
Sarbanes-Oxley Compliance Automation Mandatory for Larger Companies



mThink Knowledge - Posted on 30 September 2003

Authored by: Robert Kugel, Ventana Research
May 12, 2004 - Ventana Research strongly advises companies with more than 5,000 employees that must comply with the Sarbanes-Oxley Act to adopt formal, fully automated methods for tracking their compliance process. In our judgment, companies will find that investing in an automated compliance monitoring system is justified both by the significantly reduced chance of a compliance process failure and by the time saved compared to a manual or partially automated system. We advise our clients to determine how they wish to manage their Sarbanes-Oxley compliance process, and select the monitoring system that best fits this process definition and the company’s existing software resources.

View

There are two basic sets of information companies must collect to monitor Sarbanes-Oxley compliance. One set looks at the accounting numbers or operational data to determine if there is some compliance metric out of tolerance. A jump in days sales outstanding in a business unit might be the result of channel stuffing at the end of a period to make the results appear better or simply poor credit management. Monitoring ratios, actuals versus forecast, and so on, is one way to test accounting and operational data. As important as these numbers are as a direct measure of whether there may be an out-of-control condition, they represent the easiest information to collect because they come directly out of the company's financial and other IT systems.

The second set of data companies must collect is about how the process is being executed. For example, have all of the managers with periodic attestation requirements signed off on their accounting results and have all of their supervisors accepted their statements? Have responsible parties assessed all press releases and determined their materiality for an 8-K filing? Has the appropriate individual reviewed that determination and an 8-K filed within the time required? Have internal auditors performed required tests of control systems and found them in working order? Senior managers and audit committees must have this information (and be able to rely on the quality of the information) in order to discharge their responsibilities under the Act, in our judgment.

Collecting information about the process, however, is more difficult because systems must connect and coordinate specific activities by people in particular roles and the specific processes individuals must execute. The system also must track what has been accomplished, when, and by whom.

Alternatively, because much of the Sarbanes-Oxley compliance process involves creating and reviewing documents (e.g., assertions and attestations), companies may elect to use workflow-enabled content management software as the key "platform" for process automation and tracking. These documents might automatically combine written material (e.g., assertions) and financial information (e.g., an income statement and balance sheet of the business unit generated through a reporting system). This approach would make the most sense if the company used existing software licenses and internal skills to fashion a solution, but would require the user organization to develop and maintain the compliance process definition pieces.

A third approach is to use partly automated or manual systems involving existing e-mail systems, checklists, spreadsheets, and so on. Although the up-front cost of these approaches is substantially less than the other two, we estimate they will be far more costly (involving considerably more staff time), and less safe over the long run.

Ventana Research continues to believe that Sarbanes-Oxley will have a limited impact on the enterprise software business until companies have passed the design and implementation phase. We assert successful companies will automate their compliance efforts to make resources available for more strategic activities. They should attempt to enhance the effectiveness of their finance/IT environment as they retool processes to improve the maturity of their control systems and improve performance.

To address the process challenges, companies have several options for automating their compliance efforts, ranging from full featured to relatively simple. Hyperion recently announced it will begin offering a Sarbanes-Oxley compliance dashboard, created in conjunction with its partner, Axentis, which develops governance, compliance and risk management solutions. The software allows users to create dashboards that aggregate information about the status of financial control elements - typically the status of a control metric (e.g., are the DSOs at operating units within tolerances?) or the compliance process itself (e.g., what is the status of individual financial statement assertions?). Where an issue exists, users can drill down to determine the specifics and causes.

Other vendors such as Approva offer software packages that manage multiple elements of audit systems (e.g., whether appropriate segregation of duties is in place, whether internal process documentation exists and is up to date, etc.) and that also go beyond simple documentation, offering ongoing status monitoring as well as incorporating best practices in their design (e.g., controls test methodologies).

The Axentis approach is a system that allows users to map people (e.g., employees, outside auditors) to compliance-related roles/responsibilities, connect these people to the processes that must be executed, and monitor events as they occur. The key advantage of the Hyperion/Axentis, Approva, and other process management systems like Fuego and Lombardi for Sarbanes-Oxley compliance is their "out of the box" capabilities.

Assessment

Ventana Research strongly advises corporations with more than 5,000 employees governed by the Sarbanes-Oxley Act to automate their compliance monitoring efforts. They should begin their evaluation process soon even if they have not yet completed the definition and configuration of their financial control systems, since it will likely take them a year to evaluate options, execute the selection process, and implement the software.

In our judgment there is no general approach to compliance monitoring that is inherently "the best" (this depends on the company's circumstances and resources), but having a formal automated monitoring system is better than relying on manual methods. We expect many outside directors on audit committees will demand such a system be in place to enable them to exercise due diligence without having to spend too much time confirming the nitty-gritty. Under these circumstances, an automated system will not be an option, and senior finance people should be ready to address this question of how the company will deliver this capability before their Board of Directors raises it.

 

About the Author
Title: CFA, VP & Research Director - Financial Performance Management, Ventana Research
Robert Kugel heads up the Financial Performance Management practice at Ventana Research, which covers the application of IT to financial process optimization, analytics and advanced planning. Before joining Ventana, he worked at First Albany Corporation, Morgan Stanley and McKinsey. Mr. Kugel earned his B.A. in economics at Hampshire College and an M.B.A. in finance at Columbia University and is a CFA charter holder.
