The compliance technology market is still embryonic, but most public companies are purchasing software to help make compliance a natural outcome of their business.
To download a PDF file of the complete Compliance Technology Buyer's Guide functionality comparison, click here [1].
Year one of Sarbanes-Oxley compliance was simply overwhelming for many companies. In most cases, the process was burdensome because the required documenting, monitoring, verifying and reporting was performed manually. IDC, a research firm based in Framingham, Mass., estimates only about 10 percent to 15 percent of public companies used some type of compliance management tool in year one. Most companies didn't have the time to consider technology. CFOs felt they first had to determine what to document and where to insert controls before they could start thinking about how to automate.
Year two promises to be quite different. Now that companies better understand what the law requires and where their process weaknesses lie, they are prepared to choose the kinds of compliance technology they need to make year two's filing less onerous than last year's.
Demand for technology solutions in this space is heating up. "Governance needs will be the single most important driver of change in IT spending in the next several years," says Lee Dittmar, principal, leader of the enterprise governance practice and co-leader of the Sarbanes-Oxley service offering at Deloitte Consulting LLP in Glen Mills, Pa. "Compliance technology going forward needs to address better information, not just transactions. How do you know if you even have a compliance problem if you don't have the right tools to find out if anything's wrong?"
In year two, finance managers are asking themselves whether they have too many controls in place or the right amount of emphasis on each control, how they can standardize compliance processes, and what role technology can play to improve those procedures, Dittmar adds.
Nearly every business software provider will tell you it has the technology to answer those key questions. How do you sort them all out? Do you stick with your ERP vendor's compliance offering or turn to a best-of-breed (BOB) software provider? Should you settle on your business performance management (BPM) vendor's compliance product or continue to use the interim compliance tool that your accounting firm provided? Here's a look at the scope of the compliance technology market and guidelines for finding the right solution for your company.
The number-one priority among companies in year two is automating the controls they put in place in year one. Businesses that attempted to automate their processes last year are evaluating the tool they used. For example, some companies were disappointed with the results generated by interim compliance tools provided by the Big Four accounting firms.
Vivek Sharma found that performance of one such tool was less than stellar. "It simply didn't do what we wanted it to do," says Sharma, group controller in finance at AMD, a global semiconductor manufacturer based in Sunnyvale, Calif. "Any time we changed a document, the compliance tool we were using was supposed to track the changes, but it didn't. So after contacting several major compliance vendors in February 2005, we began implementing the compliance management solution from Movaris. Our goal was to change our Sarbanes-Oxley compliance methodology by automating processes. With this change in SOX methodology and the use of Movaris, we're well on the way to reducing our key controls testing by 75 percent, which will result in significant reduction in SOX costs for 2005."
Sharma adds that those control processes are now automated. "We don't have to go back and do the same thing twice. Before, we had trouble just finding the document, which meant extra work. Now we just scan the document into the software, and that's it. It's given us greater consistency and reliability, especially since we were coming from an unreliable compliance process. In addition, we've made our entire SOX process paperless, which was a big achievement for us," Sharma says.
Companies eager to capture those kinds of benefits are tempted to rush out and buy a compliance management system as a quick fix. But before locking in to any compliance software purchase, a business should first assess its current position and determine what it needs going forward.
John Hagerty, analyst and vice president at AMR Research in Boston, offers guidance for organizations embarking on the assessment process. "Some of the key questions companies should ask themselves include: What compliance-related activities should you automate? How far should automation go? What can wait until later? Should you take a preventative approach or an audit approach to testing and enforcing controls? Plus, how far should you delve into risk management? Which IT architecture extends most naturally from your existing infrastructure today? Can you apply the same concepts from compliance to improve the quality of transactions processed through existing business systems? Your answers will help narrow your focus."
According to Hagerty, a long-term, sustainable compliance environment consists of three integral components: a compliance framework, a system of monitoring internal controls and a risk-management framework.
The companywide compliance framework includes the processes and responsibilities necessary to execute continuing compliance, Hagerty explains. "It also provides ongoing oversight for many compliance programs in the business."
Internal controls monitoring confirms adherence to policy, either in real time or near-real time, and directs remediation of material gaps in control. Hagerty points out that software helps executives manage compliance by automatically detecting errors and alerting managers to take action. The risk-management framework systemically evaluates key risks to the business at several levels and organizes priorities based on potential exposure, Hagerty concludes.
Risk management is the future of compliance technology. Although the first component that organizations need to cement in place is a compliance framework, businesses later will want to gain a greater appreciation of risk, and technologies are already emerging to fill this longer-term need. "Companies like BWise focus on risk management, and firms in the compliance framework category are also trying to step into this area as well," Hagerty says. "Yet no one vendor can do it all."
In year two and into year three of the Sarbanes-Oxley era, organizations are broadening their focus beyond automating internal controls. They are also beginning to look at technological ways to refine and improve the quality of their compliance processes, gain better visibility into problems and improve their ability to correct them. In essence, companies will move from a micro to a macro view of compliance. As they change existing processes, they'll need to install new controls.
"Companies will find [that] in making changes to improve processes, the whole issue of change management surrounding IT will become more important, as will the ability to demonstrate that although IT may have been upgraded, the IT system can still demonstrate integrity of internal controls," predicts Dittmar. "There are a lot of deer-in-the-headlights looks from CIOs about how these changes will be handled from a compliance standpoint."
Senior managers are wondering whether the vendor that handles a company's immediate corporate governance needs can be equally skilled in providing solutions to these broader kinds of challenges. Consequently, instead of looking only at compliance-management software that focuses on meeting immediate Sarbanes-Oxley requirements, they are also considering vendors that can help their company formulate more proactive compliance efforts, make changes without disrupting the controls they've put in place and achieve a more holistic view of risk.
Which type of provider will best serve those objectives? Some experts suggest that if a company has an ERP provider, the path of least resistance is to stick with that vendor. Fewer integration problems may arise with a known ERP system than with a new best-of-breed application. In addition, ERP vendors claim they offer something that best-of-breed players can't.
"The BOBs offer specific solutions to a problem and give the impression they're able to get that solution up and running faster; however, we offer customers the ability to automate these controls at a deeper level and to trigger an audit when segregation of duties is out of alliance," says Chris Leone, vice president of applications strategy at Oracle in Redwood Shores, Calif. "In addition to automating Section 404 processes and being able to provide technology for IT to standardize their practices, we can solve compliance problems at a more granular level." Leone adds that Oracle provides learning management tools to educate employees about Sarbanes-Oxley compliance requirements as well as more holistic, longer-term solutions that extend beyond a company's immediate compliance concerns.
Oracle client Barry Goldfeder is senior director of business controls, systems and processes at Loral Space & Communications Inc., a manufacturer of satellites and provider of fixed satellite services in New York City. He chose the Oracle compliance application in large part because of its familiarity. "We filed manually in year one and realized it was too monumental a task to go through it all manually again in year two. Then Oracle came out with their compliance management tool, which we went live with in the first quarter of 2005," Goldfeder says. "It had the same feel as the ERP systems we were using from Oracle. It takes less time, it's more consistent, more reliable, and as a result we've found that our people have a greater awareness of compliance and are willing to take more ownership of their respective processes."
Suppose, however, a company's ERP vendor doesn't have the kind of compliance capability the organization needs right now. Waiting for it to get up to speed could compromise compliance efforts. Or, let's say a business needs richer functionality than ERP systems currently provide. In those situations, the nod goes to the best-of-breed players. "The BOBs in this space still have the lead, but the ERPs have closed the gap and are coming on stronger now with their compliance capabilities," says Hagerty. "As companies chart their course for technology adoption, they increasingly value technologies that streamline, organize and automate their compliance-related activities."
In recent developments, ERPs have begun collaborating with best-of-breed vendors. ACL Services Ltd., a Vancouver, B.C.-based provider of internal control-monitoring software, is a case in point. "Large ERP players like Oracle and SAP may claim they can do it themselves, but right now they're working with BOBs like ours to create their compliance management functionality," says ACL Services' president and CEO Harald Will.
Business performance management (BPM) vendors are also offering compliance management functionality. Applications in this group give companies a way to gain the big-picture view of compliance while getting rid of the spreadsheets many organizations rely on to meet regulatory requirements. "BPM provides good financial controls and reporting [as well as] automation of processes, and with those BPM capabilities, companies are in a better position to make the compliance-related tweaks they need to make going forward," says Vicki Griffith, industry markets director at Lawson Software in St. Paul, Minn.
Applying BPM capabilities to the requirements of Section 404 can help organizations meet compliance challenges long-term. "BPM is going to serve as a more robust type of solution, a way for business assurance [also called continuous controls monitoring], compliance management and consolidation to all fit together," says Kathleen Wilhide, Wilmington, Del.-based research director, compliance and BPM solutions, at IDC.
This year, some BPM vendors have formed alliances with best-of-breed companies that specialize in compliance systems. In early 2005, Hyperion Solutions Corp. partnered with compliance management software providers Axentis and OpenPages, as well as IBM, to offer a compliance dashboard that integrates the monitoring of internal controls with financial reporting. The product is designed to help companies sustain compliance efforts over the long term by consolidating data from multiple sources into a single point of visibility.
Cognos has followed suit, partnering with OpenPages and Stellent to provide a compliance dashboard and more sophisticated reporting capabilities. The dashboard gives users graphic views into their internal controls framework while also providing comprehensive financial reporting and analysis. The product lets clients automate their compliance efforts and consolidate financial reports as well.
At SAS Institute Inc., however, compliance is just one of many features integrated into an overarching enterprise management platform. "Whether it's supplier management, compliance management, customer management, logistics management, analytics or predictive modeling, at SAS it all works off one data set," says Peter Christie, product manager for SAS corporate compliance at the company's Cary, N.C., headquarters. "Once all the data is fit into our business intelligence architecture, the system is available to answer compliance questions, performance questions, supplier questions and so on. It's tailored to each client's needs. In addition, SOX focuses mainly on corporate governance, but it doesn't specifically address operational risk. The goal of the future is to tie corporate governance and operational risk together."
CorVu Corp. also has an enterprise risk management framework for addressing regulatory, credit and operational risk. It's designed to enable companies to ensure regulatory compliance by monitoring key risk factors, risk scenarios and risk controls.
OutlookSoft's CEO Phil Wilmington believes add-on compliance products are not something end users will embrace. "We believe clients are looking for a unified solution to SOX compliance issues, one that can link structured and unstructured [compliance-related] data into their financial information," says Wilmington, who adds that his Stamford, Conn.-based company offers a unified compliance solution within its BPM offering.
When it comes to compliance management trends, vendors tend to lead from their strengths. If they have a strong planning reputation, they focus on the importance of that process in meeting compliance requirements. If their forte is business process management, they emphasize that capability to separate themselves from the pack.
Compliance software provider Stellent emphasizes documentation. "We've been developing software for document management and content management since 1996, and we've been developing business process management for a number of years as well," says Dean Berg, director of compliance solutions, who is based in Boston. "Being able to manage the changes made in the documentation process is the first step, so the ability to manage those changes is key. And secondly, going through the process of documentation tends to identify which processes need to become more efficient. So the documentation management and the business process management become a one-two punch. For other capabilities that we need, like business analytics, we'll partner with those vendors, like we did with Cognos in May 2005, instead of trying to develop those capabilities ourselves."
Looking ahead, vendor consolidation is likely as larger players fill gaps in their compliance features by acquiring niche firms. For example, in August 2005, Coda Financials Inc. announced its acquisition of Control Solutions International, a Sarbanes-Oxley software provider, in an effort to make Coda a one-stop shopping center.
That kind of activity, however, is more the exception than the rule at present. This space is so embryonic that most vendors are still testing the waters. To date, more partnering than acquiring has occurred. "It's a little surprising that someone like a Hyperion hasn't bought a compliance vendor firm yet, and I think it's because they're not quite sure yet what this market has to offer beyond the immediate SOX demand," says Wilhide.
Hagerty sees the same uncertainty. "This whole market is transfixed on SOX right now, and vendors want to see what the long-term potential of this market is before they do any acquiring of other firms," he says.
Ted Frank, president of Axentis Inc., a compliance management software provider in Warrensville Heights, Ohio, believes putting in place a consistent compliance system is the real key to meeting not only Sarbanes-Oxley requirements but any kind of regulation that may come along. "Whether it's SOX or a new set of compliance regulations down the road, we use the same process for meeting clients' compliance needs, which is basically a matter of helping clients in defining their organizational structure and policies and creating a system of record," Frank says. "That system consists of identifying risks, putting procedures in place to control them, and monitoring how well those procedures are being handled."
One thing is certain: Successful companies will move away from embracing a transaction-oriented view of compliance exclusively and decide which systems and processes they need to refine to make compliance an integral part of their business operations. Best-practices companies will likely use a BPM system to build compliance into their culture so that meeting regulatory requirements becomes just another process within their business. The future of technology in this space will be targeted toward those big-picture goals.
Controlling Sarbanes-Oxley Costs Through Technology
The average company's cost of meeting Sarbanes-Oxley requirements can run into the millions. Businesses bemoan spending money on compliance tools, figuring they will just add to their already skyrocketing expenses. Generally speaking, however, the reverse should prove true. When organizations are armed with the kind of technology that enables them to automate controls as well as processes, they can save money and time that they would otherwise devote to manual compliance chores. Their Sarbanes-Oxley-related tasks become easier, and the business runs more smoothly. For example, participants in a July Internet survey conducted by Lake Snell Perry Mermin & Associates and Decision Research in conjunction with controls-management software company Approva Corp. indicated that companies' use of technology to better document internal controls is helping to hold down their compliance costs. Of the more than 200 finance executives, controllers and CFOs responding to the survey (84 percent from companies with more than $1 billion in revenue), 66 percent are adopting automated documentation tools, and 42 percent are automating the testing of controls. Thirty-seven percent said documentation systems are the most effective compliance technology tools, followed by automated controls testing software (29 percent).
Links:
[1] http://businessfinancemag.com/Magazine/archives/Issues/2005/November/BuyersGuide.pdf