almost uniformly succeeded in showing how little they understood the law. The burden does not rest entirely on software vendors. The results also show that people who work in finance departments are less familiar than they need to be with tools that can enhance the efficiency of their operations.

Taking the Next Steps

Most companies will heave a sigh of relief as their external auditors attest to the soundness of their financial control structure. For almost all companies, though, this will only be the end of the beginning. Ventana Research asserts that optimizing existing systems and processes for the Sarbanes-Oxley environment is the next step companies must take. The goal must be to increase the maturity of their control systems.

We maintain that metrics such as the time required to perform the monthly and quarterly closes are correlated to the maturity of a company's financial control systems. For example, automating most existing manual processes (e.g., reconciliations) performed during the close reduces the completion time because there are fewer steps for people to execute and fewer of the inevitable errors that need correction. Better still, automation also cuts the number of financial control points and tests that companies must perform. Addressing the root causes of a lengthy close (e.g., intercompany processes, allocations, redundant data processing, inaccessible data in spreadsheets, transaction coding errors, etc.) will frequently produce a cleaner, more controllable (and easier to audit) financial environment.

We believe world-class finance organizations will focus on reducing the ongoing cost of compliance by ensuring their processes and the IT systems that support them are structured to promote compliance efficiency. However, based on our study's results, most companies seem unaware of how to do this, and they possess a widespread lack of awareness of software technologies that could make the ongoing compliance process more efficient.

Robert D. Kugel heads up the financial performance management (FPM) practice at Ventana Research, focusing on the intersection of information technology and the finance organization. Ventana Research is a premium content partner of Business Finance and Business Performance Management (BPM) Magazine.