SarbOx: The Next Generation
By now, most large companies have had to comply with Section 404 of the Sarbanes-Oxley Act, which mandates that chief executives certify that their companies have controls in place to ensure the accuracy of financial reporting. To achieve initial compliance, IT departments typically worked with auditors to activate application controls within enterprise resource planning packages such as those from SAP AG, Oracle Corp. and its PeopleSoft unit for Section 404 compliance.
In general, software control points are based on the COSO (The Committee of Sponsoring Organizations of the Treadway Commission) framework, created prior to passage of SarbOx to help identify where controls should be placed. However, it took the Sarbanes-Oxley Act of 2002 to spur widespread adoption of these guidelines.
Because the Section 404 obligation is annual, it behooves companies to handle the yearly chore as efficiently as possible. As a result, vendors are pitching products that improve compliance efficiency by adding real-time capabilities.
"I was flabbergasted at how much money we were spending on Sarbanes-Oxley compliance with no real return on investment," said Richard Lanza, who left his former company, which he declined to name, to start Cash Recovery Partners LLC, a consultancy in Lake Hopatcong, N.J.
"If these controls are manual, theyre the most expensive and risky you can have. But if you automate that process, its sustainable and the cost is a fraction," said Doug Laird, senior vice president of marketing at Virsa Systems Inc., in Fremont, Calif. Virsa is a vendor of real-time compliance software that works with SAPs enterprise resource planning, or ERP, software.
In a manual process, Lanza said, an auditor will work hands-on with a word processing or spreadsheet application, interview staff members, check control points, test processes, and pull invoices. "Its extremely time-consuming," he said. "Processes dont change much, so you can automate the testing."
"If you were actually to assess one year later, an enormous amount of money has been spent and an enormous amount of money wasted. After the painful period of original assessment is over, we believe very firmly that organizations will be operating much more efficiently," said Robert Williams, CEO of Manakoa Services Corp., in Kennewick, Wash., a 1-year-old startup thats seeking a niche in compliance optimization with four products that are geared not only at SarbOx but also at HIPAA (Health Insurance Portability and Accountability Act), Basel 2 and the GLBA (Gramm-Leach-Bliley Act).
Manakoa intends to sell its products through solutions providers. "They bring an end-to-end solution to the table, establishing a compliance program in an ongoing alerting process. The Manakoa suite ... plugs into [Microsoft Corp.s] MOM framework for automated alerting," said Jason McGregor, chief operating officer of Interlink Group Inc., of Englewood, Colo.
Harald Will, president and CEO of auditing software maker ACL Services Ltd., in Vancouver, British Columbia, expressed a similar view. "Companies need to reduce staff time and testing for internal controls," Will said. "The manual [work] involved in reviewing and testing ... is taking up a huge amount of time."
Capable of supporting compliance with HIPAA, the USA Patriot Act and other measures, ACLs software is geared toward business improvement and does offer a return, Will said. "Everywhere weve put this technology in place, it pays for itself in a matter of months," Will said. "This is about running a better business, and its about cost recovery."
Actually realizing that value from automation investments may take a leap of faith, and patience. Virsas Laird said he knows of no customers that have gotten business value to this point in their SarbOx compliance efforts, but, he promised, "Once people begin to bake this compliance layer into their business processes, theyll see a significant reduction in their costs."
Laird said Virsas Continuous Compliance software works within an ERP system to stop violations of business control procedures in real time. That is more efficient than checking for violations after the fact and can prevent problems from being introduced into systems, Laird said.
The price for Virsas software, which is sold by SAP, varies with the number of users; typical installations at large companies cost $300,000 to $500,000, according to Laird. The company plans to introduce versions of its products to work with Oracle and PeopleSoft applications in the future.
Check out eWEEK.coms for the latest news, commentary and analysis on regulatory compliance.