Risk & Compliance

Under Pressure

Sarbox is just one of many new regulatory requirements companies face. Can IT help?
Scott Leibs, March 17, 2003

Last year, in a speech before the American Society of Corporate Secretaries, the Securities and Exchange Commission’s Cynthia Glassman took the corporate-governance group for a not-terribly-invigorating walk down Memory Lane. “The public eagerly sought stocks of companies in certain ‘glamour’ industries…in the expectation that they would rise to a substantial premium — an expectation that was often fulfilled,” she said. “Within a few days or even hours after the initial distribution, these so-called hot issues would be traded at premiums of as much as 300 percent above the original offering price. In many cases, the price of a ‘hot’ issue later fell to a fraction of its original offering price.”

Then she delivered the kicker: she wasn’t quoting from an account of the dot-com bubble, but from an old SEC document about the mania for electronics stocks that dominated Wall Street in the late 1950s and early ’60s.

Her point was that the current raft of regulations is not new, and it’s high time that companies take corporate governance seriously. As part of that, she suggested they engage in “real self-examination and learning….”

All in the Timing

She meant it in the sense that the unexamined corporate life may ultimately be lived in jail, but other interpretations spring to mind. They especially spring to the minds of software companies and other purveyors of IT, which see in the Sarbanes-Oxley Act of 2002 and other recently enacted or proposed regulations a prime opportunity to sell products to their corporate customers.

Some of these efforts have to be chalked up to opportunism. As we noted in CFO in December 2002 (see “Partial Clearing”), there is nothing in Sarbanes-Oxley that unequivocally mandates a technology upgrade. While the technology sector would certainly benefit from another Y2K-like buying frenzy, this is not likely to trigger one. Longer term, however, regulatory pressure may have a substantial impact on a range of IT buying decisions.

Today most CFOs we spoke to agree with Terry J. McClain of Valmont Industries Inc., a designer and manufacturer of irrigation systems, utility poles, and other products. “Sarbanes-Oxley is a costly exercise for us, both in terms of time and money, but very little of that involves IT,” he says. Consultants and lawyers, he says, are the current beneficiaries. “I can see a role for IT in providing some systematized checks and balances,” he states, “and maybe we’d use software as a sort of checklist to keep us on track, but it’s really more about your processes and governance structure.”

Yet McClain also says the full implications of new regulatory requirements can be difficult to fathom because “they come out a spoonful at a time, and there haven’t been any test cases that can shed light on areas that are wide open to interpretation.”

That murkiness is at the heart of many IT companies’ marketing pitches, which essentially argue that companies shouldn’t focus too closely on the letter of the law, but rather on the spirit. And the spirit emphasizes visibility, accountability, and better governance. There’s a strong role for IT, they say, in all three areas.

“Half of all the calls I get involve Sarbanes-Oxley,” says John Van Decker, an analyst at Meta Group Inc. who focuses on financial applications, “so I’m certainly seeing signs that IT spending will get a boost from this.” Most likely, he says, companies will view Sarbanes-Oxley as a catalyst, making long-delayed upgrades to financial systems in order to meet the faster reporting times now mandated, and to give them greater confidence that the numbers their CEOs and CFOs are liable for are accurate.

Some software companies are making their own upgrades, tweaking products to meet new regulatory requirements. PeopleSoft Inc., for example, had already started down the road toward performance management before Sarbanes-Oxley came along, but is now adding an investor portal to its Financial Management Solutions Blueprint product suite, as well as new workflow and approval capabilities to its financials modules to speed the preparation of 10-K and 10-Q reports.

“One prospect had set aside three to four months to review potential IT solutions,” says Renee Lorton, senior vice president and general manager of PeopleSoft’s financial solutions group, “but then met with us and said, ‘We have to make a choice and begin implementation within a month — our board is demanding it.’”

While she says that such top-level pressure will boost sales, particularly among the many companies that still use older, “legacy” applications, she also believes such forthcoming rules as Sarbanes-Oxley Section 404, which would require management to state in annual reports how it has addressed a range of internal controls and financial-reporting procedures, “could be a huge driver” for financial software.

“Could be,” because Section 404 is one of two provisions that have no specified deadline; the other, Section 409, concerns “real-time” disclosure of any material change in a company’s financial condition. Thus, two of the mandates with the most potential to demand IT fixes will trail behind other provisions of the legislation. “Software companies would love to offer ready-made products for internal control,” says Scott Bohannon, executive director of the Working Council for Chief Financial Officers, a membership organization that researches best practices in financial management. “But no one knows what the final rules are yet.”

Oracle Corp. is already producing a series of white papers and workshops built around the specific regulatory pressures facing various vertical industries; in many cases, Sarbanes-Oxley is just one of several new laws that companies must comply with.

Phase Value

Despite the uncertainty, there are enough information-oriented provisions within Sarbanes-Oxley, from Section 302 (corporate responsibility for financial reports) to Section 806 (accommodation of and protection for whistle-blowers), that the implications for IT are already becoming clear — at least to some companies. “It often comes down to whether companies are in the rationalization phase, the realization phase, or the optimization phase,” says Brian Kinman, leader of the enterprise risk management practice at PricewaterhouseCoopers LLP.

Kinman says companies tend to evolve through all three phases, at first believing they already comply with Sarbanes-Oxley requirements, then realizing they have work to do, and finally moving on to optimization, in which they don’t simply comply but put systems in place to make sure they remain compliant even as requirements change. “That often involves an IT investment,” he says. “For example, putting in automated reporting systems to make sure you always have control over and visibility into current financial results.”

Very few CFOs seem to be at that stage today. “Most are focused on creating an internal-control framework that allows auditors to attest to the validity of management assertions,” says Steve Wagner, co-chair of the Sarbanes-Oxley internal-control committee at Deloitte Touche LLP. “IT tends to play into that via a ‘controls repository,’ a place to document your goals and activities.”

While that could be as simple as a spreadsheet, many software companies — particularly ones that don’t concentrate on financial software — see this as a ready opportunity to extend products that were originally developed for other purposes. Compli Corp. has offered software since 2002 that addresses employment practices, helping companies fend off lawsuits by communicating policies on, for example, sexual harassment, and then allowing them to track complaints and log actions taken by human-resources departments. The company says its software is well suited to issues of financial compliance, providing a Web-based means of creating and communicating policies, assessing their effectiveness, and providing well-documented follow-up.

Similarly, shareholder.com and CCBN Inc., among others, have expanded their Web-based investor-relations services to include corporate-governance issues. In a sense, this brings the practice of leveraging Sarbanes-Oxley for marketing purposes full circle: companies with solid governance policies and internal controls can let investors know all about them, possibly making their stock more attractive. (In fact, a survey by Parson Consulting found that companies that release financial results earlier than their peers achieve an average 15.5 percent premium in their P/E ratios.)

If to date there has been more talk than action regarding the role of IT in helping companies deal with regulatory pressures, there are signs that technology will eventually become a bigger part of the discussion. Last month, Nationwide Financial Services Inc. announced it had developed an internal system based on Lotus Notes technology that documents 178 “unique processes” pertaining to internal audit, so that the financial-services firm’s CFO and CEO can be comfortable with its internal controls. Bohannon says products such as “electronic audit committees,” audit dashboards, and E-learning systems designed to communicate ethics policies are being developed by a number of software companies.

And Bill Hurley, national practice leader at Parson Consulting, says the Sarbanes-Oxley marketing spin isn’t coming just from technology vendors. “We have clients who have wanted to reengineer their internal controls for years,” he says. “Now Sarbanes-Oxley gives them the justification to get the money they need to build better systems.” United Technologies Corp. may go even further: having upgraded its internal whistle-blower system to be Web-based, it’s considering whether to offer it commercially. Maybe regulations aren’t so bad after all.

Sidebar: Confidence Check

In light of Sarbanes-Oxley, how confident are CFOs that spreadsheet-based reporting processes provide adequate central control?

  • Not confident: 47%
  • Somewhat confident: 42%
  • Very confident: 11%