CFO Magazine, February 2005 Issue

Looking for Gaps

The latest generation of compliance software promises to do more to ease the burden of internal controls assessment.

February 1, 2005

When last we looked at the Overtime Guarantee Act known as Sarbanes-Oxley (see "Sarboxing," February 2004), finance managers were busy tapping out distress signals from Documentation Hill. At the time, the compliance deadline for Section 404 of the act was fast approaching. While Section 302 had garnered most of the media's attention, 404 was proving to be the real compliance bear. Among other things, it requires companies to identify key business processes, the controls overriding the processes, and any vulnerabilities in the controls overriding the processes. Summarizing the 404 project at Public Service Co. of New Mexico, Carl Seider, analysis programming lead at the Albuquerque-based utility, says: "It was like, 'OK, stop the world while we take care of this.' "

Instead, officials at the Securities and Exchange Commission stopped the clock, repeatedly pushing back the drop-dead date for implementing Section 404. That gave most accelerated filers a reprieve in 2004, but the deadline is once again looming for most companies (March 15 for dozens of large companies; April 15 for scores of smaller ones). And many finance managers say they will not willingly spend another year in compliance purgatory.

That's understandable. Preparations for 404 have exacted a heavy price. Software maker Micros Systems Inc., for one, has spent roughly $4 million in the past two years on its compliance program for Section 404. And the Columbia, Maryland-based company, with revenues of $487 million, hardly qualifies as a corporate giant. "We've spent an enormous amount of money," says controller Cynthia Russo. "More than we had planned."

Micros is hardly alone. AMR Research vice president John Hagerty estimates that total corporate outlays for overall Sarbox compliance this year will exceed $6 billion. All indications are that Section 404 will account for the vast majority of that. According to Financial Executives International, U.S. companies with revenues of $5 billion or more could spend more than $4.6 million this year getting in compliance with 404. And in a recent study of large companies conducted by law firm Foley & Lardner LLP, the majority of respondents cited 404 compliance as their single biggest expense stemming from governance reform (see chart, page 57). Despite assurances from officials at the Public Company Accounting Oversight Board (PCAOB) that Sarbox-related costs will diminish over time, anecdotal evidence suggests that costs will rise before they fall.

Enter the Software Vendors
To date, the bulk of business expenditures on controls assessment has gone toward additional manpower, what Theodore Frank, president of enterprise compliance software company Axentis Inc., calls the "muscling of 404." One corporate IT manager notes that his department has already logged 10,000 man-hours readying his employer's systems for 404 compliance. Not surprisingly, that's led scores of managers in search of a means to automate at least some of the blocking and tackling involved.

Until recently, however, their calls for technological help went largely unanswered. By all accounts, first-generation Sarbox applications, often rushed out the door by sales-happy vendors, were usually little more than collections of compliance best-practices. "A few of the vendors we saw didn't know what COSO was," recalls Greg Buccarelli, director of Sarbanes-Oxley compliance at drugmaker Novartis, referring to the risk-management principles formulated by the Treadway audit-industry commission in the mid-1980s. "Some weren't even familiar with the sections of Sarbanes-Oxley."

But as the law has come to dominate the governance landscape — and Section 404 the Sarbox landscape — vendors retooled and refined their internal-controls offerings. And now, fortunately enough, new versions of Sarbox software programs represent big improvements over earlier offerings. Certainly, recent releases from Axentis, Hummingbird, OpenPages, Virsa Systems, and Approva reflect a more realistic understanding of the burdens. Some of the programs compare a company's current controls to compliance best-practices, offering solutions on how to shore up weaknesses and better segregate duties. Others help managers document policies and procedures, creating electronic archives of those policies along the way. Several programs flag internal transactions that look suspicious.

Not surprisingly, improved software has led to improved software sales, and AMR now predicts that spending on Sarbox-aimed programs will jump 52 percent this year. "There was no big and compelling reason to buy software a year-and-a-half ago," claims Robert Kugel, vice president and research director (FPM) at Ventana Research in Belmont, California. "Besides, managers wanted to see what the processes looked like before buying software."

And that's just what they did. Ask any compliance manager or controller what he spent his time on last year, and the answer is invariably the same. Early on, he attended weekly controls documentation meetings. A few months later, he created spreadsheets filled with key business processes for all departments. After that, he spent untold hours compiling gap flowcharts and fashioning elaborate models out of control matrixes. Says Pedro Carrera, SAP manager at Boca Raton, Florida-based freight carrier RailAmerica Inc.: "The documentation is what kills you."

