Welcome to the new, post-Sarbanes-Oxley corporate America. As U.S. companies face deadlines for conforming with the act, a picture is beginning to emerge of what the Sarbanes-compliant company will look like, and how its technology, operations, networks and databases will be affected by the legislation. Ironically, Crown Media's financial controls application, while quite simple, is well ahead of the curve. Most businesses, scrambling this year to satisfy the law's Section 404 (which requires companies to issue a management report, signed by their outside auditor, attesting that they have adequate controls on their financial systems to protect against fraud and sabotage), have not turned to new technology to monitor financial operations. Instead, they're making do with the systems they have, cataloguing processes as best they can, closing loopholes and potential security breaches manually, and putting off the distraction of major technological fixes.
"Companies don't need technology to meet the standards in Section 404," says Stan Lepeak, vice president of professional services strategies at META Group Inc. "Most organizations have already invested in ERP and financial management software, and right now they're trying to figure out how to use what they've got to suit Sarbanes-Oxley. It's a lot of nuts-and-bolts activity."
Each company's experience with Sarbanes-Oxley compliance, and the technology used to meet the legislation's demands, will depend upon the particular DNA of the organization. Companies with uncomplicated business models (Chiquita Brands International, a $2.6 billion fruit company with one basic product line and very little inventory, comes to mind) could probably get along by implementing simple audit controls over financial processes, avoiding an all-out monitoring system that tracks every individual piece of financial data throughout the system. By contrast, a company that thrives on acquisitions (Cisco Systems Inc., for example, which has acquired about a dozen companies in the past two and a half years) would need a transparent tracking system to ensure that the financial data from each of its new partners is integrated with the company's existing corporate files, with no leakage into renegade applications that could be used to alter and pollute quarterly numbers.
Section 302: Requires the CEO and CFO to certify that the content of quarterly and annual SEC filings is accurate and the controls that the company has designed to meet its periodic disclosure obligations are sufficient.
Requires companies to provide a one-time internal control report to attest to the integrity of their processes for handling corporate financial-related data, and to stipulate that these processes are safeguarded from fraud and sabotage.
Requires companies to disclose in "real time" material events and financial-related information.
Requires companies to store in an accessible fashion audit documents and other financial-related data.
Corporate culture, set by management, is another key consideration driving the type of technology and internal processes companies adopt over the next few years to respond to Sarbanes-Oxley. Companies with CEOs who persistently view new technology as an opportunity to improve productivity and enhance the use of data as a strategic edge are more likely to take risks with Sarbanes-Oxley applications in hopes that they produce ancillary benefits. As a result, say experts, the Sarbanes-Oxley bell curve is made up of about 10 percent to 20 percent early adopters, like Crown Media, who are already implementing aggressive compliance systems; 60 percent to 70 percent pragmatists, who are slowly scoping out their compliance needs and will make their technology decisions in the next 24 to 36 months; and about 10 percent skeptics, who would prefer to use existing technology to improve controls or whose business models are simple enough not to require an ambitious compliance effort.
"Any decision you make about Sarbanes-Oxley compliance technology, you'll have to live with it for at least three years," says Vani Kola, CEO of Nth Orbit Inc., a maker of corporate governance software. "That's about the time frame when all technologies, architectures and applications go through a significant revision. So you need to map out what you know about your business now and for the immediate future to determine your compliance technology requirements. That can range from a lot to a little, or almost nothing."
Sarbanes-Oxley may be just the first of a series of regulatory mandates that federal agencies produce over the next few years to manage the darker side of business behavior. In addition to increased financial disclosure, new health and safety requirements, environmental standards, recycling guidelines and security and encryption rules are likely to leave companies aiming at a constantly moving compliance target. So viewing Sarbanes-Oxley as part of a larger company-wide effort to question the ethics and attitudes that underlie operations throughout the organization could be the most apt strategy.
"Regulation is determining what is good for society in more and more aspects of business behavior," says John Parkinson, chief technologist for the Americas at consultants Capgemini. "Companies need what we call a compliance services model to address this new reality. This model says here are the regulatory rules that I have to meet, or will have to meet, and here's how I automate these rules to demonstrate that I met the standards."
Among the applications Parkinson sees as a part of the compliance services model are digital rights management programs that monitor content for copyright and identity protection; software that reads binary code as it is running to ensure that programs written by third parties conform to specifications; and pollution control systems that monitor factory waste output second by second.