Sarbox and IT: The Long Haul

Many CFOs are still looking for long-term solutions to ensure that their control structure remains effective as their organizations grow and change...
Randy Myers, January 19, 2005

With the last of the requirements of the Sarbanes-Oxley Act finally taking effect, it would have been easy to suspect that corporate America’s drive to comply with corporate governance rules would be nearing completion. Yet finance executives who are leading the compliance charge say they do not expect to complete this work any time soon.

More than 60 percent of respondents to a recent survey by CFO Research Services and Capgemini identify regulatory compliance as a long-term rather than a short-term issue. True, many companies are wrapping up their initial efforts to meet the requirements of Section 404 of Sarbanes-Oxley, which requires that companies document and attest to the effectiveness of their internal financial controls. But many CFOs are still looking for long-term solutions to ensure that their control structure remains effective, recognizing that compliance promises to be an ever-evolving process as their organizations grow and change over time.

“Even if a business is relatively static, you have to guard against complacency to make sure your talent and your skills are sharp, to make sure that you are alert to possible breakdowns in controls, and to ensure that you pursue continuous improvement in controls and documentation,” says Dan Farell, senior vice president for energy company TXU Corp., who is overseeing a broad-based business process outsourcing contract the utility recently entered into with an outside vendor. “We look at it as a continuous process,” concurs Brendan Condon, senior vice president of finance and operations for America Online Media Networks (a unit of Time Warner). “Our view is to never assume that what you’re doing is the best you can do.”

Investments Lead to Compliance — and to Improved Performance

As part of this effort, it is not surprising that CFOs plan continued steady investments in people, systems, process improvements, and organizational redesign to reach acceptable levels of regulatory compliance and lower G&A costs. Here, too, leading CFOs appear to have intuitively understood the relationship between regulatory compliance and G&A performance opportunities.

For example, nearly 80 percent of survey respondents say that enhancing the security and integrity of corporate data — a critical component of any internal control system — is a high priority within their organization. But more than 70 percent also give a high priority to reducing IT infrastructure costs and more than 60 percent accord the same priority to reducing IT headcount.

This concern with IT security is dead-on. Chrisan Herrod, chief security officer for the Securities and Exchange Commission, announced in September that, while Sarbanes-Oxley does not specifically address the reliability of a company’s information systems, the SEC is now encouraging public accounting firms to look closely at the information security controls of their audit clients.

While it is safe to assume that ongoing investment in compliance initiatives may be costly and may even exceed budget allowances at some organizations, finance may be able to justify compliance initiatives by arguing that current resource levels are simply not adequate to meet the unique and unrelenting challenges companies face. It is not, after all, just Sarbanes-Oxley that is weighing on public companies. Many firms also labor under increased regulatory legislation aimed at specific industries.

The Health Insurance Portability and Accountability Act (HIPAA), for example, requires that health-care organizations now safeguard the privacy of personal data about patients and also apprise consumers of their privacy policies. The Gramm-Leach-Bliley Act imposes similar requirements on financial services institutions. The Food and Drug Administration, meanwhile, has been pushing for pharmaceutical firms to switch from paper to electronic filing of reports to that agency. “The systems changes we’ve had to go through in the last two years have been enormous,” observes Brian O’Brien, vice president of finance at Yamanouchi Pharma America Inc. “The costs to the company to keep up with the changes on the regulatory side are enormous.”

Warren Beck, director of finance at Vanderbilt University Hospital and Clinic in Nashville, says many of the initiatives his organization has undertaken to comply with HIPAA and to ensure that its billing processes are accurate were, in fact, funded on an ad hoc basis. “We just went ahead and made those investments and hoped we’d be able to manage the cost through unexpected revenue opportunities,” Beck says. “Fortunately, we have been successful in growing our volume, and to that extent these investments have not hurt our financial performance.”

For better or worse, there is little reason to believe that the regulatory storm will subside anytime soon. Privacy concerns, in particular, are expected to drive the passage of new legislation in the years ahead — and not necessarily at the federal level alone. California, for example, passed Senate Bill 1386 last year requiring companies with customers in the state to notify California residents whenever their firms suffer a security breach that might result in disclosure of personally identifiable information. The potential cost of making such a notification — both in hard dollars and damaged reputations — is just another reason for companies to provision their IT infrastructures with the highest possible defenses against accidental or intentional misuse. Indeed, CFOs say that, in total, the changing regulatory and legal environment is among the principal external forces driving change in finance and IT.

Internally, the mandate for change is coming principally from executive management, followed closely by business unit management.

This article is excerpted and adapted from Compliance: Finance’s Bridge to the Enterprise, a report that summarizes the findings of a mail survey of 256 senior financial executives supplemented with interviews of executives at 12 companies. CFO Research Services and Capgemini — a global provider of consulting, outsourcing, and technology services — developed the hypotheses for the research jointly. Capgemini funded the research and the publication of the findings; CFO Research Services produced the final report.