Looking for Gaps
The latest generation of compliance software promises to do more to ease the burden of internal controls assessment.
John Goff, CFO Magazine
February 01, 2005
When last we looked at the Overtime Guarantee Act known as Sarbanes-Oxley (see “Sarboxing,” February 2004), finance managers were busy tapping out distress signals from Documentation Hill. At the time, the compliance deadline for Section 404 of the act was fast approaching. While Section 302 had garnered most of the media’s attention, 404 was proving to be the real compliance bear. Among other things, it requires companies to identify key business processes, the controls governing those processes, and any vulnerabilities in those controls. Summarizing the 404 project at Public Service Co. of New Mexico, Carl Seider, analysis programming lead at the Albuquerque-based utility, says: “It was like, ‘OK, stop the world while we take care of this.’”
Instead, officials at the Securities and Exchange Commission stopped the clock, repeatedly pushing back the drop-dead date for implementing Section 404. That gave most accelerated filers a reprieve in 2004, but the deadline is once again looming for most companies (March 15 for dozens of large companies; April 15 for scores of smaller ones). And many finance managers say they will not willingly spend another year in compliance purgatory.
That’s understandable. Preparations for 404 have exacted a heavy price. Software maker Micros Systems Inc., for one, has spent roughly $4 million in the past two years on its compliance program for Section 404. And the Columbia, Maryland-based company, with revenues of $487 million, hardly qualifies as a corporate giant. “We’ve spent an enormous amount of money,” says controller Cynthia Russo. “More than we had planned.”
Micros is hardly alone. AMR Research vice president John Hagerty estimates that total corporate outlays for overall Sarbox compliance this year will exceed $6 billion. All indications are that Section 404 will account for the vast majority of that. According to Financial Executives International, U.S. companies with revenues of $5 billion or more could spend more than $4.6 million this year getting in compliance with 404. And in a recent study of large companies conducted by law firm Foley & Lardner LLP, the majority of respondents cited 404 compliance as their single biggest expense stemming from governance reform (see chart, page 57). Despite assurances from officials at the Public Company Accounting Oversight Board (PCAOB) that Sarbox-related costs will diminish over time, anecdotal evidence suggests that costs will rise before they fall.
Enter the Software Vendors
To date, the bulk of business expenditures on controls assessment has gone toward additional manpower, what Theodore Frank, president of enterprise compliance software company Axentis Inc., calls the “muscling of 404.” One corporate IT manager notes that his department has already logged 10,000 man-hours readying his employer’s systems for 404 compliance. Not surprisingly, that’s led scores of managers in search of a means to automate at least some of the blocking and tackling involved.
Until recently, however, their calls for technological help went largely unanswered. By all accounts, first generation Sarbox applications, often rushed out the door by sales-happy vendors, were usually little more than collections of compliance best-practices. “A few of the vendors we saw didn’t know what COSO was,” recalls Greg Buccarelli, director of Sarbanes-Oxley compliance at drug maker Novartis, referring to the risk-management principles formulated by the Treadway audit-industry commission in the mid-1980s. “Some weren’t even familiar with the sections of Sarbanes-Oxley.”
But as the law has come to dominate the governance landscape — and Section 404 the Sarbox landscape — vendors retooled and refined their internal-controls offerings. And now, fortunately enough, new versions of Sarbox software programs represent big improvements over earlier offerings. Certainly, recent releases from Axentis, Hummingbird, OpenPages, Virsa Systems, and Approva reflect a more realistic understanding of the burdens. Some of the programs compare a company’s current controls to compliance best-practices, offering solutions on how to shore up weaknesses and better segregate duties. Others help managers document policies and procedures, creating electronic archives of those policies along the way. Several programs flag internal transactions that look suspicious.
Not surprisingly, improved software has led to improved software sales, and AMR now predicts that spending on Sarbox-aimed programs will jump 52 percent this year. “There was no big and compelling reason to buy software a year-and-a-half ago,” claims Robert Kugel, vice president and research director (FPM) at Ventana Research in Belmont, California. “Besides, managers wanted to see what the processes looked like before buying software.”
And that’s just what they did. Ask any compliance manager or controller what he spent his time on last year, and the answer is invariably the same. Early on, he attended weekly controls documentation meetings. A few months later, he created spreadsheets filled with key business processes for all departments. After that, he spent untold hours compiling gap flowcharts and fashioning elaborate models out of control matrixes. Says Pedro Carrera, SAP manager at Boca Raton, Florida-based freight carrier RailAmerica Inc.: “The documentation is what kills you.”
The 404 project at Anchor Bank is typical of the slog. A $3.9 billion (in revenues) thrift that operates 60 branches in Wisconsin, Anchor commenced its 404 program midyear. Like most banks, Anchor relies heavily on its information systems, so management established a discrete 404 program for its technology group. Peter Bachman, who heads up the bank’s information systems department, says the project team followed standards promulgated by the IT Governance Institute (ITGI), an industry association based in Rolling Meadows, Illinois.
Using the ITGI guidelines, Anchor hived off its technology risks into 12 categories. Bachman says members of the compliance team then created “process narratives” for each risk. That is, workers sat in a room and verbally identified the risks in each category, the controls for those risks, and the processes governing, well…the processes. Eventually, Anchor ended up with 50 process narratives for information systems alone (as of press time, executives at the bank had completed their internal testing of documentation and were awaiting attestation by auditor Ernst & Young). “Lots of companies have good processes, but they’re not documented,” notes Bachman. “But if a process is not documented, it’s assumed [by the auditor] that it’s not being done.”
That’s where software can help. Micros purchased a Web-based product from OpenPages called Sarbanes-Oxley Express to help identify and store key internal controls (and the policies governing those controls) in a standard format in a relational database. That was no small task, considering the maker of enterprise applications for the hospitality industry operates more than 40 subsidiaries globally. Compounding the problem: many of the subsidiaries run separate accounting systems. In its first pass at 404, the compliance team at Micros identified more than 1,000 key internal controls. And controller Russo adds: “There’s no end point. You always see [another] existing control that needs to be documented.”
Finding a Platform
Like other controllers, Russo has worked closely with her employer’s independent auditor in testing the company’s internal controls. At many businesses, however, the documentation of those controls is scattered in Excel spreadsheets or, worse, lengthy paper printouts. And that can make it difficult for an auditor to help a client identify weaknesses that need shoring up.
Sources say the Big Four audit firms disagree about how much 404 advice they can dispense to clients prior to attestation. But many believe the firms will soon insist on more clearly marked audit trails, simply because of the time and effort they themselves spent helping clients anticipate 404’s requirements during their most recent audits. “The process the firms went through this first time is not sustainable,” claims an executive at a midsize software company. “They need a more consistent and reliable [documentation] system with clients.”
The biggest challenge is finding an appropriate compliance platform. With their built-in — and robust — controls, enterprise resource planning applications from SAP AG and Oracle Corp. would seem to be the obvious choices. Managers at Philadelphia-based Lannett Co., for one, decided to tie the company’s 404 project to a rollout of SAP for Pharmaceuticals. Explains Greg Liscio, SAP project manager at Lannett, a $64 million (in revenues) generic-drug maker: “SAP has a rich library of validation tests.” Those tests, he says, are applicable for both Sarbox compliance and Food and Drug Administration requirements.
Not all SAP clients are sold on the software as a 404 tool, however. “The controls are great,” notes Buccarelli of Novartis. “But there’s no framework for assessing those controls and housing them.” To fill the documentation gap, a number of third-party vendors market programs designed to run on top of the R/3 platform. One example: BizRights from Vienna, Virginia-based Approva Corp., which analyzes a user’s SAP system, compares the company’s internal controls against a set of best practices, then produces a report based on the findings.
New software may also be more effective than earlier versions in ensuring the efficacy of controls. With that in mind, RailAmerica, for instance, has deployed programs from Virsa Systems to augment the controls wired into the company’s SAP system. The short-line and regional rail operator, which began its 404 effort in the fourth quarter of 2003, uses the third-party software to monitor usage of financial and IT programs. One application, called Firefighter, enables managers to log onto systems they don’t routinely have access to. Another module, Compliance Calibrator, monitors segregation of duties, guaranteeing that users have no security-access conflicts to such sensitive transaction systems as accounts payable.
But software isn’t a cure-all. As some experts point out, it’s just about impossible to hermetically seal all information systems within a sizable company. Asks one technology manager: “How do you monitor what IT people do in a system when they have access to all the systems?”
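The segregation-of-duties monitoring described above, and the all-access administrator problem raised right after it, reduce to one check: combine each user’s roles into the set of transactions they can execute, then test that set against a rule list of transaction pairs no single person should hold. The script below is an added illustration written for this article, not code from Virsa, SAP or any company quoted here; the role names, transaction names, rules and users are constructed sample data.

```python
# Segregation-of-duties (SoD) conflict check over user role assignments.
# Constructed sample data: each role grants a set of transactions, and each
# rule names two transactions that one person should not be able to run.

ROLE_TRANSACTIONS = {
    "AP_CLERK":        {"create_vendor", "enter_invoice"},
    "AP_MANAGER":      {"approve_invoice", "release_payment"},
    "TREASURY":        {"release_payment", "reconcile_bank"},
    "SAP_BASIS_ADMIN": {"*"},   # wildcard: unrestricted system access
}

SOD_RULES = [
    ("create_vendor", "release_payment", "vendor creation and payment release"),
    ("enter_invoice", "approve_invoice", "invoice entry and approval"),
    ("release_payment", "reconcile_bank", "payment release and bank reconciliation"),
]

def transactions_for(roles, role_map=ROLE_TRANSACTIONS):
    """Union of every transaction granted by the user's roles."""
    txns = set()
    for role in roles:
        txns |= role_map.get(role, set())
    return txns

def sod_conflicts(user_roles, rules=SOD_RULES, role_map=ROLE_TRANSACTIONS):
    """Return {user: [rule description, ...]} for each user whose combined
    roles grant both halves of a rule. A wildcard grant ("*") matches every
    transaction, so a full-access administrator trips every rule; that is
    the finding the 'access to all the systems' question is about."""
    findings = {}
    for user, roles in user_roles.items():
        txns = transactions_for(roles, role_map)
        hits = [desc for a, b, desc in rules
                if "*" in txns or (a in txns and b in txns)]
        if hits:
            findings[user] = hits
    return findings

SAMPLE_USERS = {                      # constructed assignments
    "alice": ["AP_CLERK"],            # clean: entry only
    "bob":   ["AP_CLERK", "AP_MANAGER"],   # creates vendors and releases payment
    "carol": ["AP_MANAGER", "TREASURY"],   # releases payment and reconciles bank
    "dave":  ["SAP_BASIS_ADMIN"],     # unrestricted admin
}

if __name__ == "__main__":
    for user, hits in sod_conflicts(SAMPLE_USERS).items():
        print(f"{user}: " + "; ".join(hits))
```

Feeding the same check a real role export and a reviewed rule list gives an auditor a repeatable, documented test rather than a spreadsheet walk-through.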
Guidance, Please
A little more direction on what constitutes acceptable controls would no doubt ease the pain for finance executives. It would also help software makers better target their products. But so far, neither the SEC nor the PCAOB has offered up specific guidelines on 404 documentation.
Lacking such input, a number of vendors have built their governance programs around the COSO framework. PeopleSoft Enterprise Internal Controls Enforcer, for one, utilizes portal technology, and includes (among other things) a repository for control policies and procedures. QuadraMed Corp., a software development company, deployed the PeopleSoft application last summer. One of the strengths of the program, says Kevin Haggerty, senior director of internal audit at Reston, Virginia-based QuadraMed, is its deft handling of company procedures. “An employee or an auditor can easily go in and look at a policy,” he says.
The digital bread crumbs could prove invaluable for companies when their attesters come calling. In an age of regulatory zeal, experts say just the appearance of running a tight ship is a plus. Ventana’s Kugel believes that if an auditor can quickly get a piece of 404-related information, the auditor will be less likely to dig deeply into a company’s internal controls. “But if they walk in and see boxes of papers lying around,” he warns, “they’re not going to be sure they won’t miss something. Then they’re going to be around longer.”
That may well put the squeeze on companies already behind the 404 eight ball. As Haggerty points out, it’s hard enough for managers to get through their own documentation and testing. Dragging out the attestation process will shorten the time filers have to fix material weaknesses, which is the whole point of 404 to begin with. Indeed, some filers, pressed for time, are apparently having their auditors conduct only one test of their internal controls. That strategy has investor-relations disaster written all over it. Novartis, for example, conducted four internal tests and four auditor tests of its internal controls last year. “If anybody has their auditor coming in just once,” says Buccarelli, “they’re in real trouble.”
The Devil’s in the E-mails
With the deadline for Sarbanes-Oxley’s section 404 compliance looming for some companies, corporate controllers continue to search for gaps in their financial-reporting systems. But experts say a nonfinancial system may well be the trouble spot for 404 compliance in coming years.
While the section does not specifically address electronic mail, the Securities and Exchange Commission requires publicly held companies to retain 404-related documents for a “reasonable” length of time. And it appears scores of companies are using E-mail as their de facto system for retaining those documents. Searching through mountains of E-mail files could prove to be the compliance version of a scavenger hunt. “E-mail is better than paper,” says Robert Kugel, vice president and research director (FPM) at consultancy Ventana Research. “But five years from now, are you certain you’ll be able to find a file?” To better the odds, Kugel advises companies to invest in E-mail archiving systems. “You need to keep a discrete library of this stuff.”
The problem is, few companies appear to be setting up such libraries. While statistical evidence is hard to come by, many executives who spoke to CFO said their employers do not currently have E-mail archiving software in place.
The situation at Public Service Co. of New Mexico is typical. “We’re getting to E-mail,” notes Carl Seider, analysis programming lead at the Albuquerque-based utility. “It’s on the map for this year.” The holdup, he says, is figuring out exactly what gets archived. “Do you save everything, or does the user choose what’s to be saved?”
Dealing with external E-mail could prove to be a bigger dilemma: the vast majority of viruses are transmitted via E-mail. Loose inside a corporate network, digital pathogens could bring down a business’s internal computer systems. A material weakness? Hard to say, but executives at Anchor Bank in Madison, Wisconsin, aren’t taking any chances. Management at the thrift recently installed antiviral software from Sybari Software as part of its overall 404-compliance effort. Notes Peter Bachman, first vice president (technology) at the bank: “Having a strong antivirus system at the door is crucial. A virus in the net could mess with any financial-reporting system.” —J.G.