Finance executives continue to grapple with Section 404 of Sarbanes-Oxley. So far, it's unclear who's winning.
John Goff, February 3, 2004

When last we left Mark Thompson (“Drowning in Data,” November 2003), the senior vice president of finance and information technology at Crown Media Holdings was shopping for software. Specifically, he was looking for an application that would help him manage the company’s international contract rights. Crown Media, which owns the Hallmark Channel, operates in more than 120 countries, where it buys and sells thousands of broadcast rights to more than a thousand films. Overseeing the contracts that govern the payment schedules for those programs is a herculean task. Says Thompson: “International rights is a huge portion of what we have to manage.”

Three months later, the finance executive still hasn’t found what he’s looking for. “I haven’t come across the right fit yet,” he says.

He may have to settle on one soon, however. Handling contract rights is one of the 25 or so activities Crown Media’s management deems key to the company’s business. As such, the process is subject to the provisions of Section 404 of the Sarbanes-Oxley Act of 2002—meaning Crown Media must demonstrate sound financial controls governing that business process and then test those controls quarterly. Manually documenting and testing those controls, while doable, would be a real pain. Consequently, says Thompson, “the reporting deadlines and 404 are leading us down the path of automation.”

Finance executives at other companies are headed down a similar path. Despite the fact that the Securities and Exchange Commission pushed back the filing deadline (accelerated filers must be in compliance after June 15), many corporate managers are fast discovering just what a bear Section 404 really is. The biggest hurdle: few businesses operate off a single information platform. In fact, The Hackett Group estimates that the average $1 billion company maintains 48 financial programs, along with nearly three enterprise resource planning (ERP) systems. So it’s little wonder, says Randy Whitchurch, CFO at bar-code maker Zebra Technologies, that “if you’ve got a lot of far-flung locations on disparate accounting systems, [documenting controls is] a problem.”

Not surprisingly, business-software makers—many of which see Sarbox as the next Y2K—have flocked to Section 404 like alley cats to albacore. John Van Decker, vice president (technology-research services) at Stamford, Connecticut-based Meta Group Inc., reckons there are now 50 or more vendors flogging software aimed at Section 404 (see our vendor directory). The long list includes ERP vendors, content-management and business-process-management specialists, start-ups, upstarts, and industry giants (read: IBM and Microsoft). And in a survey conducted by Meta, fully 92 percent of those IT product and service vendors said they expect Sarbox to boost their year-over-year sales.

To date, however, companies haven’t fully embraced the vendor offerings. In fact, in the same Meta survey, 57 percent of the vendors said that sales of Sarbox products so far had not met their expectations. Part of the problem is that the early work on Section 404 is a decidedly in-house affair, with many companies tapping controllers and internal auditors to handle the initial documentation. What’s more, of the $5 billion or so that publicly traded companies will spend on Sarbox projects this year, only about 20 percent will go toward software purchases, with the rest spent on staff and consultants.

Eventually, however, that percentage is bound to increase. CFOs, the senior executives generally charged with wrestling Section 404 to the ground, say they’d just as soon not go through this exercise every year. And deciding among the various software offerings that promise to alleviate some of the Section 404 drudgery will undoubtedly become a priority. Says James J. Groberg, senior vice president, director, and CFO at New York-based Volt Information Sciences, of the 168 words that make up Section 404: “It’s a small section. But it’s creating a large amount of work.”

Papered Over

Software should eliminate much of the documentation work going forward. It is possible, says Steve Biskie, assistant vice president (internal control) at insurer Great-West Life & Annuity Insurance Co., for many businesses to rely on Word and Excel files to document internal controls, but he points out that such an approach would result in hundreds, if not thousands, of files. “That may be OK for the first year of 404 compliance,” he asserts. “But on an ongoing basis, it will be tough to maintain controls using those products.”

Deciding which product to use long term, however, is not cut-and-dried: there is no clear market leader. Greenwood Village, Colorado-based Great-West, for example, opted for a program called Certus, marketed by Nth Orbit, an interesting decision, considering Great-West is also an SAP customer. But Biskie says senior managers at the life insurance company weren’t overly worried about using a relatively new product from a small software company (one that started out as a supply-chain specialist, no less). “The older products were designed for other purposes,” he argues. “Besides, any product that is out there for 404 is new.”

He has a point. While Van Decker warns against purchasing software from companies that have “arisen specifically because of Sarbanes-Oxley,” Section 404 compliance products from such niche vendors as Movaris Inc. and Nth Orbit (plus programs from Paisley Consulting and OpenPages) do offer certain advantages over apps from better-known ERP and business-software companies. As Biskie points out, “Certus is geared toward doing this work. It’s not a bolt-on product that’s designed for something else.”

Moreover, smaller software vendors can ill afford to lose any customers—a fact that often translates into gold-plated service. “Large companies don’t give you the same level of service,” claims Kyle Didier, vice president of finance at Minneapolis-based Regis Corp., which recently purchased Certainty, a compliance-management program, from Campbell, California-based Movaris. Buyers of compliance software from niche vendors also can negotiate price reductions, flexible contracts, and service enhancements. Another perk: Groberg reports that programmers at OpenPages consulted with Volt when designing an upgrade to its Sarbanes-Oxley Express (SOX) program, and ultimately incorporated some of those suggestions in later versions of the software.

Let’s Play Twister

Of course, service tends to suffer when the service provider goes out of business. And make no mistake, a number of companies currently flogging Section 404-related products will be gone by the end of the year. As John Hagerty, vice president of research at AMR Research, states: “The market simply can’t sustain a dozen independent vendors.”

While it’s tough to tell which companies will capsize, Van Decker says several in the contract-management sector are already foundering. Likewise, the crowded enterprise content-management space appears headed for a shakeout. In December, for example, Documentum was acquired by data-storage giant EMC Corp. Around the same time, Interwoven, which recently merged with rival content-management vendor iManage, reported a net loss of $35.1 million for the first nine months of 2003. That’s a sizable hit, considering the Sunnyvale, California-based Interwoven generated revenues of only around $78 million during the same time period.

The prospect has clearly spooked some prospective purchasers of Section 404 software and has bolstered the case for dealing with larger—more stable—software vendors. But staying power doesn’t necessarily mean the products of top-tier vendors are up to snuff. Doyle Arnold, executive vice president and CFO at Salt Lake City-based Zions Bancorporation, says he looked at all sorts of Section 404-related software before settling on a program from Providus (a company Zions spun out of Lexign, another software company it had acquired). “All the software [I looked at] was built for another purpose,” explains Arnold. “It would have to be twisted to do 404.”

Generally speaking, twisting software is not good. That’s why most experts say it’s unwise to purchase a Section 404-targeted program without considering if the application plays well with others—particularly ERP systems. As part of Crown Media’s compliance efforts, for instance, Thompson bought an online purchase-order system called eRequester (from Paperless Business Systems). In making the buy, he says, he was mindful of Crown Media’s plan to eventually swap out the company’s Best Software general ledger. “We wanted a [PO] system that was open,” he explains, “one that would work with whatever general ledger we went with.”

Such an approach, while prudent, raises the obvious question: Why not simply use deployed enterprise software for Sarbox compliance? Indeed, at San Jose, California-based Aspect Communications, controller Bruce Ruberg says the company is addressing Section 404 compliance in tandem with a reimplementation of Oracle 11i. “We’re redefining all our business flows, which ties in to the 404 sweet spot,” he explains. “It makes sense to do them together.”

Turned On

Certainly, integrating Section 404 reporting with a company’s financial systems would seem to be an ideal approach to Sarbox. ERP vendors have not been shy about playing up the angle, either. Early on, vendors claimed that business users need only turn on the existing controls within their ERP systems to satisfy much of Section 404.

The pitch hasn’t gained a whole lot of traction in the marketplace, however. First off, as Van Decker points out, ERP systems can help with the assessment of financial controls—a big task, admittedly—but not necessarily the documentation of controls. And as Hagerty notes, ERP systems come with both inherent controls and configurable controls. Those configurable controls offer a dizzying number of choices. Says Biskie: “There can be a million control options within each process [in an ERP system]. Which one do you choose?”

Even the ERP vendors appear to have backed off their initial “just turn ’em on” approach: in recent months, the major players have unveiled new modules designed specifically for Section 404 compliance. In May, for example, Oracle announced the development of its Internal Controls Manager, an application aimed squarely at Section 404 compliance. Then, in October, PeopleSoft launched its own Section 404 product, called Enterprise Internal Controls Enforcer. And SAP began shipping a similar offering, its Compliance Management for Sarbanes-Oxley Act (part of mySAP Financials), around the same time.

Yet while ERP vendors may be saying this is part and parcel of what they do, they’re going to have to fend off some powerful rivals—rivals that are already well entrenched in the business-computing landscape. IBM, for one, has teamed with Big Four auditor KPMG to offer IBM Lotus Workplace for Business Controls and Reporting, a program designed to help businesses tackle the issues of documenting and dynamically assessing their controls and business processes.

Some industry watchers, however, say Big Blue competitor Microsoft may pose an even bigger threat to the Section 404 sales of ERP and niche vendors. Next month the company will release the Office Solution Accelerator for Sarbanes-Oxley, a software package built for the Office System platform (and one of a number of business “accelerators” the company markets). Essentially, the accelerator for Section 404 compliance sits on top of a company’s existing infrastructure and features a familiar Windows interface. As with many products from Gates & Co., Microsoft is relying on partners to extend and enrich the software.

And which of Microsoft’s raft of business partners will likely end up doing the extending and enriching? Says one industry watcher: “I think auditors will end up using this.” Just what Section 404 software vendors need: more competition.

John Goff is technology editor at CFO.

Auditors in the Ring

Section 404 of the Sarbanes-Oxley Act of 2002 has been good to the Big Four. Not only are the firms in line to pick up considerable attestation business this year, they’re also pitching 404 compliance tools to clients. Says Steve Barth, a partner at Foley & Lardner: “Audit firms are jumping all over this.”

Some corporate managers are availing themselves of their auditors’ tools—at least for this go-round. John Van Decker, a vice president at research firm Meta Group Inc., is advising corporations to “go through [the] first year with [your auditor’s] tool, understand how it works with 404, then replace that when you understand the nature of your 404 process.”

Other management teams, however, are choosing to talk to their auditors about the configuration of third-party Section 404 software. Volt Information Sciences CFO James J. Groberg says that his company gave auditor Ernst & Young a demo showing how Volt structured its 404 effort, which is encapsulated in a program from OpenPages. “The last thing we want in July is E&Y saying, ‘Oh, that’s not what we meant.’”

There are other risks involved with using an external auditor’s Section 404 tool. At the top of the list: software development is not the core competency of accountants. Says Bruce Ruberg, controller at Aspect Communications: “The Big Four are not in the business of software, long term.” In addition, purchasing Section 404 software from external auditors may send the wrong message to shareholders. “An auditor firm is very involved in [a] 404 process, then it sells you a software tool, then it comes in and audits over this,” says Barth. “You can just see the cases coming up, can’t you?”
