TAX & ACCOUNTING / BUDGETING
April 2005
LOOKING FOR GAPS
The latest generation of compliance
software promises to do more to ease the burden of internal-controls
assessment.
By John Goff
At this time last year, finance managers were busy tapping out distress signals from Documentation Hill. At the time, the compliance deadline for Section 404 of the Sarbanes-Oxley Act was fast approaching. While Section 302 had garnered most of the media’s attention, 404 was proving to be the real compliance bear. Among other things, it requires companies to identify key business processes, the controls overriding the processes, and any vulnerabilities in those controls. Summarizing the 404 project at Public Service, a utility in New Mexico in the US, Carl Seider, analysis programming lead for the company, says: “It was like, ‘OK, stop the world while we take care of this.’”
Instead, officials at the US Securities and Exchange Commission stopped the clock, repeatedly pushing back the drop-dead date for implementing Section 404. That gave most accelerated filers a reprieve in 2004, but the revised deadlines all expire by this month. And many finance managers say they will not willingly spend another year in compliance purgatory.
That’s understandable. Preparations for 404 have exacted a heavy price. Software maker Micros Systems, for one, has spent roughly US$4 million in the past two years on its compliance program for Section 404. And the US company, with revenues of US$487 million, hardly qualifies as a corporate giant. “We’ve spent an enormous amount of money,” says controller Cynthia Russo. “More than we had planned.”
Micros is hardly alone. AMR Research vice president John Hagerty estimates that total corporate outlays for overall Sarbox compliance this year will exceed US$6 billion. All indications are that Section 404 will account for the vast majority of that. According to Financial Executives International, US companies with revenues of US$5 billion or more could spend more than US$4.6 million this year getting in compliance with 404. And in a recent study of large companies conducted by law firm Foley & Lardner, the majority of respondents cited 404 compliance as their single-biggest expense stemming from governance reform. Despite assurances from officials at the Public Company Accounting Oversight Board (PCAOB) that Sarbox-related costs will diminish over time, anecdotal evidence suggests that costs will rise before they fall.
ENTER THE SOFTWARE VENDORS
To date, the bulk of business expenditures on controls assessment has gone toward additional manpower, what Theodore Frank, president of enterprise compliance software company Axentis, calls the “muscling of 404”. One corporate IT manager notes that his department has already logged 10,000 man-hours readying his employer’s systems for 404 compliance. Not surprisingly, that’s led scores of managers in search of a means to automate at least some of the blocking and tackling involved.
Until recently, however, their calls for technological help went largely unanswered. By all accounts, first-generation Sarbox applications, often rushed out the door by sales-happy vendors, were usually little more than collections of compliance best practices. “A few of the vendors we saw didn’t know what COSO was,” recalls Greg Buccarelli, director of Sarbanes-Oxley compliance at drugmaker Novartis, referring to the risk-management principles formulated by the Treadway audit-industry commission in the mid-1980s. “Some weren’t even familiar with the sections of Sarbanes-Oxley.”
But as the law has come to dominate the governance landscape – and Section 404 the Sarbox landscape – vendors retooled and refined their internal-controls offerings. And now, fortunately enough, new versions of Sarbox software programs represent big improvements over earlier offerings. Certainly, recent releases from Axentis, Hummingbird, OpenPages, Virsa Systems, and Approva reflect a more realistic understanding of the burdens. Some of the programs compare a company’s current controls to compliance best practices, offering solutions on how to shore up weaknesses and better segregate duties. Others help managers document policies and procedures, creating electronic archives of those policies along the way. Several programs flag internal transactions that look suspicious.
Not surprisingly, improved software has led to improved software sales, and AMR now predicts that spending on Sarbox-aimed programs will jump 52 percent this year. “There was no big and compelling reason to buy software a year-and-a-half ago,” claims Robert Kugel, vice president and research director (FPM) at Ventana Research in the US. “Besides, managers wanted to see what the processes looked like before buying software.”
And that’s just what they did. Ask any compliance manager or controller what he spent his time on last year, and the answer is invariably the same. Early on, he attended weekly controls-documentation meetings. A few months later, he created spreadsheets filled with key business processes for all departments. After that, he spent untold hours compiling gap flowcharts and fashioning elaborate models out of control matrixes. Says Pedro Carrera, SAP manager at US freight carrier RailAmerica: “The documentation is what kills you.”
The 404 project at Anchor Bank is typical of the slog. A US$3.9 billion (in revenues) thrift that operates 60 branches in Wisconsin, Anchor commenced its 404 program mid-year. Like most banks, Anchor relies heavily on its information systems, so management established a discrete 404 program for its technology group. Peter Bachman, who heads up the bank’s information systems department, says the project team followed standards promulgated by the IT Governance Institute (ITGI), an industry association based in Illinois in the US.
Using the ITGI guidelines, Anchor hived off its technology risks into 12 categories. Bachman says members of the compliance team then created “process narratives” for each risk. That is, workers sat in a room and verbally identified the risks in each category, the controls for those risks, and the processes governing, well ... the processes. Eventually, Anchor ended up with 50 process narratives for information systems alone (as of press time, executives at the bank had completed their internal testing of documentation and were awaiting attestation by auditor Ernst & Young). “Lots of companies have good processes, but they’re not documented,” notes Bachman. “But if a process is not documented, it’s assumed [by the auditor] that it’s not being done.”
That’s where software can help. Micros purchased a web-based product from OpenPages called Sarbanes-Oxley Express to help identify and store key internal controls (and the policies governing those controls) in a standard format in a relational database. That was no small task, considering the maker of enterprise applications for the hospitality industry operates more than 40 subsidiaries globally. Compounding the problem: many of the subsidiaries run separate accounting systems. In its first pass at 404, the compliance team at Micros identified more than 1,000 key internal controls. And controller Russo adds: “There’s no end point. You always see [another] existing control that needs to be documented.”
FINDING A PLATFORM
Like other controllers, Russo has worked closely with her employer’s independent auditor in testing the company’s internal controls. At many businesses, however, the documentation of those controls is scattered in Excel spreadsheets or, worse, lengthy paper printouts. And that can make it difficult for an auditor to help a client identify weaknesses that need shoring up.
Sources say the Big Four audit firms disagree about how much 404 advice they can dispense to clients prior to attestation. But many believe the firms will soon insist on more clearly marked audit trails, simply because of the time and effort they themselves spent helping clients anticipate 404’s requirements during their most recent audits. “The process the firms went through this first time is not sustainable,” claims an executive at a mid-size software company. “They need a more consistent and reliable [documentation] system with clients.”
The biggest challenge is finding an appropriate compliance platform. With their built-in – and robust – controls, enterprise resource planning applications from SAP AG and Oracle would seem to be the obvious choices. Managers at US-based Lannett, for example, decided to tie the company’s 404 project to a rollout of SAP for Pharmaceuticals. Explains Greg Liscio, SAP project manager at Lannett, a US$64 million (in revenues) generic-drug maker: “SAP has a rich library of validation tests.” Those tests, he says, are applicable for both Sarbox compliance and Food and Drug Administration requirements.
Not all SAP clients are sold on the software as a 404 tool, however. “The controls are great,” notes Buccarelli of Novartis. “But there’s no framework for assessing those controls and housing them.” To fill the documentation gap, a number of third-party vendors market programs designed to run on top of the R/3 platform. One example: BizRights from US-based Approva, which analyzes a user’s SAP system, compares the company’s internal controls against a set of best practices, then produces a report based on the findings.
New software may also be more effective than earlier versions in ensuring the efficacy of controls. With that in mind, RailAmerica, for instance, has deployed programs from Virsa Systems to augment the controls wired into the company’s SAP system. The short-line and regional rail operator, which began its 404 effort in the fourth quarter of 2003, uses the third-party software to monitor usage of financial and IT programs. One application, called Firefighter, enables managers to log onto systems they don’t routinely have access to. Another module, Compliance Calibrator, monitors segregation of duties, guaranteeing that users have no security-access conflicts to such sensitive transaction systems as accounts payable.
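The segregation-of-duties check described above reduces to a simple rule: no single user may hold two capabilities that together let them complete a sensitive transaction unreviewed. The following is an added illustration of that logic, not Virsa’s Compliance Calibrator or any vendor’s code. The role names, transaction capabilities, conflict rules and user assignments are all constructed to resemble an ERP authorization model; they are not a published standard. It does two things a practitioner would want: a detective sweep over existing assignments that records which roles created each conflict (the audit trail the article’s auditors are asking for), and a preventive check that a proposed role grant can be run through before it is approved.

```python
"""Segregation-of-duties (SoD) conflict check over role assignments.

Added illustration only; not the code of any product named in the article.
All rules, roles, capabilities and users below are constructed sample data.
"""
from typing import Dict, List, Set, Tuple

# Constructed conflict rules: two capabilities one person should not hold
# together, plus the business risk an auditor would cite for the pair.
SOD_RULES: List[Tuple[str, str, str]] = [
    ("VENDOR_MASTER_MAINTAIN", "PAYMENT_RELEASE", "create a fictitious vendor and pay it"),
    ("PURCHASE_ORDER_CREATE", "GOODS_RECEIPT_POST", "order goods and confirm receipt unchecked"),
    ("INVOICE_ENTER", "PAYMENT_RELEASE", "enter and pay an invoice without review"),
    ("USER_ADMIN", "PAYMENT_RELEASE", "grant oneself payment rights"),
]

# Constructed role -> capability mapping (what each role lets a user do).
ROLE_CAPABILITIES: Dict[str, Set[str]] = {
    "AP_CLERK": {"INVOICE_ENTER", "VENDOR_INQUIRY"},
    "AP_MANAGER": {"PAYMENT_RELEASE", "VENDOR_INQUIRY"},
    "VENDOR_ADMIN": {"VENDOR_MASTER_MAINTAIN", "VENDOR_INQUIRY"},
    "BUYER": {"PURCHASE_ORDER_CREATE"},
    "WAREHOUSE": {"GOODS_RECEIPT_POST"},
    "BASIS_ADMIN": {"USER_ADMIN"},
}

# Constructed user -> role assignments; this is what the sweep audits.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_MANAGER", "VENDOR_ADMIN"},   # maintains vendors and releases payments
    "carol": {"BUYER", "WAREHOUSE"},         # orders goods and posts their receipt
    "dave": {"BASIS_ADMIN"},
    "erin": {"AP_CLERK", "AP_MANAGER"},      # enters invoices and releases payments
}


def effective_capabilities(user: str, user_roles: Dict[str, Set[str]],
                           role_caps: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Return capability -> set of roles granting it, so a finding can name
    exactly which role assignments produced the conflict."""
    caps: Dict[str, Set[str]] = {}
    for role in user_roles.get(user, set()):
        for cap in role_caps.get(role, set()):
            caps.setdefault(cap, set()).add(role)
    return caps


def find_sod_conflicts(user_roles: Dict[str, Set[str]], role_caps: Dict[str, Set[str]],
                       rules: List[Tuple[str, str, str]]) -> List[dict]:
    """Detective check: every user whose combined roles violate a rule."""
    findings = []
    for user in sorted(user_roles):
        caps = effective_capabilities(user, user_roles, role_caps)
        for cap_a, cap_b, risk in rules:
            if cap_a in caps and cap_b in caps:
                findings.append({
                    "user": user,
                    "conflict": (cap_a, cap_b),
                    "via_roles": (sorted(caps[cap_a]), sorted(caps[cap_b])),
                    "risk": risk,
                })
    return findings


def would_conflict(user: str, new_role: str, user_roles: Dict[str, Set[str]],
                   role_caps: Dict[str, Set[str]], rules: List[Tuple[str, str, str]]) -> List[dict]:
    """Preventive check: simulate granting new_role and report any conflicts
    the grant would introduce, without modifying the real assignments."""
    trial = dict(user_roles)
    trial[user] = set(user_roles.get(user, set())) | {new_role}
    return [f for f in find_sod_conflicts(trial, role_caps, rules) if f["user"] == user]


if __name__ == "__main__":
    for f in find_sod_conflicts(USER_ROLES, ROLE_CAPABILITIES, SOD_RULES):
        print(f"{f['user']}: {f['conflict'][0]} via {f['via_roles'][0]} + "
              f"{f['conflict'][1]} via {f['via_roles'][1]} -> risk: {f['risk']}")
    # Access request that should be refused: an IT admin asking for payment release.
    print("dave + AP_MANAGER:", would_conflict("dave", "AP_MANAGER",
                                               USER_ROLES, ROLE_CAPABILITIES, SOD_RULES))
```

Running the sweep flags bob, carol and erin, and the preventive check shows that granting dave the AP_MANAGER role would create a user-admin/payment-release conflict, which is the class of request such a check is meant to stop before it reaches the system. A real deployment would source the role and capability maps from the ERP’s authorization tables rather than literals, and would record approved exceptions (with their compensating controls) so that the same finding is not raised on every run.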
But software isn’t a cure-all. As some experts point out, it’s just about impossible to hermetically seal all information systems within a sizable company. Asks one technology manager: “How do you monitor what IT people do in a system when they have access to all the systems?”
GUIDANCE, PLEASE
A little more direction on what constitutes acceptable controls would no doubt ease the pain for finance executives. It would also help software makers better target their products. But so far, neither the SEC nor the PCAOB has offered up specific guidelines on 404 documentation.
Lacking such input, a number of vendors have built their governance programs around the COSO framework. PeopleSoft Enterprise Internal Controls Enforcer, for one, utilizes portal technology, and includes (among other things) a repository for control policies and procedures. QuadraMed, a software development company, deployed the PeopleSoft application last summer. One of the strengths of the program, says Kevin Haggerty, senior director of internal audit at US-based QuadraMed, is its deft handling of company procedures. “An employee or an auditor can easily go in and look at a policy,” he says.
The digital bread crumbs could prove invaluable for companies when their attesters come calling. In an age of regulatory zeal, experts say just the appearance of running a tight ship is a plus. Ventana’s Kugel believes if an auditor can quickly get a piece of 404-related information, it’ll be less likely to dig deeply into a company’s internal controls. “But if they walk in and see boxes of papers lying around,” he warns, “they’re not going to be sure they won’t miss something. Then they’re going to be around longer.”
That may well put the squeeze on companies already behind the 404 eight ball. As Haggerty points out, it’s hard enough for managers to get through their own documentation and testing. Dragging out the attestation process will shorten the time filers have to fix material weaknesses, which is the whole point of 404 to begin with. Indeed, some filers, pressed for time, are apparently having their auditors conduct only one test of their internal controls. That strategy has investor-relations disaster written all over it. Novartis, for example, conducted four internal tests and four auditor tests of its internal controls last year. “If anybody has their auditor coming in just once,” says Buccarelli, “they’re in real trouble.”

John Goff is technology editor of CFO in the US.