Sarbanes-Oxley: Road to Compliance - Page 4

IT cant shy away from playing an important role in compliance. Yet a recent Hackett Group survey indicates that more than 50 percent of public companies arent getting IT involved in the process.

"IT can be a huge, huge enabler," said Scott Holland, senior director at the Hackett Group, an Answerthink Inc. company. "Technology and processes need to be in the same room. One cannot be successful without the other."

Hackett analyst David Oppenheim said Sarbanes-Oxley could make the public company CIO a "superstar."

"Having an understanding of what different technologies are in an organization and how theyre connected to each other is critical to the analysis associated with Sarbanes-Oxley compliance," said Oppenheim in Philadelphia. "The business users may think they understand the system, but thats a false sense of security."

IT is heavily involved in the Section 404 compliance process at Volt, according to Groberg.

As part of the compliance process, Volt IT personnel needed to document security and application access as well as know when the companys PeopleSoft Inc. financial system is not functioning properly. IT works closely with financial and operational personnel, Groberg said. "They look to you to give them what they need to do their job."

At Boise Cascade, IT was first actively involved in screening companies with Sarbanes-Oxley compliance offerings, based on Boise Cascades specifications, Martin said.

As part of the compliance initiative, IT was then given ownership of certain business processes involving design, testing and implementation of software so that all software applications involved in compliance are running as they were intended to, Martin said. "The internal auditors test the financial controls and the IT auditors test the IT controls," he said.

Like Viasys, commercial real estate developer The Rouse Company consolidated its financial planning applications. But instead of Cartesis, the company turned to SRC Software Inc. and its SRC Budgeting product.

Breaking it down

The average billion-dollar public company ...

  • Manages 48 disparate financial systems
  • Manages 2.7 enterprise resource planning systems
  • Uses stand-alone spreadsheets for financial reporting (47 percent)

Robert Edwards, vice president and CIO at Rouse, said the consolidation ensured the companys finance software was easier to administer and organize around a set of common business rules, which helps in the compliance process.

"We have less gaps in our Sarbanes-Oxley process, so theres less of a chance well have a compliance issue because someone didnt understand the disparity of systems," said Edwards, in Columbia, Md.

Edwards agreed that Sarbanes-Oxley compliance was costly, although he declined to discuss how much Rouse was spending on compliance efforts. However, he said he expects Rouse to realize benefits in the long term.

"We think a lot of the upside will be long-term, not an immediate payback," Edwards said. "The long-term effect should be that we produce higher-quality business processes throughout the organization with higher-level awareness and controls."

Ultimately, the Sarbanes-Oxley Act will change the way the business world works, for the better, Edwards said.

"Companies will have higher-quality staff, automation and processes," he said.

There could, however, be casualties along the way. While smaller-cap companies will have longer to comply, they are otherwise bound by the same standards as larger companies. Edwards said he is not sure thats the right way to go and predicted that Sarbanes-Oxley could drive many smaller public companies out of business or at least into the arms of private financiers.

"If you have to pony up $1 million a year in ongoing compliance costs, and youre only making $100 million a year, thats a lot of money to spend on a non-revenue-generating activity," Edwards said.

The Hackett Group, of Atlanta, predicts costs of annual compliance at most companies will be in the range of $5 million to $7 million.

While Rouses IT department is heavily involved in Sarbanes-Oxley compliance, Edwards stressed that all departments in an organization need to take ownership of business processes for compliance to succeed. He advocated that each department have its own compliance team leader to oversee department-level compliance efforts.

"If companies are just getting their accounting department or auditors involved, then I can guarantee you theyll have an opinion rendered against them," Edwards said.

"Sarbanes-Oxley compliance is a lot like Six Sigma or TQM [total quality management], where everyone in the organization has to be aware and own their own processes," he said.

(Editors note: This story has been changed since its original posting to more accurately reflect the cost of Sarbanes-Oxley compliance to Boise Cascade. regrets the earlier error.)