Risk & Compliance

Automation and Sarbanes-Oxley Compliance

Companies that look to embed automated controls throughout their cross-enterprise business processes should enjoy the largest long-term benefits.
Eric Laursen, October 18, 2005

Most companies are anxious for business unit managers to assume accountability for Sarbanes-Oxley compliance. Yet, they also realize that the biggest pain points in the compliance process — and the biggest opportunities for achieving savings and greater efficiency — lie not in the scramble for better documentation that they focused on in year one, but rather in fundamental areas of financial reporting such as testing, monitoring, and remediation or mitigation.

That’s where automation comes in. At Transaction Systems Architects, which develops E-payment software for companies, vice president of financial planning analysis David Konz says responsibility for process documentation, testing, and any remediation or enhancement activities resides with the process owners. Business processes and controls, supporting functions such as accounts payable, accounts receivable, receipt and setup of contracts — TSA is seeking to automate and standardize all of these functions across the organization.

“Only automate in such a way that would enhance and add to the existing control structure,” Konz advises. A survey of 180 finance executives by CFO Research Services (a sister organization to CFO.com) found that automating the compliance and control environment is a priority for 76 percent of companies. Those with over $1 billion in annual revenues, which typically have more complicated or geographically diverse organizations, rank it even higher. Similarly, 51 percent of all respondents say they would prefer to leverage automated controls with their ERP systems rather than streamline their manual controls, while the margin jumps to 56 percent for respondents who consider automation of compliance and controls to be a top-priority item over the next 12 months.

Going forward, most executives predict that automation will be essential to establishing a sustainable Sarbanes compliance framework. Manual processes that require the involvement of employees, consultants, or auditors are not sustainable. Automated documentation, monitoring, testing, and enforcement are more stable and coherent than the E-mail, Excel spreadsheets, and sample-based testing that were once managers’ and finance executives’ main methods of managing compliance. That’s in large part because they enable a repeatable, reliable, and predictable solution, while significantly lowering the cost of compliance.

Some companies, in fact, say that Sarbanes has been a catalyst for automation, pushing them to make changes sooner than they’d originally planned. At Olympic Health Management Systems, CFO Dick Warren says the control assessment tool that its corporate parent, Aon, put in place in response to Sarbanes to track required documents “has been a huge benefit from a corporate standpoint because it enables centralized review and control — from the ultimate SOX standpoint — all the way up to the chairman and CFO of Aon.”

Additionally, conversations with executives suggest that foreign companies are more anxious to push ahead with automated compliance. That’s because foreign issuers are not required to comply with Sarbanes until the end of 2006, giving them more time to put a definitive system into place while at the same time preparing to embark on their first year under the statute. ABB, the European power and automation technology company, is developing an internal tool and is also investigating online training programs, says Nadine Troccoli, leader of the company’s Sarbanes-Oxley effort.

Companies have different expectations for what they believe will be the most important uses of their new automated systems, however. Almost half of all companies in the survey — and over half of those with more than $1 billion in annual revenue — state that security and access controls are areas they currently automate or plan to automate in the future. Thus, security is the one area on which companies show the most agreement.

Some companies also place a great deal of emphasis on developing dashboards that will enable them to extract high-level reports on compliance for top management. Technology consulting company Kanbay International is integrating a reporting tool at the same time that it completes its first year of Sarbanes compliance — largely through manual efforts. By year’s end, corporate controller Bruce Fortelka expects it will have this reporting application completely up and running. A top priority, he adds, is “being able to extract high level summary reports from the tool — something that the CFO and CEO can rely on to know that controls are in place, have been tested and reviewed.”

Most companies, however, emphasize the importance of automation to them for achieving the greater command and control over data that successful Sarbanes compliance promises. “Through automation, the sites themselves are able to be more efficient operationally, and also the corporate office gains greater understanding of what’s going on,” says Craig Walczyk, CFO of the real-estate development, investment, and management firm Waterton Associates.

Automation and “Pervasive Compliance”

The biggest long-term gains from automation, however, are to be had by companies that look for ways to embed automated controls throughout their cross-enterprise business processes. Going forward, Warren says he would like to see workflow applications developed that link Aon’s automated control assessment tool directly to the actual Sarbanes reporting, control, and testing functions, so that these can themselves generate attestation and other data for the tool. The result would be an environment of pervasive compliance, where as much of Sarbanes and other compliance regimes as possible are fulfilled through enhanced controls located within the business processes themselves.

In year two, as we’ve seen, some companies are taking their first step in this direction by reviewing the compliance-related changes they made the first year in order to weed out process redundancies and, if possible, shift more of their controls from a detective to a preventive mode. An executive at one manufacturing company that asked not to be named calls it “controls transformation — transforming all the detective controls and trying to get them into the preventive quadrant.”

Switching to preventive controls lowers costs and improves accuracy in the long run, because they can be automated: “You’re not relying on a human being to look at a report in the back.” Controls transformation is an ongoing program at this company, where the executive says the goal is to shift about 10 percent of controls each year from a detective to a preventive mode.

Implementing the shift means having his team talk to owners of processes that are still relying on manual controls, further understanding their business processes, and figuring out how to automate the critical controls in order to move them to a preventive environment. “It could be getting our IT group involved in rewriting some coding, or it could be just changing processes around,” the executive says. Either way, “it’s a huge initiative and tremendously important to us.”

At many companies, more automation is the tool to achieve such a shift. Watch retailer Movado Group Inc. will be examining its secondary controls closely to determine their necessity or to eliminate redundancy, says Joe Nici, vice president of business controls. He says a larger issue will be, “Can I still maintain the control objective, but do it in an efficient way? Can we use software to perform such tasks as continuous intercompany reconciliations and posting of transactions to eliminate tedious manual reconciliations? Then you begin to really derive real value, because you’ve moved from a manual detective control environment to a preventive, automated environment. I think we have tremendous opportunities to do that.”

Companies are finding other ways to embed controls. Sony of Canada has just enhanced its ERP system with a module that enables it to automate segregation of duties by defining key roles, assigning them to individuals, and building security elements around them. “The software basically then analyzes all the access authorities and tries to highlight conflicts,” explains CFO Barry Hasler. “For example, having the same person — say, an order desk supervisor — set up master data and transaction data is probably a no-no. The software can comb through all the authorizations and accesses in the system and highlight where potential conflicts exist. Then the conflicts have to be either removed or expressly approved by somebody.”

Going forward, when a particular role receives a new level of authority, or when an individual changes jobs and wants access to a certain function, the system can simulate what conflicts this might create. Sony of Canada will also run a complete diagnostic once a quarter to make sure the software is spotting conflicts properly.

“It’s not that I’m particularly concerned that we will find a lot,” Hasler says, “because I don’t think we will. But to try to do this manually is just a horrid exercise — especially when you get to the supervisory level!” At the same time, he added, tools for performing this kind of analysis have become much more user-friendly: “They use an English phrase now. You don’t just get cryptic transaction codes.”
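The conflict analysis, express approval, and what-if simulation described above can be sketched in a few functions. This is an added example, not Sony of Canada's software or any ERP vendor's code; every role, permission, rule, and user name in it is constructed for illustration.

```python
# Constructed sample data: role, permission and user names are illustrative only.
ROLE_PERMS = {
    "order_desk_supervisor": {"create_sales_order", "approve_sales_order"},
    "master_data_admin": {"maintain_customer_master"},
    "ap_clerk": {"post_vendor_invoice"},
    "treasury": {"release_payment"},
}
# A rule names two permissions that one person should not hold together.
SOD_RULES = [
    ("maintain_customer_master", "create_sales_order", "master data + transaction data"),
    ("post_vendor_invoice", "release_payment", "invoice posting + payment release"),
]
USER_ROLES = {
    "alice": {"order_desk_supervisor"},
    "bob": {"ap_clerk", "treasury"},
    "carol": {"master_data_admin"},
}
# Conflicts that have been expressly approved: (user, rule) -> approver.
APPROVED = {("bob", "invoice posting + payment release"): "controller"}


def effective_perms(roles):
    """Union of permissions across roles; an undefined role is an error, not a no-op."""
    unknown = set(roles) - set(ROLE_PERMS)
    if unknown:
        raise ValueError(f"undefined role(s): {sorted(unknown)}")
    return set().union(*(ROLE_PERMS[r] for r in roles))


def conflicts_for(user, roles):
    """Return [(rule, 'approved' | 'open')] for every rule the role set violates."""
    perms = effective_perms(roles)
    return [(desc, "approved" if (user, desc) in APPROVED else "open")
            for a, b, desc in SOD_RULES if a in perms and b in perms]


def scan():
    """Periodic full diagnostic: users holding a conflicting combination."""
    report = {u: conflicts_for(u, r) for u, r in USER_ROLES.items()}
    return {u: found for u, found in report.items() if found}


def simulate_grant(user, new_role):
    """What-if: rules that would be newly violated if `user` were given `new_role`."""
    current = USER_ROLES.get(user, set())
    before = {desc for desc, _ in conflicts_for(user, current)}
    after = conflicts_for(user, current | {new_role})
    return [desc for desc, _ in after if desc not in before]
```
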

Sony is also moving to automate controls by creating a “hit list” of spreadsheets to be replaced by computer applications. “Any spreadsheets that feed into your financial statements are a risk area, because spreadsheets are really prone to error,” Hasler says. “We want a basic discipline that spreadsheets are tested, that only input fields can be input into, and that there have to be regular backups and tests of that.”

Like its segregation of duties software, the new application will be plugged into Sony of Canada’s ERP system. One key calculation for which this will reduce risk is for warranty reserves, the amounts the company has to keep on the books to maintain its warranties should it shut down. “We can calculate fairly logically what the reserve should be,” Hasler said. “But there’s a lot of data coming in, because for every product category, there are typically five or six subcategories. If we can take that into a computer application, it takes away one of the big risks of maintaining a multi-spreadsheet system.”

Some companies are starting to streamline the process of testing and adopting new software systems as well, which contributes directly to improving their overall business processes. At Insight Enterprises Inc., a software and IT services provider, “when we actually change software, we have to go through a fairly extensive test cycle where we do variations on test themes,” CFO Stanley Laybourne notes. “We have to do regression testing to make sure that we’ve not lost functionality as a result of our intended changes, for example.”

To cut down on the time this takes, Insight has built a set of automated test scripts that makes the process dependably repeatable. “This automation tool allows us to make sure we apply the same consideration each time we go through and test this environment. It moves away from the human element,” Laybourne says, and reduces the amount of time needed to make sure new programs remain standardized.

Like the efforts to embed controls at Sony of Canada to automate segregation of duties and eliminate spreadsheets for sensitive items, Insight’s larger goal is not just to remedy processes but to create new business advantages. Automated testing “serves two purposes,” said Laybourne. “It helps us on compliance; it also just helps us get better in terms of the way we run our business.”

This article is excerpted and adapted from Compliance and Technology: A Special Report on Process Improvement and Automation in the Age of Sarbanes-Oxley, which explores the role of automation in companies’ efforts to comply with the Sarbanes-Oxley Act of 2002. CFO Research Services, software provider Virsa Systems, and PricewaterhouseCoopers developed the hypotheses for this research jointly. Virsa Systems and PricewaterhouseCoopers funded the research and publication of the findings; CFO Research Services produced the final report. You may download a copy of the full report by filling out a brief form.