[Photo: Sebastian Holst at Axentis]
So, what are companies that have to comply with SOX seeking from technology? “The number-one thing they want is relief from the way they dealt with this last year,” says Sebastian Holst, vice president of marketing at Axentis, a six-year-old, Cleveland, Ohio-based firm that licenses the risk-compliance management application Axentis Enterprise, which is used by more than 80 companies with average annual revenues of $11 billion. “They’re saying, ‘Give us a way to avoid the pain and uncertainty we muscled through last year,’” Holst says.
The pain came in the form of long hours for corporate financial officials, IT staff members and auditors. Most public companies approached SOX with manual processes, using simple spreadsheets and calling upon an army of people to document, test and re-test internal controls. It was expensive and time-consuming because the work was unstructured, started from scratch, unplanned and reactive, says Sanjay Srivastava, chief operating officer of San Mateo, California-based Aceva Technologies, which makes transaction-reconciliation software.
One company that went through the cumbersome SOX-compliance process last year was Loral Space & Communications, a New York-based satellite-communications company that generated more than $500 million in revenue in 2004. Loral used a manual process and passed its own compliance audit at the end of last year, well before the April 15 deadline for US public companies with a market capitalization of $75 million or more to comply with Section 404 of SOX. Having gone through that experience, the company is now moving to a non-manual solution. Barry Goldfeder, senior director, business controls, systems and processes, at Loral, says the company is in the process of certifying its first-quarter 2005 financials using automation. Specifically, Loral is using the Oracle Internal Controls Manager (OICM) application, which Oracle says is in use by about 300 companies.
Foreign companies and US-based firms with a market capitalization below $75 million were recently given a break. On March 2 the SEC extended to July 15, 2006, the deadline for these companies to meet the Section 404 requirements of SOX. That doesn’t mean companies should wait to get their acts together, vendors say. “I think many [foreign companies] learned from their US counterparts that this is not a 30-day enterprise. So they should start now in order to be ready in time,” says Neil Selvin, chief marketing officer with Approva, a Vienna, Virginia-based firm that sells the BizRights compliance-software platform, which has several dozen corporate customers, including General Motors and Siemens.
Even those companies that don’t start now will eventually realize the need for technology to ease compliance. “Automation is inevitable. That’s the only way you’ll be able to take control of all your activities and make sure you’re keeping up with the times,” says Goldfeder.
[Photo: Sanjay Srivastava of Aceva Technologies]
Automated software can replace manual efforts that might take hundreds of hours with as few as a couple of hours of analysis, says Approva’s Selvin. For example, a company might have a million purchase transactions in a month, and its internal auditors might spot-check about 50 of them to look for mistakes, inefficiencies or fraud. Approva’s software could monitor all 1 million of the transactions. “It’s about finding the needle in the haystack,” says Selvin.
To find weaknesses in their internal-control procedures and processes, companies need software with sophisticated reporting options that show where those weaknesses lie, such as risks not addressed by controls or financial-statement assertions not addressed by controls, says Katharina Reichert, specialist in application solution management for mySAP ERP at German software giant SAP, which introduced its Management of Internal Controls (MIC) product in the third quarter of 2004. More than 65 corporate customers are using MIC, according to Reichert.
An example of a financial assertion that could get a company in trouble is booking as revenue sales orders that end up not materializing. Software systems can automatically check the orders against purchase documents to find out, before the fact, whether the revenue is bookable. And when a company does identify a problem in its financial controls, it should be easy to configure the software system to bring it under control, avoiding the problem in the future.
Seamus Moran, director of accounting compliance applications development at Oracle and himself a former auditor, tells a story of one corporate customer that used OICM to identify about 400 instances of violating SOX’s segregation-of-duty requirement. For example, a database administrator correcting an invoice could be a violation because the accounting people should do it. When the customer used OICM to check processes and transactions against the list of staffers authorized to perform those functions, “they were automatically able to clean up the problem,” Moran says. “It made fixing it very easy.”
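The check Moran describes, comparing every transaction against the list of staff authorized to perform that function, can be sketched as follows. This is an added example, not OICM code or anything supplied by the vendors quoted; the user names, function names and transaction log are constructed, and the conflicting-pair rule is an assumption that goes slightly beyond the article's description.

```python
from collections import defaultdict

# Constructed authorization list: function -> staff allowed to perform it.
AUTHORIZED = {
    "correct_invoice": {"asmith", "bjones"},  # accounting staff
    "approve_payment": {"cmiller"},           # accounts-payable manager
    "create_vendor": {"dlee"},
}

# Assumed conflict rule: no single user may perform both functions
# on the same document.
CONFLICTS = [("correct_invoice", "approve_payment")]

# Constructed transaction log: (txn_id, user, function, document).
TRANSACTIONS = [
    ("T1", "asmith", "correct_invoice", "INV-100"),
    ("T2", "dba01", "correct_invoice", "INV-101"),   # DBA, not on the list
    ("T3", "cmiller", "approve_payment", "INV-100"),
    ("T4", "bjones", "correct_invoice", "INV-102"),
    ("T5", "bjones", "approve_payment", "INV-102"),  # unauthorized and conflicting
    ("T6", "dlee", "create_vendor", "VEN-7"),
]

def find_violations(transactions, authorized, conflicts):
    """Check every transaction, not a sample; return findings in log order."""
    findings = []
    done = defaultdict(set)  # (user, document) -> functions already performed
    for txn_id, user, function, document in transactions:
        # A function missing from the list has no authorized staff at all,
        # so anyone performing it is flagged.
        if user not in authorized.get(function, set()):
            findings.append((txn_id, "unauthorized", user, function))
        done[(user, document)].add(function)
        for a, b in conflicts:
            other = b if function == a else a if function == b else None
            if other is not None and other in done[(user, document)]:
                findings.append((txn_id, "sod_conflict", user, f"{other}+{function}"))
    return findings

if __name__ == "__main__":
    for finding in find_violations(TRANSACTIONS, AUTHORIZED, CONFLICTS):
        print(finding)
```
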