
In the wake of the passage of the Sarbanes-Oxley Act (SOX) in 2002, software companies ramped up their efforts to market a range of tools and systems that quickly came to be grouped under the "governance, risk, and compliance" (GRC) label. The SOX requirements are the reason why many companies have purchased software to ensure that separation-of-duties structures are not breached and to manage their IT systems' security more effectively.
Unfortunately, the term "GRC" is a bit artificial, as most often the various tools designed to address governance, risk, or compliance are purchased separately by different people in different departments and often for separate business units within a given corporation. It is true that in some corporations that are heavily regulated -- such as financial services, pharmaceuticals, and airlines -- managing governance, risk, and compliance is strategic, so the software and systems to support these efforts command greater attention. Nonetheless, many (if not most) corporations approach risk and compliance management software in a tactical fashion -- with little coordination and no regard for the broader business and technology issues at work.
Comprehensive GRC software doesn't exist today. Should it? Ventana Research thinks that the answer is yes, but it's not clear how fast this evolution will take place. That it will occur, though, is a certainty, enabled by the emerging ability to automate more finance department governance and handle risk on a cross-functional basis and driven by the long-standing need to do so.
Thanks to the demands of SOX, more effective finance department governance using software has become increasingly feasible. Compliance with Sarbanes-Oxley Section 404 initially seemed so challenging because of early confusion about how broadly to address the specific demands of the act to prevent fraud in external financial statements. This confusion, and a lack of clear guidance on responding to SOX, sent companies on a paper chase to document all of their financial processes and analyze them for vulnerability to fraud or misstatements, regardless of their relevance or potential to harm external investors.
This largely ended with the issuance of Accounting Standard 5 in 2007. Nonetheless, even though companies are not compelled to monitor and control every nook and cranny of their processes and systems, they have opened the Pandora's box of financial governance, and many have realized that there likely are areas where more effective controls can yield a positive ROI.
Today, companies can use software to monitor end-to-end processes such as procure-to-pay and order-to-cash to automatically spot duplicate invoices from vendors, invalid purchase orders, shipments made without orders or invoices, or inaccurate commissions. Tools exist to make it possible to spot duplicate merchant charges or to split purchases to avoid going over thresholds on purchase cards, and Finance can automatically be notified if the company's payroll records show errors or indications of benefit irregularities.
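Two of the continuous-control checks mentioned above, written out as an added example that is not code from the article or from any vendor it discusses. The purchase-card limit, the look-back window, the vendor-name normalization rule and all transaction and invoice records are constructed assumptions for illustration; a real deployment would read them from the purchasing and payables systems.

```python
"""Added example: two continuous-control checks of the kind the article
describes, run over constructed sample data (not real transactions)."""
import re
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed purchase-card transactions:
# (txn_id, cardholder, merchant, posting_date, amount)
CARD_TXNS = [
    ("T1", "alice", "ACME Supply", date(2008, 3, 3), Decimal("2400.00")),
    ("T2", "alice", "ACME Supply", date(2008, 3, 3), Decimal("2450.00")),
    ("T3", "alice", "ACME Supply", date(2008, 3, 4), Decimal("1900.00")),
    ("T4", "bob", "Office Mart", date(2008, 3, 3), Decimal("120.00")),
    ("T5", "bob", "Office Mart", date(2008, 3, 20), Decimal("2480.00")),
]

# Constructed vendor invoices: (invoice_id, vendor, vendor_invoice_no, amount)
INVOICES = [
    ("I1", "ACME Supply", "INV-1001", Decimal("500.00")),
    ("I2", "Acme Supply Inc.", "inv 1001", Decimal("500.00")),
    ("I3", "ACME Supply", "INV-1002", Decimal("750.00")),
]


def find_split_purchases(txns, single_limit=Decimal("2500.00"), window_days=2):
    """Flag groups of sub-limit charges by one cardholder at one merchant,
    posted within `window_days` of each other, whose total meets or exceeds
    the single-transaction limit (the classic split-purchase pattern).
    Returns (cardholder, merchant, txn_ids, total) tuples for reviewer follow-up."""
    by_key = defaultdict(list)
    for txn in txns:
        _txn_id, holder, merchant, _when, amount = txn
        if amount < single_limit:  # over-limit charges are already blocked/visible
            by_key[(holder, merchant)].append(txn)

    findings = []
    for (holder, merchant), group in by_key.items():
        group.sort(key=lambda t: t[3])  # chronological order for the sliding window
        for i, first in enumerate(group):
            window = [t for t in group[i:] if (t[3] - first[3]).days <= window_days]
            total = sum(t[4] for t in window)
            if len(window) >= 2 and total >= single_limit:
                findings.append((holder, merchant, tuple(t[0] for t in window), total))
                break  # one finding per cardholder/merchant pair is enough
    return findings


def _vendor_key(vendor):
    """Normalize a vendor name: lower-case, drop a trailing legal suffix
    (assumed list), strip punctuation and whitespace."""
    base = re.sub(r"\b(inc|llc|ltd|corp)\.?$", "", vendor.lower().strip())
    return re.sub(r"[^a-z0-9]", "", base)


def _number_key(number):
    """Normalize an invoice number so 'INV-1001' and 'inv 1001' collide."""
    return re.sub(r"[^a-z0-9]", "", number.lower())


def find_duplicate_invoices(invoices):
    """Group invoices by normalized (vendor, invoice number, amount) and
    return the id tuples of every group with more than one member."""
    seen = defaultdict(list)
    for inv_id, vendor, number, amount in invoices:
        seen[(_vendor_key(vendor), _number_key(number), amount)].append(inv_id)
    return [tuple(ids) for ids in seen.values() if len(ids) > 1]


if __name__ == "__main__":
    for holder, merchant, ids, total in find_split_purchases(CARD_TXNS):
        print(f"possible split purchase: {holder} at {merchant}: {ids} total {total}")
    for ids in find_duplicate_invoices(INVOICES):
        print(f"possible duplicate invoice: {ids}")
```

Both checks produce exceptions for a human reviewer rather than blocking payments outright; the normalization in the duplicate check is deliberately loose (it will also surface legitimate credit-and-rebill pairs), which is the usual trade-off between missed duplicates and reviewer workload.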
Public companies now can purchase systems that enable them to automate their close-to-file process, compiling their text and financial data from multiple systems to produce ready-to-file SEC 10-Ks, 10-Qs, and 8-Ks that incorporate eXtensible Business Reporting Language (XBRL) tags required by that agency's interactive data mandate. These systems save time and money and reduce the chance of errors in filing.
Some of the demand for governance and risk management software will also come from two other sources: from companies concluding that it is in their best interest to anticipate and monitor a greater scope of risks, and from changing rules and practices. For example, the shift from U.S. GAAP (Generally Accepted Accounting Principles) to International Financial Reporting Standards (IFRS) will have an impact on governance and controls because it moves from what has become a rules-based system to a principles-based approach. Ventana Research believes that the absence of specific rules will, somewhat paradoxically, put a premium on having software that can manage the governance and controls of financial systems to streamline and speed up internal and external audits.
That noted, we also think that pure compliance software will remain a largely tactical purchase because it needs to address the highly specialized needs of people in a specific part of a business. In most corporations, we expect that people will continue to get small budgets to fix small compliance problems, not overarching ones. Moreover, we expect compliance to remain funded at minimal, "good enough" levels in most companies.
We expect that the adoption of more strategic GRC software will take place over the next couple of years, transforming a three-letter acronym into a real product category. SOX and an increasingly risky world will continue to drive this; the continued expansion of the scope and use of enterprise systems will make it possible, as will the ever-increasing connectedness of corporations and the people who work in them. In the accompanying table, we list a selection of GRC software vendors and their products. An exhaustive listing, which we cannot undertake, would include all companies that offer software for document management, e-mail monitoring, spreadsheet auditing, business intelligence and analytics, and process management, as well as tools supporting Control Objectives for Information and related Technology (CobiT).

See a larger version of the accompanying table, "Turning IT Amps Into GRC Muscle" [1].
Links:
[1] http://businessfinancemag.com/files/misc_file/turning_it_amps_large.gif