U.S. public companies have been paying for the financial scandals at Enron Corp., Global Crossing Ltd. and WorldCom Inc. for months—and another large bill is about to come due.
The Sarbanes-Oxley Act, enacted last year in response to Enron, et al., requires companies to make new disclosures on internal controls, ethics codes and the makeup of their audit committees on annual reports. The requirements will challenge IT managers with a Y2K-like task that AMR Research Inc., in Boston, estimates will cost as much as $2.5 billion.
Of particular interest is Section 404 of Sarbanes-Oxley, which requires companies to perform a self-assessment of risks for business processes that affect financial reporting.
Last week, the Securities and Exchange Commission—which is charged with enforcing the act—voted unanimously to adopt the rule and form amendments to implement Section 404 requirements so that publicly traded companies with a market capitalization of $75 million or more will have to comply with these regulations for fiscal years ending on or after June 15, 2004. Smaller businesses and foreign-owned companies have until the fiscal year ending on or after April 15, 2005, to comply.
The requirements are forcing companies to be more thorough about ensuring the validity of their financial numbers and documenting internal controls and procedures used to arrive at those numbers.
Some IT managers are nervous.
“I don’t think we as an IT organization understand everything we need to do … what has to happen or what will be tracked by these tools,” said Gary Bronson, director of IT enterprise operations at Washington Group International Inc., in Boise, Idaho, and an eWEEK Corporate Partner. “Last month, our [chief financial officer] addressed the leadership of the IT organization to say, ‘Here’s what Sarbanes-Oxley means to us in laymen’s terms: I go to jail if this information is not accurate or if anything is inappropriate.’ The message is clear: We need to do everything necessary to keep our CFO and CEO out of jail.
“That’s what’s scary about this,” Bronson said. “It’s an aftermath of Enron. Government comes in, shoots from the hip and tries to cover everything in one fell swoop. It’s probably pretty open-ended.”
WGI, a construction and engineering company, is still working with its accounting team to decipher the Sarbanes-Oxley requirements and has appointed a vice president whose sole responsibility is to head the company’s compliance efforts.
The good news for technology managers is that there are several solutions available to meet these requirements and that more are on the way.
Last week, Oracle Corp., of Redwood Shores, Calif., announced its Internal Controls Manager, developed in consultation with PricewaterhouseCoopers, to help companies document and test internal controls and monitor ongoing compliance, using Oracle Workflow, a process-modeling tool built into Oracle E-Business Suite.
Nth Orbit Inc., a San Jose, Calif., start-up launched to help companies tackle Sarbanes-Oxley, last week announced its flagship product, Certus, which can design, document and implement internal and disclosure controls as well as certify and monitor compliance and perform routine assessments of compliance.
HandySoft Corp. and Plumtree Software Inc. last week announced Sarbanes-Oxley Accelerator, which combines business process management and portal software to create a platform for customers to establish internal controls and reporting procedures, while supporting collaboration with auditors and board members and building best practices for the collection and reporting of financial data.
To make financial data more uniform and easier to handle, some enterprises and their software vendors are beginning to use the Extensible Business Reporting Language data format, which was developed for financial reporting.
While Sarbanes-Oxley is imposing financial and manpower constraints on corporations, executives are finding that it’s enforcing good business practices and validating initiatives already in place.
“It’s something we’ve always done anyway—we’re just doing it a little bit differently now and doing it sooner,” said Irving Tyler, CIO of Quaker Chemical Corp., in Conshohocken, Pa. “It’s not a system change; it’s a process change.”
Tyler, a certified public accountant, said giving management better views of information and putting better controls in place is essential to making companies’ business processes more cost-effective.
“This isn’t unique because of Sarbanes-Oxley,” said Tyler. “We would have done this anyway. All of our systems are in compliance—they always have been. It’s just a matter of going through the review process.”
To help with its reporting, Owens-Illinois Inc., of Toledo, Ohio, has turned to Hyperion Solutions Corp.’s Financial Management product to do its financial consolidations and reporting, replacing an unwieldy home-grown system, said Vice President and CIO Earl Newsome.
Newsome said he regards Sarbanes-Oxley as an opportunity to improve financial processes and make sure they conform with management’s intent. “We want to use Sarbanes-Oxley as a leverage point to do process improvement,” he said.
Quaker Chemical has turned to SAS Institute Inc.’s business analytics applications to achieve similar goals. “Business analytics helps us manage the company more intelligently and make sure everyone’s following the strategy and the business processes,” said Tyler.
Another key system for Sarbanes-Oxley compliance is Quaker Chemical’s knowledge management system, developed by Intraspect Software Inc., which stores documented business practices, processes and intellectual property, key to any compliance report.
Owens-Illinois uses software from FileNet Corp. for similar purposes. Newsome compared Sarbanes-Oxley compliance to ISO 9000 compliance. “They’re both very document-centric. ISO 9000 is focused on manufacturing processes; Sarbanes-Oxley is focused on financial processes,” said Newsome.
Tyler agreed: “The whole time people were finding ways to make us compliant [with ISO 9000], they discovered we were already doing that; we just had to do an assessment. It’s definitely achievable.”
Another process Quaker went through before Sarbanes-Oxley that will help the company comply with the law was standardizing its back-office systems on J.D. Edwards & Co. software.
“We wanted to make sure we understand our results, make sure our business activities are in compliance with our management objectives,” said Tyler. “We were doing all these things anyway, so there are no hurdles in terms of having compliant systems.”
Standardizing systems makes it easier for management to feel confident in the numbers it reports, said Mark Kelly, chief technology officer of ACT Teleconferencing Inc., of Golden, Colo. ACT, formed from the merger of several regional phone companies around the world, chose MetraTech Corp.’s MetraNet billing software for its global operations.
“We had a complicated situation with nonstandard billing and nonstandard financial management systems,” said Kelly, who is based in Ottawa. “If we really wanted to grow, we had to put some regimented processes in place.”
Some finance experts say companies should see Sarbanes-Oxley not as a chore but as an opportunity. “If you put an extra paragraph into your annual report that will satisfy those 200 [institutional investors] who drive your stock price,” said a former CFO at a Fortune 500 company, who spoke on the condition of anonymity, “that would help the stock price a lot.”
Additional reporting by John S. McCright and Lisa Vaas