Companies are investing in new software to help them comply with Sarbanes-Oxley. But is any single tool sufficient to address most businesses' needs? It may all depend on the current state of internal controls and documentation.
Kirk Krappé, president and CEO of Nextance inc. in Redwood City, Calif., says the noise from software vendors pitching Sarbanes-Oxley solutions has grown deafening. He receives two or three e-mails a day from vendors and consultants offering to solve his compliance problems, even though his small, private company isn't subject to the provisions of the new law -- and it's a competitor in the Sarbanes-Oxley compliance assistance market itself.
Most CEOs and CFOs need a document management system just to sort through the hundreds of compliance pitches they're fielding. But few leaders would deny that compliance assistance products and services fill a real need. Earlier this spring, the SEC underlined the deadly seriousness of compliance issues when it fired off a volley of criminal charges against senior executives of HealthSouth Corp., the $4.3 billion-a-year Birmingham, Ala.-based health care services provider. News of that investigation broke just as management teams at many public companies, particularly those with Sept. 30 fiscal year-ends, began plotting their compliance strategies, investing in external Sarbanes-Oxley assistance and focusing on their assertions of internal controls as laid out in Section 404 of the new legislation.
"What Congress did when it passed the act was to eliminate the Ken Lay defense," says Trent Gazzaway, national director of corporate governance advisory services for accounting and consulting firm Grant Thornton LLP in Charlotte, N.C. "CEOs can no longer say, 'That wasn't my responsibility -- it was the fault of internal audit, the external auditor or the accounting department.' " Ultimately, the buck stops with CFOs -- and their subordinates. So far, the HealthSouth criminal charges have targeted (in addition to the company's former CEO) two former CFOs, a former assistant controller, three finance vice presidents, and an assistant vice president of finance and accounting.
There's no question that compliance assistance providers found an eager market for their products early this year. Stephanie Woodruff, Minneapolis-based global managing director of internal audit services provider Resources Audit Solutions, reports that public-company investment in her firm's compliance assistance software surged in early March. Other finance and accounting consulting firms and accounting firms report similar sales leaps. Gazzaway conducted presentations of CAT Scan, Grant Thornton's control analysis tool, for 40 public companies in a five-week stretch beginning in February.
The flood of compliance assistance software products shows no sign of abating. While there's no question that they are timely and needed, the sheer volume of offerings is overwhelming to many finance executives. And grasping the pros and cons of all available solutions remains a challenge.
Woodruff segments the compliance process into three stages: documentation, assessment and testing, and audit support and attestation. She says some software tools skip the documentation in favor of a basic assessment checklist -- check enough boxes, the thinking behind these products goes, and you've adequately tested the effectiveness of internal controls. That's a mistake, she argues, noting that for Resources Audit Solutions, the first stage of compliance management is "all about documentation [of the] client's policies and procedures." And she insists that those policies and procedures must be steeped in first-rate accounting and internal audit best practices know-how for a compliance tool to be effective.
Gazzaway echoes Woodruff's caveat. "Tools are just a way to efficiently execute the methodology," he notes. "Some of the tools I've seen out there are just electronic filing cabinets."
But enterprise contract management, compliance management and document management software vendors insist that it's a mistake to underestimate the sophistication of their applications. Although those vendors may have limited consultative expertise in internal controls and accounting processes, some have helped large public companies comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA); the FDA's Regulation 21 CFR Part 11, which governs data security and electronic signatures in FDA-regulated industries; OSHA regulations; various antidiscrimination laws; e-commerce regulations; and other SEC rules. "Sarbanes-Oxley requires corporate controls be put in place, and that's the focus of contract management software," says Mike Kaul, president and CEO of diCarta Inc. in San Carlos, Calif.
Invest in a contract management solution to ensure compliance with the new law, vendors say, and you can realize additional benefits by staunching value leakage from shoddy contract management practices. Krappé points to a February 2003 Nextance survey of executives at 100 Global 2000 corporations; more than 80 percent of respondents reported that locating their contracts was an area of concern, and 71 percent identified contractual risk as a major area of concern. DiCarta's enterprise contract management application boosts contract compliance, contracting controls and visibility, says Kaul.
Ken Thrasher, CEO of enterprise compliance management software provider Complí in Portland, Ore., believes that risk management practices are incomplete if they don't include "employee practices compliance monitoring." Gazzaway echoes that point when he notes that "subsidiary certifications" have so far received short shrift in the overall compliance discussion. "While most listed public companies now require lower-level finance and accounting managers to certify information and controls, the only reason people sign is that they're going to lose their job if they don't," he says. "An effective tool provides documentation at that low level. It gives them support as to why they're signing a certification within their specific area of responsibility."
Business performance management (BPM) software and ERP vendors say their products provide that support to managers involved in forecasting, budgeting, planning, analysis and financial reporting. Gottfried Sehringer, vice president of marketing for revenue management software provider Softrax Corp. in Canton, Mass., says his company's solutions help eliminate inconsistent documentation, processes and treatments. That's a convincing pitch when it comes a few weeks after the SEC's March release of its "screening" of annual reports from Fortune 500 companies. (The SEC review warned of a lack of clarity in revenue recognition practices, particularly in the high-tech, energy, pharmaceutical and retail industries.)
Is any single tool powerful enough to meet all -- or most -- of a company's compliance needs?
The answer depends on several factors, the most important of which are the present state of the organization's internal controls and its documentation of those processes. The following steps can help narrow the field of tools vying for compliance-management dollars:
Strike a balance between compliance efforts and internal controls. Finance executives need to evaluate the strength and visibility of the company's internal control framework as well as its financial data aggregation and treatment processes. Rieger stresses that assessments of internal controls should be "pervasive across an organization." For example, if data-entry controls are weak, no amount of controls or documentation related to the preparation of financial statements will help reduce data-entry risks. "The level of detail you have to get down to is pretty significant," says Gazzaway. "You have to get down to the level of Excel spreadsheets and determine whether or not the people using them know what they're doing and whether or not they're being appropriately monitored and reviewed."
Organizations that already conduct evaluations at that level of detail will have fewer compliance needs. For example, banks with more than $500 million in assets have been conducting rigorous reviews of their financial reporting controls -- and certifying the effectiveness of those controls in their 10-Ks -- since the passage of the Federal Deposit Insurance Corporation Improvement Act of 1991. But while a Bank of America may be able to meet Sarbanes-Oxley compliance demands by making a few enhancements to its document management, ERP or business performance management system, companies closer to the HealthSouth end of the spectrum will need to resuscitate their control framework before they even think about documentation.
Pay attention to auditor independence. As the SEC's auditor independence rules currently stand -- according to the agency's Feb. 7 clarification of Sarbanes-Oxley -- external auditors can document the internal controls of auditing clients so long as they don't assess or test those controls. But financial and accounting consulting firms and software vendors are pitching the idea that companies are better off playing it safe. "Do you really want your external audit firm to document?" Resources Audit Solutions' Woodruff asks. "I think there are a lot of confused clients out there right now, trying to figure out what [their external auditors] can and cannot do."
Rieger agrees that involving an external auditor in compliance consulting can be the first step on a slippery slope. Through mid-April, Crowe Chizek's 100 or so external audit clients, most of which are banks, have avoided that treacherous incline. But he also notes that the better an external auditor understands and applies a tool for documenting internal controls, the more effective and efficient its external audit work is likely to be.
"We can give the tool to our audit client to use," says Grant Thornton's Gazzaway. "We can't populate the tool for them, make assessments or design controls for them. We're very cautious and conservative in how we approach the independence issue." Public companies subject to the new law should follow suit.
Sorting the Tools

Gottfried Sehringer, vice president of marketing at revenue management software vendor Softrax Corp. in Canton, Mass., divides Sarbanes-Oxley compliance assistance software into five types: best-of-breed financial applications, including performance management and revenue management packages; ERP financial systems; analytics tools; document, contract and compliance management tools; and basic infrastructure tools, such as e-mail, storage and tracking systems. Add to that list one more category: freebies. Karl Nagel is principal of Karl Nagel & Co., an accounting oversight compliance services firm in Huntington Beach, Calif. Nagel, who has a flair for all things IT, has developed a zero-cost (to Nagel clients) open-source compliance management and reporting system that can be installed on a corporate intranet in a couple of hours. The program, based on open-source database/scripting technology, helps users accomplish critical compliance tasks such as establishing corporate policies and procedures and managing audit committee oversight duties. Information about the tool is available at www.centiare.com [1].
Few CFOs jump at the opportunity to discuss the tools and methodologies they hope will identify, test and improve their company's governance processes. It is not an opportune time to suggest that internal controls are anything less than stalwart.
Vendors and consultants naturally have their own interests at heart when commenting on compliance management approaches, but they sometimes offer helpful insights if persuaded to venture away from the topic of their own offerings. Mike Malwitz, senior manager of product marketing for Sunnyvale, Calif.-based Hyperion Solutions Corp., says that if he were a CFO, he would want to supplement his BPM investment with content management software for "unstructured data like policy and procedure documents, policy change control, exception control and documentation archiving." Ulysses Knotts, CEO of BPM solutions provider CommerceQuest Inc. in Tampa, Fla., says that if he were CFO of a large public company looking for compliance management software, he would value visibility above all other capabilities. Knotts also emphasizes the importance of flexibility, as does Ken Molay, director of strategic marketing for analytics technology provider Fair Isaac Corp. in San Rafael, Calif. Molay points out that the new law's regulations will continue to change as the Public Company Accounting Oversight Board hits its stride.
John Verver is vice president, professional services group, with business assurance solutions provider ACL Services Ltd. in Vancouver, British Columbia. He's also a former Deloitte & Touche consultant with 20 years' experience in computer-assisted audit. Verver notes that effective compliance assistance software helps finance executives achieve three critical assurances: that their business transactions comply with established controls, that their control systems are comprehensive and designed to account for all transactions, and that their data is accurate and complete.
Finance and accounting consultants and accounting firms stress the importance of software and methodologies that incorporate an internal-control approach endorsed by the Committee of Sponsoring Organizations (COSO), a private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance.
Woodruff notes that strong internal audit departments can help companies quickly and effectively incorporate compliance into their processes. "CFOs and controllers don't always have a good idea about the state of all of the business processes within an organization," she says. "They're looking to the internal audit function because it is constantly looking at all of the processes -- all of the risk and controls within the organization -- and they can quickly get their arms around it and quickly funnel it into their overall audit plan."
In the long run, a prudent and comprehensive approach to compliance will likely restrain rising external audit fees. In the short term, that strategy may lower the risk of incurring much higher costs -- those associated with an SEC investigation.
The Compliance Cost Conundrum

Although it's still too early to add up Sarbanes-Oxley compliance costs, a review of recent surveys and reports reveals a broad range of estimates -- from a one-time $50,000 investment in document management technology to comparisons with Y2K spending. Contract and document management systems cost anywhere from $50,000 to $500,000. But few public companies will be able to meet all of their compliance needs with a single software tool, according to finance consultants and external auditors. A Morgan Stanley report released Feb. 24 includes an analysis, geared toward Morgan Stanley investors, of Sarbanes-Oxley compliance opportunities for finance and accounting firms. The study, based on interviews with corporate finance executives at 20 public companies with average revenues of $2.7 billion, estimates that public companies will spend $600 million this year to ensure compliance with the new law. That calculation is based on an assumption that half of the nearly 12,000 public corporations in the United States will shell out an average of $100,000. Those figures seem low compared with the findings of a less-scientific analysis conducted by Chicago-based finance and accounting consulting firm The Johnsson Group Inc., which suggest that a $3 billion public company will spend an estimated $3.5 million to $9.5 million on initial compliance costs and $2.8 million to $8 million per year in ongoing costs. Those figures, which were not based on a formal survey, include all internal costs (additional hours worked in finance and accounting, internal audit, and legal departments; expenditures on governance and process improvements; and new technology) and external costs (increases in consulting, auditing and legal fees).
The Johnsson Group is probably most familiar with the cost of consulting services; the firm estimates that a $3 billion public company will spend an extra $400,000 to $600,000 on consulting fees this year and an additional $250,000 to $300,000 per year thereafter. The final tally no doubt will vary by company size, quality of internal controls and documentation, and compliance strategy. But many finance executives think there's worse to come. In a PricewaterhouseCoopers fourth-quarter 2002 survey of 137 U.S.-based CFOs and managing directors, 71 percent of respondents said they believe compliance costs will move higher (59 percent said "somewhat higher" and 12 percent said "much higher") over the long term. Where will the money come from? Be prepared for some surprises. Larry Rieger, partner in charge, internal audit and risk management services, with accounting firm Crowe Chizek and Company LLC in Oak Brook, Ill., recently asked the CFO of a $40 billion public company how he planned to fund his company's Sarbanes-Oxley compliance activities. "He told me he thought his company was well-controlled, but that he was finding opportunities for improvement," says Rieger. "His company decided to defer a global ERP system installation for a year. The company is taking some of the resources it was going to use on the first year of the $100 million, five-year implementation and applying [them] to the control-documentation process."
Links:
[1] http://www.centiare.com