Sarbanes-Oxley compliance may be a burden, but it's helping some companies improve operations at various levels
By Steven Marlin,
InformationWeek
To hear many company executives tell it, the Sarbanes-Oxley Act has been a monumental burden, sucking up time and resources without making their businesses more competitive.
At MasterCard International Inc., complying with Sarbanes-Oxley financial-reporting regulations required 45,000 staff hours of work provided by its consultant, Deloitte & Touche, and its external auditor, PricewaterhouseCoopers. "The cost has been overbearing," says Chris McWilton, CFO at the charge-card company with $2.6 billion in revenue.
 |
|
Automation reduces human error, MasterCard CFO McWilton says.
Photo by Ken Schles |
|
But MasterCard is trying to get something back from that investment. A post-mortem of its Sarbanes-Oxley compliance effort, looking at what worked and didn't work, found inconsistent documentation of financial controls, as well as ones that should have been automated. Among the lessons learned is that "standardization of processes minimizes the risk of misstatements on financial reports," McWilton says.
MasterCard isn't alone in trying to learn from its Sarbanes-Oxley experience. Nextel Communications Inc. found it needed to do a better job controlling employee access to sensitive data and IT systems. And United Technologies Inc. discovered that it wasn't
making full use of the financial controls built into its enterprise-resource-planning systems.
U.S. companies are expected to shell out $6.1 billion this year alone for the manpower, IT, and consulting services they need to comply with Sarbanes-Oxley, according to AMR Research. The Securities and Exchange Commission estimates that companies collectively spend nearly 5.4 million staff hours each year implementing Sarbanes-Oxley's section 404--the part of the federal legislation that deals with financial-reporting controls. No wonder Sun Microsystems CEO Scott McNealy in 2003 likened Sarbanes-Oxley to throwing "buckets of sand into the gears of the market economy."
Sarbanes-Oxley, which took effect late last year, was designed to improve the quality of financial reporting and restore confidence in financial statements in the wake of the Enron and WorldCom accounting scandals. Certainly, it has been a headache for some businesses. Major companies, such as SunTrust Banks, Eastman Kodak, and Toys "R" Us, already have reported accounting problems that may preclude issuing a statement in their 2004 annual reports attesting to the effectiveness of internal financial-reporting controls as required by the law. If the companies don't address problems in a timely manner, they could face SEC enforcement actions.
Forward-looking companies see Sarbanes-Oxley compliance as an opportunity to identify and implement business-process improvements, AMR Research analyst John Hagerty says. "They're using compliance initiatives to drive business improvement and achieve greater profitability." At Nextel Communications, which is merging with Sprint Corp., the compliance process "began as an administrative task but has evolved into a basis for achieving competitive advantage," says Michael Bryan, who until leaving the company last week was Nextel's director of IT governance.
While working through the steps to comply with Sarbanes-Oxley, Nextel managers discovered they needed to pay more attention to how employees were given access to sensitive data and programs. Although Nextel had created written access-control policies, they were enforced haphazardly, if at all. The company installed Thor Technologies Inc.'s Xellerate Identity Manager system to automate the management of Nextel's 90,000 user identities. "When someone asks for an audit trail of access privileges, the relevant documentation is contained in the Thor system," Bryan says.
Access to programs and data is one of the major IT controls mandated by the Public Company Accounting Oversight Board, a private, nonprofit body that sets auditing standards for Sarbanes-Oxley. Other controls include monitoring computer operations, software development, and software change management.
Companies are finding that beyond complying with Sarbanes-Oxley, automating access controls helps enforce information security policies, such as limiting access to sensitive data to authorized users, according to a February report from the Aberdeen Group market-research firm that examined the Sarbanes-Oxley compliance efforts of 40 companies. And information security and access control are going to become increasingly vital for compliance, not only for Sarbanes-Oxley but for the Health Insurance Portability and Accountability Act and other regulations. As information security and access control become more important, they're being transformed from a set of ad hoc activities into coordinated business processes.
Brightpoint Inc., which provides outsourced manufacturing, logistics management, and marketing services such as Web-site management to wireless phone companies, spent about $3 million last year on Sarbanes-Oxley compliance. The company has gained peace of mind that it had the necessary financial controls in place for complying with Sarbanes-Oxley, CFO and executive VP Frank Terence says. But working through the compliance process also uncovered areas where business processes needed to be improved, particularly IT change-management processes and procedures used to control access to critical software programs and data.
"We needed to strengthen processes for requesting, developing, approving, and testing" programming changes, such as the frequency with which a customer's Web site gets updated, Terence says.
Access-rights management, such as controlling which employees have access to Web content, is especially hard to enforce across a global company in which each division has its own IT organization, Terence says. Brightpoint plans to implement systems that automate its change-management and access-control processes.
Working through the compliance process has even convinced Brightpoint to accelerate efforts to hire its first corporate CIO, originally planned for later this year. "The CIO will play a critical role since so much of section 404 compliance navigates through the IT infrastructure," Terence says.
Financial controls, as defined by the Committee of Sponsoring Organizations, a nonprofit organization of auditing firms, encompass more than just financial reporting. They also address operational effectiveness and efficiency--ensuring that management identifies and analyzes risks to achieving predetermined objectives, for instance--in addition to compliance with laws and regulations. So effective financial controls developed to comply with Sarbanes-Oxley also can be leveraged to improve business performance.
MasterCard is trying to leverage the work it has done for Sarbanes-Oxley into a broader-based enterprise risk-management initiative, CFO McWilton says. Sarbanes-Oxley "focuses on only one slice of a company's risk profile," the one associated with financial reporting, he says. "But companies deal with a broader range of risks, many of them operational in nature."
Under Sarbanes-Oxley, a bank needs to test controls for ensuring that it has adequate reserves set aside to cover bad loans. But the bank also needs to examine its operational practices, such as credit or collections, associated with lending. "It needs to understand what caused the bad loans to begin with," McWilton says. The company is "also looking at making greater use of technology, particularly in user provisioning, to track who has access to what," he says.
MasterCard developed an in-house database to collect and track documentation and testing information on more than 1,000 key financial controls. "We found areas for improvement," McWilton says. For example, in one financial process, fixed-asset reporting, MasterCard discovered that controls were being performed manually despite the fact that its Oracle 11i financial-reporting system had the controls built in. "Any time you can automate something, you take the human element out of it. You're reducing the chance for error," McWilton says.
|
 |
United Technologies is making compliance with Sarbanes-Oxley regulations part of its continuous-improvement effort, VP Haberland says.
Photo by Mark Ostow |
|
United Technologies is another company that discovered through its compliance-assessment process that its IT systems had automated capabilities of which the company wasn't taking advantage. During the documentation phase of the assessment, United Technologies learned that its ERP systems from J.D. Edwards, Oracle, and SAP had built-in controls, such as one that checks that the information on an invoice matches up with a purchase order. But the company wasn't using them. "We're making a greater push to rely on automated controls," says Jay Haberland, VP of business controls.
Automating controls needed for Sarbanes-Oxley compliance can result in improved business and financial operations, fewer financial errors, and reduced potential for fraud, according to the Aberdeen Group report.
Some companies are finding the software tools used to comply with Sarbanes-Oxley can have unexpected benefits. York International Corp., a global $4 billion-a-year supplier of heating, ventilation, air-conditioning, and refrigeration systems, tapped PeriscopeIQ's PeriscopeSox risk-assessment and -management tool to survey some 85 business managers around the world to ensure that they had the technology, accounting systems, and other resources needed for compliance.
The survey responses were translated into a map that let York International's CEO and top executives view the results at corporate, regional, group, and individual-manager levels. Sarbanes-Oxley compliance was the goal, but the executives discovered the survey metrics provided them with a view of which operations weren't running effectively, says Ian Howells, York's director of Sarbanes-Oxley compliance. The PeriscopeSox tool has provided York International with "a business-excellence tool that helps us identify and address issues more efficiently," Howells says.
The survey also has brought a sense of unity to a company that's sprawled out over 125 countries, Howells says. And the process of developing a standard way of documenting and testing financial-reporting controls has led to standardization in other accounting processes and policies. "That shift would have taken much longer if it hadn't been for Sarbanes-Oxley," Howells says.
United Technologies is making Sarbanes-Oxley compliance a part of its "Achieving Competitive Excellence" continuous-improvement effort. "There are a lot of parallels between the goals and methods employed in both Sarbanes-Oxley compliance and continuous-improvement programs," Haberland says.
THE UPSHOT
Companies will spend more than $6 billion on Sarbanes-Oxley compliance this year alone
Many companies say the cost of compliance so far exceeds its value, but others say they've learned important lessons about automating controls and improving processes
For those companies, benefits include increased security, more standardization in other policies, improved use of software, and even competitive advantages
|
|
|
|
Sometimes tools that aren't explicitly related to compliance have worked in companies' favor as they attempted to meet Sarbanes-Oxley mandates. Syngenta Crop Protection Inc., an agri-chemical producer with $3 billion in annual revenue, realized that cash receivables software it installed from Emagia Corp. in May 2003, a full 18 months before Sarbanes-Oxley's section 404 went into effect, would also strengthen the company's internal controls and reduce the cost of compliance.
In addition to improving cash flow, the software automatically reviews each of Syngenta's more than 5,000 customer accounts and performs risk scoring, which is the basis for making credit-granting decisions. The software helps satisfy compliance with Sarbanes-Oxley internal-controls requirements pertaining to accounting, such as maintaining audit trails for credit-granting decisions and documenting that credit policies are in place and being followed.
"Sarbanes-Oxley requires that you have a policy and that it's being followed consistently," says Bert McCuiston, head of credit, receivables, and cash management at Syngenta. By continuously monitoring all of Syngenta's accounts, the Emagia software has made Sarbanes-Oxley compliance a "piece of cake," he says. Instead of McCuiston having to gather stacks of customer statements and present them to company auditors on a weekly or monthly basis, the software does the work for him.
Still, with the need to devote so much time and resources to complying with Sarbanes-Oxley, you won't find many companies that truly can say the benefits outweigh the costs. Although compliance may one day have a transformational impact on MasterCard, for the moment, "the cost of that transformation exceeds the value," McWilton says.
And some companies have been so absorbed in meeting Sarbanes-Oxley's requirements that they haven't had time to consider whether the work might be a catalyst for business-process changes.
|
 |
AGL used consultants, staff, and auditors for compliance, Lepionka says. |
|
That's the situation at AGL Resources Inc., an energy-services holding company that has spent $4 million on internal staff, consultants, and external auditors for Sarbanes-Oxley tasks. "Most companies in 2004 were more worried about getting in compliance," says Ron Lepionka, AGL's chief auditor. The company has implemented business-process-management software from Oversight Systems Inc. to test its entire population of procure-to-pay transactions to pinpoint possible errors or fraud and plans to use that as part of its Sarbanes-Oxley compliance efforts this year. It's also designing new tests of its internal controls. "In 2005, many companies will start looking at improving processes and automating controls," Lepionka says.
The sooner the better, says Steve Hill, national partner in charge of risk-advisory services at accounting services firm KPMG LLP. By incorporating financial controls and other Sarbanes-Oxley-inspired processes and technologies sooner rather than later in planning decisions, companies will be both more efficient and effective, he says.
"Five years from now," Hill predicts, "people will look back at their compliance initiatives as a catalyst for business improvement."
