There are two basic sets of information companies must collect to monitor Sarbanes-Oxley
compliance. One set looks at the accounting numbers or operational data to determine
if there is some compliance metric out of tolerance. A jump in days sales outstanding
in a business unit might be the result of channel stuffing at the end of a period
to make the results appear better, or simply of poor credit management.
Monitoring ratios, actuals versus forecast, and so on, is one way
to test accounting and operational data. As important as these numbers are as
a direct measure of whether there may be an out-of-control condition, they represent
the easiest information to collect because they come directly out of the company’s
financial and other IT systems.
The second set of data companies must collect is about how the process is being
executed. For example, have all of the managers with periodic attestation requirements
signed off on their accounting results and have all of their supervisors accepted
their statements? Have responsible parties assessed all press releases and determined
their materiality for an 8-K filing? Has the appropriate individual reviewed
that determination and an 8-K filed within the time required? Have internal
auditors performed required tests of control systems and found them in working
order? Senior managers and audit committees must have this information (and
be able to rely on the quality of the information) in order to discharge their
responsibilities under the Act, in our judgment.
Collecting information about the process, however, is more difficult because
systems must connect and coordinate specific activities by people in particular
roles and the specific processes individuals must execute. The system also must
track what has been accomplished, when, and by whom.
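The two data sets described above can be expressed as a small monitoring routine. The following Python is an added example, not code from the note or from any vendor it mentions; the operating units, managers, DSO figures, tolerance and dates are constructed sample values, and the threshold logic (percent deviation from forecast; sign-off, supervisor acceptance and deadline checks) is an assumption about how such a monitor might be built.

```python
"""Added example: a compliance monitor covering both data sets described above.
Set 1 tests accounting data (DSO actual vs. forecast against a tolerance).
Set 2 tests process execution (who signed off, who accepted it, and when).
All names, figures and dates below are constructed sample data."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class MetricReading:
    """One control metric for one operating unit (set 1: accounting data)."""
    unit: str
    metric: str
    actual: float
    forecast: float


@dataclass
class Attestation:
    """One manager's periodic sign-off and its supervisor acceptance (set 2: process data)."""
    unit: str
    manager: str
    due: date
    signed_on: Optional[date] = None
    supervisor: Optional[str] = None
    accepted_on: Optional[date] = None


def metric_exceptions(readings: List[MetricReading], tolerance_pct: float) -> List[Tuple[str, str, float]]:
    """Flag readings whose actual deviates from forecast by more than tolerance_pct percent."""
    flagged = []
    for r in readings:
        deviation = abs(r.actual - r.forecast) / r.forecast * 100.0
        if deviation > tolerance_pct:
            flagged.append((r.unit, r.metric, round(deviation, 1)))
    return flagged


def process_exceptions(attestations: List[Attestation], today: date) -> List[Tuple[str, str]]:
    """Flag attestations that are unsigned, signed late, or not yet accepted by a supervisor."""
    issues = []
    for a in attestations:
        if a.signed_on is None:
            issues.append((a.unit, "not signed (overdue)" if today > a.due else "not signed"))
            continue
        if a.signed_on > a.due:
            issues.append((a.unit, "signed late"))
        if a.accepted_on is None:
            issues.append((a.unit, "awaiting supervisor acceptance"))
    return issues


def audit_trail(attestations: List[Attestation]) -> List[Tuple[date, str, str, str]]:
    """What was accomplished, when, and by whom: the record an audit committee relies on."""
    events = []
    for a in attestations:
        if a.signed_on:
            events.append((a.signed_on, a.manager, "signed attestation", a.unit))
        if a.accepted_on:
            events.append((a.accepted_on, a.supervisor, "accepted attestation", a.unit))
    return sorted(events)


# Constructed sample data (not figures from the note)
SAMPLE_METRICS = [
    MetricReading("North", "DSO", actual=62.0, forecast=45.0),
    MetricReading("South", "DSO", actual=46.0, forecast=45.0),
    MetricReading("West", "DSO", actual=40.0, forecast=45.0),
]

PERIOD_DUE = date(2004, 1, 15)
SAMPLE_ATTESTATIONS = [
    Attestation("North", "A. Smith", PERIOD_DUE, date(2004, 1, 14), "CFO", date(2004, 1, 16)),
    Attestation("South", "B. Jones", PERIOD_DUE, date(2004, 1, 17)),
    Attestation("West", "C. Lee", PERIOD_DUE),
    Attestation("East", "D. Kim", date(2004, 1, 25)),
]


def compliance_report(today: date = date(2004, 1, 20), tolerance_pct: float = 10.0) -> dict:
    """Combine both sets of checks plus the audit trail into one dashboard-style report."""
    return {
        "metric_exceptions": metric_exceptions(SAMPLE_METRICS, tolerance_pct),
        "process_exceptions": process_exceptions(SAMPLE_ATTESTATIONS, today),
        "audit_trail": audit_trail(SAMPLE_ATTESTATIONS),
    }


if __name__ == "__main__":
    for section, rows in compliance_report().items():
        print(section)
        for row in rows:
            print("   ", row)
```

The metric check is the easy half, as the note says: it is a pure function of numbers already in the financial system. The process half only works because the `Attestation` record carries the actor, the action and the timestamp; without that triple the monitor could report neither the overdue sign-offs nor the audit trail.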
Alternatively, because much of the Sarbanes-Oxley compliance process involves
creating and reviewing documents (e.g., assertions and attestations), companies
may elect to use workflow-enabled content management software as the key “platform”
for process automation and tracking. These documents might automatically combine
written material (e.g., assertions) with financial information (e.g., an income
statement and balance sheet of the business unit generated through a reporting
system). This approach would make the most sense if the company used existing
software licenses and internal skills to fashion a solution, but would require
the user organization to develop and maintain the compliance process definition
A third approach is to use partly automated or manual systems involving existing
e-mail systems, checklists, spreadsheets, and so on. Although the up-front cost
of this approach is substantially less than the other two, we estimate it
will be far more costly (involving considerably more staff time) and less safe
over the long run.
Ventana Research continues to believe that Sarbanes-Oxley will have a limited
impact on the enterprise software business until companies have passed the design
and implementation phase. We assert successful companies will automate their
compliance efforts to make resources available for more strategic activities.
They should attempt to enhance the effectiveness of their finance/IT environment
as they retool processes to improve the maturity of their control systems and
To address the process challenges, companies have several options for automating
their compliance efforts, ranging from full featured to relatively simple. Hyperion
recently announced it will begin offering a Sarbanes-Oxley compliance dashboard,
created in conjunction with its partner, Axentis, which develops governance,
compliance and risk management solutions. The software allows users to create
dashboards that aggregate information about the status of financial control
elements – typically the status of a control metric (e.g., are the DSOs at operating
units within tolerances?) or the compliance process itself (e.g., what is the
status of individual financial statement assertions?). Where an issue exists,
users can drill down to determine the specifics and causes.
Other vendors such as Approva offer software packages that manage multiple
elements of audit systems (e.g., whether appropriate segregation of duties is
in place; whether internal process documentation exists and is up to date, etc.). These
also go beyond simple documentation, offering ongoing status monitoring as well
as incorporating best practices in their design (e.g., controls test methodologies).
The Axentis approach is a system that allows users to map people (e.g., employees,
outside auditors) to compliance-related roles/responsibilities, connect these
people to the processes that must be executed, and monitor events as they occur.
The key advantage of the Hyperion/Axentis, Approva, and other process management
systems like Fuego and Lombardi for Sarbanes-Oxley compliance is their “out
of the box” capabilities.
Ventana Research strongly advises corporations with more than 5,000 employees
governed by the Sarbanes-Oxley Act to automate their compliance monitoring efforts.
They should begin their evaluation process soon even if they have not yet completed
the definition and configuration of their financial control systems, since it
will likely take them a year to evaluate options, execute the selection process,
and implement the software.
In our judgment there is no general approach to compliance monitoring that
is inherently “the best” (this depends on the company’s circumstances and resources),
but having a formal automated monitoring system is better than relying on manual
methods. We expect many outside directors on audit committees will demand such
a system be in place to enable them to exercise due diligence without having
to spend too much time confirming the nitty-gritty. Under these circumstances,
an automated system will no longer be optional, and senior finance people should
be ready to address the question of how the company will deliver this capability
before their Board of Directors raises it.