VideoOracle Corp. is already producing a series of white papers and workshops built around the specific regulatory pressures facing various vertical industries; in many cases, Sarbanes-Oxley is just one of several new laws that companies must comply with.
Phase Value
Despite the uncertainty, there are enough information-oriented provisions within Sarbanes-Oxley, from Section 302 (corporate responsibility for financial reports) to Section 806 (accommodation of and protection for whistle-blowers), that the implications for IT are already becoming clear — at least to some companies. "It often comes down to whether companies are in the rationalization phase, the realization phase, or the optimization phase," says Brian Kinman, leader of the enterprise risk management practice at PricewaterhouseCoopers LLP.
Kinman says companies tend to evolve through all three phases, at first believing they already comply with Sarbanes-Oxley requirements, then realizing they have work to do, and finally moving on to optimization, in which they don't simply comply but put systems in place to make sure they remain compliant even as requirements change. "That often involves an IT investment," he says. "For example, putting in automated reporting systems to make sure you always have control over and visibility into current financial results."
Very few CFOs seem to be at that stage today. "Most are focused on creating an internal-control framework that allows auditors to attest to the validity of management assertions," says Steve Wagner, co-chair of the Sarbanes-Oxley internal-control committee at Deloitte Touche LLP. "IT tends to play into that via a 'controls repository,' a place to document your goals and activities."
While that could be as simple as a spreadsheet, many software companies — particularly ones that don't concentrate on financial software — see this as a ready opportunity to extend products that were originally developed for other purposes. Compli Corp. has offered software since 2002 that addresses employment practices, helping companies fend off lawsuits by communicating policies on, for example, sexual harassment, and then allowing them to track complaints and log actions taken by human-resources departments. The company says its software is well suited to issues of financial compliance, providing a Web-based means of creating and communicating policies, assessing their effectiveness, and providing well-documented follow-up.
Similarly, shareholder.com and CCBN Inc., among others, have expanded their Web-based investor-relations services to include corporate-governance issues. In a sense, this brings the practice of leveraging Sarbanes-Oxley for marketing purposes full circle: companies with solid governance policies and internal controls can let investors know all about them, possibly making their stock more attractive. (In fact, a survey by Parson Consulting found that companies that release financial results earlier than their peers achieve an average 15.5 percent premium in their P/E ratios.)
If to date there has been more talk than action regarding the role of IT in helping companies deal with regulatory pressures, there are signs that technology will eventually become a bigger part of the discussion. Last month, Nationwide Financial Services Inc. announced it had developed an internal system based on Lotus Notes technology that documents 178 "unique processes" pertaining to internal audit, so that the financial-services firm's CFO and CEO can be comfortable with its internal controls. Bohannon says products such as "electronic audit committees," audit dashboards, and E-learning systems designed to communicate ethics policies are being developed by a number of software companies.
And Bill Hurley, national practice leader at Parson Consulting, says the Sarbanes-Oxley marketing spin isn't coming just from technology vendors. "We have clients who have wanted to reengineer their internal controls for years," he says. "Now Sarbanes-Oxley gives them the justification to get the money they need to build better systems." United Technologies Corp. may go even further: having upgraded its internal whistle-blower system to be Web-based, it's considering whether to offer it commercially. Maybe regulations aren't so bad after all.
Sidebar: Confidence Check
In light of Sarbanes-Oxley, how confident are CFOs that spreadsheet-based reporting processes provide adequate central control?
- Not confident: 47%
- Somewhat confident: 42%
- Very confident: 11%
Reader Comments» Post a comment