Sarbanes-Oxley: Road to Compliance
As the initial June deadline for complying with the Sarbanes-Oxley Act nears, publicly traded companies across the United States are scurrying to deploy software packages that will put them in compliance.
Not surprisingly, IT departments view the act as an opportunity to show their impact on the company's bottom line by helping forge tighter links between business processes and technology. However, the compliance process is turning out to be more costly and time-consuming than originally expected, and in many cases, according to at least one study, companies are not turning to their IT departments to manage compliance.
The law, officially known as the Public Company Accounting Reform and Investor Protection Act and enacted in July 2002, requires companies to make new disclosures on internal controls, ethics codes and the makeup of their audit committees on annual reports.
The act is better known by its nickname, after its co-sponsors, Sen. Paul Sarbanes, D-Md., and Rep. Michael Oxley, R-Ohio, who chair the House-Senate conference committee meeting on corporate accounting reform. The initial phase of the act focuses on Section 404, which requires companies to perform a self-assessment of risks for business processes that affect financial reporting.
Public companies with market capitalizations of $75 million or more must be in compliance with Section 404 for their fiscal year ending on or after June 15. Smaller companies have until the fiscal year ending on or after April 15, 2005, to comply.
But according to several large companies embroiled in the process, compliance isn't turning out to be quick or cheap.
Tom Martin, audit operations manager for Boise Cascade Corp., in Boise, Idaho, said his company has yet to determine how much it will spend on Sarbanes-Oxley compliance, but estimates it will include 20,000 auditor-hours this year, after recording 17,000 auditor-hours on Sarbanes-Oxley compliance last year.
"We should be in compliance by the end of the year," Martin said. "Then we'll have to do it all again next year."
Boise Cascade began an implementation of Movaris Inc.'s Certainty product late last year to build a repository of accounting controls that share the same framework across the company's multiple divisions.
"We have to have a description of our controls and evaluate our controls on an ongoing basis and be sure they're in place and work," Martin said. "We needed something that could be accessible throughout the U.S. and the world. And we knew we needed a Web-based system, something that was very easy to use, since folks would only be doing it once a year."
To Martin, Sarbanes-Oxley compliance is a five-phase project: planning; scoping, which is determining what's material to the company and needs to be documented; looking for information gaps; and implementation, evaluation and monitoring.
Boise Cascade is now in the implementation, evaluation and monitoring phase and expects to be audit-ready by Sept. 30, Martin said. The company is doing a pilot project at its distribution centers, then will roll out Certainty to its other business units.
"The product has enabled us to look at our controls environment in one package," Martin said. "We knew our controls were similar, but not the same, so we look for opportunities to standardize the process."
Forming a central repository of documented controls for multiple business units is also the task at hand at Volt Information Sciences Inc. The New York-based company needs uniform, complete documenting of controls, business processes and risks, according to its chief financial officer and senior vice president, James Groberg.
"The basic task may not be that difficult, but it's extraordinarily difficult if you have many business units," said Groberg. "We need to be able to get at [the controls] quickly in a format the business units themselves can understand. We want an audit trail."
Volt is using OpenPages Inc.'s Sarbanes-Oxley Express product to build its controls repository. Groberg agreed that the process was expensive but described it as a "wake-up call," one that his company could benefit from in the long run.
"[Section] 404 [compliance] is extremely difficult and very expensive, but in the long run, it's a benefit for the management of the company," Groberg said. "We'll be more certain that we have the internal controls in place that we need to have so we'll avoid the costs of finding errors."
Having the right financial controls in place is nothing new at Volt and most other companies, Groberg said.
"We've always had these controls in place," he said. "It's a question of organizing them properly so that we have a better monitoring overview from the management standpoint and can prove to the public that we have the controls in place that can prevent a material misstatement."
Sarbanes-Oxley compliance requires more than just a new documentation system.
John Imperato, vice president of finance at Viasys Health Care Inc., saw compliance as an opportunity to get a standardized financial reporting system in place at his company's multiple business units. Until recently, each unit had its own reporting system, with nonstandard processes and consolidations done manually by e-mailing Microsoft Corp.'s Excel spreadsheets back and forth.
Viasys is now in the final stages of implementing Cartesis Inc.'s Magnitude financial reporting software companywide for internal and external reporting.
"The same general product categories [at different business units] did not update together," said Imperato. "Every one of the companies had their own reporting systems."
With Magnitude deployed throughout the company, all accounting systems update at the same time and link to a central consolidation system, Imperato said. Magnitude also allows Viasys to drill down into reports to get general ledger and sales information on specific products.
"Compliance was a big issue, but there were management issues as well," Imperato said. "Now we'll have a lot more confidence that our information and numbers are complete and accurate."
At Viasys and other companies, Sarbanes-Oxley compliance is spearheaded by and is the ultimate responsibility of the finance department. But as the examples illustrate, compliance ties into typical IT department challenges, such as application and data integration, particularly when different divisions and companies are involved.
IT can't shy away from playing an important role in compliance. Yet a recent Hackett Group survey indicates that more than 50 percent of public companies aren't getting IT involved in the process.
"IT can be a huge, huge enabler," said Scott Holland, senior director at the Hackett Group, an Answerthink Inc. company. "Technology and processes need to be in the same room. One cannot be successful without the other."
Hackett analyst David Oppenheim said Sarbanes-Oxley could make the public company CIO a "superstar."
"Having an understanding of what different technologies are in an organization and how they're connected to each other is critical to the analysis associated with Sarbanes-Oxley compliance," said Oppenheim in Philadelphia. "The business users may think they understand the system, but that's a false sense of security."
IT is heavily involved in the Section 404 compliance process at Volt, according to Groberg.
As part of the compliance process, Volt IT personnel needed to document security and application access as well as know when the company's PeopleSoft Inc. financial system is not functioning properly. IT works closely with financial and operational personnel, Groberg said. "They look to you to give them what they need to do their job."
At Boise Cascade, IT was first actively involved in screening companies with Sarbanes-Oxley compliance offerings, based on Boise Cascade's specifications, Martin said.
As part of the compliance initiative, IT was then given ownership of certain business processes involving design, testing and implementation of software so that all software applications involved in compliance are running as they were intended to, Martin said. "The internal auditors test the financial controls and the IT auditors test the IT controls," he said.
Like Viasys, commercial real estate developer The Rouse Company consolidated its financial planning applications. But instead of Cartesis, the company turned to SRC Software Inc. and its SRC Budgeting product.
Robert Edwards, vice president and CIO at Rouse, said the consolidation ensured the company's finance software was easier to administer and organize around a set of common business rules, which helps in the compliance process.
"We have less gaps in our Sarbanes-Oxley process, so there's less of a chance we'll have a compliance issue because someone didn't understand the disparity of systems," said Edwards, in Columbia, Md.
Edwards agreed that Sarbanes-Oxley compliance was costly, although he declined to discuss how much Rouse was spending on compliance efforts. However, he said he expects Rouse to realize benefits in the long term.
"We think a lot of the upside will be long-term, not an immediate payback," Edwards said. "The long-term effect should be that we produce higher-quality business processes throughout the organization with higher-level awareness and controls."
Ultimately, the Sarbanes-Oxley Act will change the way the business world works, for the better, Edwards said.
"Companies will have higher-quality staff, automation and processes," he said.
There could, however, be casualties along the way. While smaller-cap companies will have longer to comply, they are otherwise bound by the same standards as larger companies. Edwards said he is not sure that's the right way to go and predicted that Sarbanes-Oxley could drive many smaller public companies out of business or at least into the arms of private financiers.
"If you have to pony up $1 million a year in ongoing compliance costs, and you're only making $100 million a year, that's a lot of money to spend on a non-revenue-generating activity," Edwards said.
The Hackett Group, of Atlanta, predicts costs of annual compliance at most companies will be in the range of $5 million to $7 million.
While Rouse's IT department is heavily involved in Sarbanes-Oxley compliance, Edwards stressed that all departments in an organization need to take ownership of business processes for compliance to succeed. He advocated that each department have its own compliance team leader to oversee department-level compliance efforts.
"If companies are just getting their accounting department or auditors involved, then I can guarantee you they'll have an opinion rendered against them," Edwards said.
"Sarbanes-Oxley compliance is a lot like Six Sigma or TQM [total quality management], where everyone in the organization has to be aware and own their own processes," he said.
(Editor's note: This story has been changed since its original posting to more accurately reflect the cost of Sarbanes-Oxley compliance to Boise Cascade. eWEEK.com regrets the earlier error.)