February 16, 2004

Standards research

Sarbanes-Oxley: Road to Compliance

As the initial June deadline for complying with the Sarbanes-Oxley Act nears, publicly traded companies across the United States are scurrying to deploy software packages that will put them in compliance.

Not surprisingly, IT departments view the act as an opportunity to show their impact on the company's bottom line by helping forge tighter links between business processes and technology. However, the compliance process is turning out to be more costly and time-consuming than originally expected, and in many cases, according to at least one study, companies are not turning to their IT departments to manage compliance.

The law, officially known as the Public Company Accounting Reform and Investor Protection Act and enacted in July 2002, requires companies to make new disclosures on internal controls, ethics codes and the makeup of their audit committees on annual reports.

The act is better known by its nickname, after its co-sponsors, Sen. Paul Sarbanes, D-Md., and Rep. Michael Oxley, R-Ohio, who chair the House-Senate conference committee meeting on corporate accounting reform. The initial phase of the act focuses on Section 404, which requires companies to perform a self-assessment of risks for business processes that affect financial reporting.

Public companies with market capitalizations of $75 million or more must be in compliance with Section 404 for their fiscal year ending on or after June 15. Smaller companies have until the fiscal year ending on or after April 15, 2005, to comply.

But according to several large companies embroiled in the process, compliance isn't turning out to be quick or cheap.

Tom Martin, audit operations manager for Boise Cascade Corp., in Boise, Idaho, estimates that his company will spend about $7 million a year on Sarbanes-Oxley compliance, including 20,000 auditor-hours this year, after recording 17,000 auditor-hours on Sarbanes-Oxley compliance last year.

"We should be in compliance by the end of the year," Martin said. "Then we'll have to do it all again next year."

Boise Cascade began an implementation of Movaris Inc.'s Certainty product late last year to build a repository of accounting controls that share the same framework across the company's multiple divisions.

"We have to have a description of our controls and evaluate our controls on an ongoing basis and be sure they're in place and work," Martin said. "We needed something that could be accessible throughout the U.S. and the world. And we knew we needed a Web-based system, something that was very easy to use, since folks would only be doing it once a year."

To Martin, Sarbanes-Oxley compliance is a five-phase project: planning; scoping, which is determining what's material to the company and needs to be documented; looking for information gaps; and implementation, evaluation and monitoring.

Boise Cascade is now in the implementation, evaluation and monitoring phase and expects to be audit-ready by Sept. 30, Martin said. The company is doing a pilot project at its distribution centers, then will roll out Certainty to its other business units.

"The product has enabled us to look at our controls environment in one package," Martin said. "We knew our controls were similar, but not the same, so we look for opportunities to standardize the process."

Forming a central repository of documented controls for multiple business units is also the task at hand at Volt Information Sciences Inc. The New York-based company needs uniform, complete documenting of controls, business processes and risks, according to its chief financial officer and senior vice president, James Groberg.

"The basic task may not be that difficult, but it's extraordinarily difficult if you have many business units," said Groberg. "We need to be able to get at [the controls] quickly in a format the business units themselves can understand. We want an audit trail."

Volt is using OpenPages Inc.'s Sarbanes-Oxley Express product to build its controls repository. Groberg agreed that the process was expensive but described it as a "wake-up call," one that his company could benefit from in the long run.

"[Section] 404 [compliance] is extremely difficult and very expensive, but in the long run, it's a benefit for the management of the company," Groberg said. "We'll be more certain that we have the internal controls in place that we need to have so we'll avoid the costs of finding errors."

Having the right financial controls in place is nothing new at Volt and most other companies, Groberg said.

"We've always had these controls in place," he said. "It's a question of organizing them properly so that we have a better monitoring overview from the management standpoint and can prove to the public that we have the controls in place that can prevent a material misstatement."

Sarbanes-Oxley compliance requires more than just a new documentation system.


John Imperato, vice president of finance at Viasys Health Care Inc., saw compliance as an opportunity to get a standardized financial reporting system in place at his company's multiple business units. Until recently, each unit had its own reporting system, with nonstandard processes and consolidations done manually by e-mailing Microsoft Corp.'s Excel spreadsheets back and forth.

Viasys is now in the final stages of implementing Cartesis Inc.'s Magnitude financial reporting software companywide for internal and external reporting.

"The same general product categories [at different business units] did not update together," said Imperato. "Every one of the companies had their own reporting systems."

Keeping up with Sarbanes-Oxley

Five steps to compliance

# Planning Form compliance committee, select software to assist in compliance process

# Scoping Determine what information needs to be documented and is material to company

# Documentation Document business processes and controls in place to ensure information is accurate

# Gap analysis Identify and remediate inadequate controls

# Implementation, evaluation and monitoring of controls Document and update controls as needed, then turn them over to audit team, which evaluates depth and effectiveness of controls; develop ongoing process for monitoring controls

With Magnitude deployed throughout the company, all accounting systems update at the same time and link to a central consolidation system, Imperato said. Magnitude also allows Viasys to drill down into reports to get general ledger and sales information on specific products.

"Compliance was a big issue, but there were management issues as well," Imperato said. "Now we'll have a lot more confidence that our information and numbers are complete and accurate."

At Viasys and other companies, Sarbanes-Oxley compliance is spearheaded by and is the ultimate responsibility of the finance department. But as the examples illustrate, compliance ties into typical IT department challenges, such as application and data integration, particularly when different divisions and companies are involved

IT can't shy away from playing an important role in compliance. Yet a recent Hackett Group survey indicates that more than 50 percent of public companies aren't getting IT involved in the process.


"IT can be a huge, huge enabler," said Scott Holland, senior director at the Hackett Group, an Answerthink Inc. company. "Technology and processes need to be in the same room. One cannot be successful without the other."

Hackett analyst David Oppenheim said Sarbanes-Oxley could make the public company CIO a "superstar."

"Having an understanding of what different technologies are in an organization and how they're connected to each other is critical to the analysis associated with Sarbanes-Oxley compliance," said Oppenheim in Philadelphia. "The business users may think they understand the system, but that's a false sense of security."

IT is heavily involved in the Section 404 compliance process at Volt, according to Groberg.

As part of the compliance process, Volt IT personnel needed to document security and application access as well as know when the company's PeopleSoft Inc. financial system is not functioning properly. IT works closely with financial and operational personnel, Groberg said. "They look to you to give them what they need to do their job."

At Boise Cascade, IT was first actively involved in screening companies with Sarbanes-Oxley compliance offerings, based on Boise Cascade's specifications, Martin said.

As part of the compliance initiative, IT was then given ownership of certain business processes involving design, testing and implementation of software so that all software applications involved in compliance are running as they were intended to, Martin said. "The internal auditors test the financial controls and the IT auditors test the IT controls," he said.

Like Viasys, commercial real estate developer The Rouse Company consolidated its financial planning applications. But instead of Cartesis, the company turned to SRC Software Inc. and its SRC Budgeting product.

Breaking it down

The average billion-dollar public company ...

# Manages 48 disparate financial systems

# Manages 2.7 enterprise resource planning systems

# Uses stand-alone spreadsheets for financial reporting (47 percent)

Robert Edwards, vice president and CIO at Rouse, said the consolidation ensured the company's finance software was easier to administer and organize around a set of common business rules, which helps in the compliance process.

"We have less gaps in our Sarbanes-Oxley process, so there's less of a chance we'll have a compliance issue because someone didn't understand the disparity of systems," said Edwards, in Columbia, Md.

Edwards agreed that Sarbanes-Oxley compliance was costly, although he declined to discuss how much Rouse was spending on compliance efforts. However, he said he expects Rouse to realize benefits in the long term.

"We think a lot of the upside will be long-term, not an immediate payback," Edwards said. "The long-term effect should be that we produce higher-quality business processes throughout the organization with higher-level awareness and controls."

Ultimately, the Sarbanes-Oxley Act will change the way the business world works, for the better, Edwards said.

"Companies will have higher-quality staff, automation and processes," he said.

There could, however, be casualties along the way. While smaller-cap companies will have longer to comply, they are otherwise bound by the same standards as larger companies. Edwards said he is not sure that's the right way to go and predicted that Sarbanes-Oxley could drive many smaller public companies out of business or at least into the arms of private financiers.

"If you have to pony up $1 million a year in ongoing compliance costs, and you're only making $100 million a year, that's a lot of money to spend on a non-revenue-generating activity," Edwards said.

The Hackett Group, of Atlanta, predicts costs of annual compliance at most companies will be in the range of $5 million to $7 million.

While Rouse's IT department is heavily involved in Sarbanes-Oxley compliance, Edwards stressed that all departments in an organization need to take ownership of business processes for compliance to succeed. He advocated that each department have its own compliance team leader to oversee department-level compliance efforts.

"If companies are just getting their accounting department or auditors involved, then I can guarantee you they'll have an opinion rendered against them," Edwards said.

"Sarbanes-Oxley compliance is a lot like Six Sigma or TQM [total quality management], where everyone in the organization has to be aware and own their own processes," he said.

Posted by Craig at February 16, 2004 10:35 PM