Software Offers Compliance Solutions
Companies are finding that software can help them rein in the high costs and disruption caused by complying with new regulations.
The government’s main instrument to promote corporate responsibility and prevent future Enron debacles, the Sarbanes-Oxley Act of 2002 (often dubbed SOX), has been much more costly and time-consuming than most companies expected. The thorniest component of the SOX law has been Section 404, which requires public companies to establish, maintain and document effective internal financial controls and get those controls approved by their outside auditors.
According to a recent Financial Executives International survey of 217 public companies with revenues averaging $5 billion, implementation of SOX Section 404 cost firms an average of almost $4.4 million in 2004—that’s nearly 40% more than companies had budgeted—and 94% of the survey respondents said the cost of compliance exceeded the benefits. Moreover, hundreds of publicly traded companies in recent weeks have delayed filing their annual reports with the US Securities and Exchange Commission as the firms struggle to prove the robustness of their internal controls. Many firms are turning to technology solutions, compliance-automation software in particular, to make it less painful to comply with the law in 2005 and beyond. AMR Research predicts that US companies will spend a total of $6.1 billion to manage SOX-compliance efforts in 2005, of which $1.7 billion is allocated for technology. That’s more than a 40% increase over tech spending on SOX in 2004.
Easing the Pain
So, what are companies that have to comply with SOX seeking from technology? “The number-one thing they want is relief from the way they dealt with this last year,” says Sebastian Holst, vice president of marketing at Axentis, a six-year-old, Cleveland, Ohio-based firm that licenses the risk-compliance management application Axentis Enterprise, which is used by more than 80 companies with average annual revenues of $11 billion. “They’re saying, ‘Give us a way to avoid the pain and uncertainty we muscled through last year,’” Holst says.
The pain came in the form of long hours for corporate financial officials, IT staff members and auditors. Most public companies approached SOX with manual processes, using simple spreadsheets and calling upon an army of people to document, test and re-test internal controls. It was expensive and time-consuming because it was all unstructured, unplanned and reactive work started from scratch, says Sanjay Srivastava, chief operating officer of San Mateo, California-based Aceva Technologies, which makes transaction-reconciliation software.
One company that went through the cumbersome SOX-compliance process last year was Loral Space & Communications, a New York-based satellite-communications company that generated more than $500 million in revenue in 2004. Loral used a manual process and passed its own compliance audit at the end of last year, well before the April 15 deadline for US public companies with a market capitalization of $75 million or more to comply with Section 404 of SOX. Having gone through that experience, the company is now moving to a non-manual solution. Barry Goldfeder, senior director, business controls, systems and processes, at Loral, says the company is in the process of certifying its first-quarter 2005 financials using automation. Specifically, Loral is using the Oracle Internal Controls Manager (OICM) application, which Oracle says is in use by about 300 companies.
Foreign companies and US-based firms with a market capitalization below $75 million were recently given a break. On March 2 the SEC extended to July 15, 2006, the deadline for these companies to meet the Section 404 requirements of SOX. That doesn’t mean companies should wait to get their acts together, vendors say. “I think many [foreign companies] learned from their US counterparts that this is not a 30-day enterprise. So they should start now in order to be ready in time,” says Neil Selvin, chief marketing officer with Approva, a Vienna, Virginia-based firm that sells the BizRights compliance-software platform, which has several dozen corporate customers, including General Motors and Siemens.
Even those companies that don’t start now will eventually realize the need for technology to ease compliance. “Automation is inevitable. That’s the only way you’ll be able to take control of all your activities and make sure you’re keeping up with the times,” says Goldfeder.
Automated software can replace manual efforts that might take hundreds of hours with as few as a couple of hours of analysis, says Approva’s Selvin. For example, a company might have a million purchase transactions in a month, and its internal auditors might spot-check about 50 of them to look for mistakes, inefficiencies or fraud. Approva’s software could monitor all 1 million of the transactions. “It’s about finding the needle in the haystack,” says Selvin.
Companies need software with sophisticated reporting options that help them identify where weaknesses exist in their internal-control procedures and processes, such as risks not addressed by controls or financial-statement assertions not addressed by controls, says Katharina Reichert, specialist in application solution management for mySAP ERP at German software giant SAP, which introduced its Management of Internal Controls (MIC) product in the third quarter of 2004. More than 65 corporate customers are using MIC, according to Reichert.
An example of a financial assertion that could get a company in trouble is booking as revenue sales orders that end up not materializing. Software systems can automatically check the orders against purchase documents to find out before the fact if it is bookable revenue. And when a company does identify a problem in its financial controls, it should be easy to configure the software system to bring it under control, avoiding the problem in the future.
Seamus Moran, director of accounting compliance applications development at Oracle and himself a former auditor, tells a story of one corporate customer that used OICM to identify about 400 instances of violating SOX’s segregation-of-duty requirement. For example, a database administrator correcting an invoice could be a violation because the accounting people should do it. When the customer used OICM to check processes and transactions against the list of staffers authorized to perform those functions, “they were automatically able to clean up the problem,” Moran says. “It made fixing it very easy.”
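The segregation-of-duty check described above, sketched as an added example (it is not Oracle's OICM code or any vendor's): every transaction is compared against the list of staff authorized for that function. It goes one step beyond the passage by also flagging one person performing two conflicting functions on the same document. All role names, function names, users and records are constructed for illustration.

```python
from collections import defaultdict

# Constructed authorization list: roles allowed to perform each function.
AUTHORIZED_ROLES = {
    "invoice.create": {"ap_clerk", "ap_supervisor"},
    "invoice.correct": {"ap_clerk", "ap_supervisor"},
    "payment.approve": {"ap_supervisor"},
}

# Constructed rule: functions one person must not combine on one document.
CONFLICTING = {frozenset({"invoice.create", "payment.approve"})}

# Constructed staff directory (user -> role) and transaction log.
STAFF = {"alice": "ap_clerk", "bob": "ap_supervisor", "dave": "dba"}
TRANSACTIONS = [
    ("INV-1001", "invoice.create", "alice"),
    ("INV-1001", "payment.approve", "bob"),
    ("INV-1002", "invoice.create", "alice"),
    ("INV-1002", "invoice.correct", "dave"),    # DBA editing an invoice
    ("INV-1002", "payment.approve", "bob"),
    ("INV-1003", "invoice.create", "bob"),
    ("INV-1003", "payment.approve", "bob"),     # same person creates and approves
    ("INV-1004", "invoice.correct", "temp7"),   # user missing from the directory
]


def find_violations(transactions, staff, authorized, conflicting):
    """Check every transaction, not a sample, and return the violations in log order."""
    violations = []
    seen = defaultdict(lambda: defaultdict(set))  # document -> user -> functions done
    for doc, function, user in transactions:
        role = staff.get(user)  # None for unknown users, which never matches a role
        if role not in authorized.get(function, set()):
            violations.append(("unauthorized", doc, user, function))
        for prior in sorted(seen[doc][user]):
            if frozenset({prior, function}) in conflicting:
                violations.append(("conflict", doc, user, f"{prior}+{function}"))
        seen[doc][user].add(function)
    return violations


if __name__ == "__main__":
    for violation in find_violations(TRANSACTIONS, STAFF, AUTHORIZED_ROLES, CONFLICTING):
        print(violation)
```

The conflict on INV-1003 passes the per-function authorization check, which is why the pairwise rule is evaluated separately from the role lookup.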
Broadening the Benefits
Vendors say that the benefits of putting in place automated financial controls extend far beyond Sarbanes-Oxley compliance. Just by going through the process, companies can manage business processes better, become more efficient, save money and comply with many other laws, such as the European counterparts to SOX. “I end up thinking hard about my business and what my common standards are, and that always saves me money,” says Oracle’s Moran.
Companies are clamoring for “a way to make my compliance effort pay off in some kind of competitive advantage for my business,” says Approva’s Selvin. Srivastava of Aceva Technologies echoes that thought. Aceva’s transaction-reconciliation application was first introduced about five years ago to help companies reduce the number of days of sales outstanding, before the company started transitioning the product into the SOX-compliance marketplace. “People get it for both. I don’t know of a single customer that has bought it for just one of these things,” Srivastava says.