
CFO Magazine, February 2005 Issue

Looking for Gaps

(continued)

Lacking such input, a number of vendors have built their governance programs around the COSO framework. PeopleSoft Enterprise Internal Controls Enforcer, for one, utilizes portal technology, and includes (among other things) a repository for control policies and procedures. QuadraMed Corp., a software development company, deployed the PeopleSoft application last summer. One of the strengths of the program, says Kevin Haggerty, senior director of internal audit at Reston, Virginia-based QuadraMed, is its deft handling of company procedures. "An employee or an auditor can easily go in and look at a policy," he says.

The digital bread crumbs could prove invaluable for companies when their attesters come calling. In an age of regulatory zeal, experts say just the appearance of running a tight ship is a plus. Ventana's Kugel believes if an auditor can quickly get a piece of 404-related information, it'll be less likely to dig deeply into a company's internal controls. "But if they walk in and see boxes of papers lying around," he warns, "they're not going to be sure they won't miss something. Then they're going to be around longer."

That may well put the squeeze on companies already behind the 404 eight ball. As Haggerty points out, it's hard enough for managers to get through their own documentation and testing. Dragging out the attestation process will shorten the time filers have to fix material weaknesses, which is the whole point of 404 to begin with. Indeed, some filers, pressed for time, are apparently having their auditors conduct only one test of their internal controls. That strategy has investor-relations disaster written all over it. Novartis, for example, conducted four internal tests and four auditor tests of its internal controls last year. "If anybody has their auditor coming in just once," says Buccarelli, "they're in real trouble."

John Goff is technology editor of CFO.


The Devil's in the E-mails

With the deadline for Sarbanes-Oxley's section 404 compliance looming for some companies, corporate controllers continue to search for gaps in their financial-reporting systems. But experts say a nonfinancial system may well be the trouble spot for 404 compliance in coming years.

While the section does not specifically address electronic mail, the Securities and Exchange Commission requires publicly held companies to retain 404-related documents for a "reasonable" length of time. And it appears scores of companies are using E-mail as their de facto system for retaining those documents. Searching through mountains of E-mail files could prove to be the compliance version of a scavenger hunt. "E-mail is better than paper," says Robert Kugel, vice president and research director (FPM) at consultancy Ventana Research. "But five years from now, are you certain you'll be able to find a file?" To better the odds, Kugel advises companies to invest in E-mail archiving systems. "You need to keep a discrete library of this stuff."

The problem is, few companies appear to be setting up such libraries. While statistical evidence is hard to come by, many executives who spoke to CFO said their employers do not currently have E-mail archiving software in place.

The situation at Public Service Co. of New Mexico is typical. "We're getting to E-mail," notes Carl Seider, analysis programming lead at the Albuquerque-based utility. "It's on the map for this year." The holdup, he says, is figuring out exactly what gets archived. "Do you save everything, or does the user choose what's to be saved?"

Dealing with external E-mail could prove to be a bigger dilemma: the vast majority of viruses are transmitted via E-mail. Loose inside a corporate network, digital pathogens could bring down a business's internal computer systems. A material weakness? Hard to say, but executives at Anchor Bank in Madison, Wisconsin, aren't taking any chances. Management at the thrift recently installed antiviral software from Sybari Software as part of its overall 404-compliance effort. Notes Peter Bachman, first vice president (technology) at the bank: "Having a strong antivirus system at the door is crucial. A virus in the net could mess with any financial-reporting system." —J.G.


