Sarbanes-Oxley has far-reaching implications and, in the long term, even those companies that are not obliged to comply could find their approach to internal audit and controls affected by the changes it will bring.
So why does it feel like the lull before the storm? CFOs in the US are in a panic over implementing the Sarbanes-Oxley Act, but their colleagues in Britain are taking a more laid-back approach.
One reason for the relaxed approach to its implementation is that UK companies caught by the act have longer to comply – the law comes into effect for non-US companies with year endings after 15 April 2005, almost a year after the 15 June 2004 kick-off date for US companies.
Richard Brown, partner in the information security practice at Ernst & Young, says most UK companies are using the extra 10 months’ grace to see how companies in the US handle its implementation; to learn from the experience of others. But Brown warns, “The amount of work they need to do is not insubstantial.”
That work will involve changes to IT systems, but it will also mean a new look at business and financial processes, and the whole internal audit piece. Because most of the current action is in the US, it’s worth picking up on the early findings of other companies.
A survey by Financial Executives International (FEI) found that the average large-cap company will spend about 6,000 person-hours of work getting its internal controls to a state where they match up to the needs of section 404 of the act, which describes the need for an internal control report in each annual report. The control report must set out information on the effectiveness of internal controls and procedures for financial reporting.
The FEI survey claims that external audit fees are rising by about 35% as a result of implementing the act. In addition, the average spend on extra software and IT consulting is $480,000. Whether these figures are replicated in Britain is too early to say, but there is certainly more cost down the track.
Similarly, most of the Sarbanes-Oxley software action has been in the US, where at least a dozen companies have made specific announcements of toolkits designed to help companies deal with compliance issues.
The companies include global giants such as PeopleSoft and Oracle, as well as less well-known players, such as OpenPages and Fuego.
But the word on the street is that, while software may help with Sarbanes-Oxley compliance, there is no out-of-the-box solution. “Most of the solutions I’ve seen focus on capturing information from multiple subsidiaries, accounts or business processes,” says Brown. “But it’s the strategisation piece where management needs to make the hardest decisions. They need to look at how they’re controlling the business and what the controls are that enable them to do so.”
Even so, Sarbanes-Oxley generally, and especially 404, requires companies to collect and monitor financial information in what Brown calls “a greater level of granularity than they may have been used to in the past”. So software tools that help to collect and document relevant information more thoroughly could play a key role. “They need to be able to document all of the material for a business,” says Brown. “If you’re a multinational, that means capturing information not just in one country, but right across the globe, where different companies might have different significant accounts. You’re building a huge repository of information.”
So what does that mean in terms of practical software? Sheree Fleming, head of financial solutions at SAP, points to four key areas of functionality that will be needed to manage 404. The first is internal control, so a system will need a set of structured programmes to help internal and external auditors look at transactions within the system. Second is consolidation.
“In the case of SAP, a 404 system would need to consolidate information from other SAP systems as well as non-SAP systems, and check that those transactions were recorded from known systems,” says Fleming. The third element is risk management, which is partly about setting parameters so that systems can flag up early warning signs. The fourth is management cockpit – a kind of business intelligence system that provides management with a high-level view of what’s happening.
It’s early days yet, but the frustrating thing for many companies is that they already have bits of this software functionality in place. That’s frustrating because they will also need to look closely at how they can use existing software in different ways to meet Sarbanes-Oxley compliance.
In some cases, major software companies are looking to plug those holes. SAP, for example, is looking at new functionality for its audit portal. “At present, our systems deliver a whole range of reports, but there is not one specifically on internal controls,” says Fleming.
Oracle, too, is beefing up its offering to help companies handle Sarbanes-Oxley. It has announced an internal controls manager, targeted specifically at 404, as part of its E-Business Suite. It aims to help companies test internal controls and their adherence.
So what are those companies that have started on Sarbanes-Oxley systems compliance actually doing? “Most companies are working with some kind of outside help,” says Deborah Hamilton, senior product marketing manager in the financial management solutions division of PeopleSoft in the US.
“Companies are using their external auditor, or another auditor if they’re concerned about conflict of interest.
“I think a good approach is to make sure you start with a solid architectural foundation to your systems, which supports real-time reporting so you can track financial and operational changes. In fact, we’re finding that Sarbanes-Oxley is providing an opportunity for companies to standardise some of their systems.”
Fleming also believes that consulting with auditors is a good starting point. “Look at your internal controls and see what is provided by business systems, and what changes to the systems are regarded as necessary.”
She points out that compliance penetrates right to the heart of corporate culture. “Companies need to look at whether their controls and the systems that support them are in line with their culture and attitude to risk.”
Systems can also be used to make sure all staff adhere to procedures. “You can use systems to make people more diligent in document preparation,” says Fleming. “For example, if they’re creating a customer record, you make sure they complete specific fields before it’s possible to save the record.”
Brown points out that Sarbanes-Oxley reverses the traditional approach to risk management in many British companies. “They have a top-down approach that asks what the big risks are and then drills down to see what controls are needed to manage those risks,” he says. “Sarbanes-Oxley … documents all the systems, processes and controls, and then works out which of them feeds up to being a key control. It is more bottom-up.”
When to start work? “Start now, start yesterday,” Brown says. “That’s especially important if you have finance and IT departments that never meet. Sarbanes-Oxley is all about processes cutting across the business.” But Brown warns, “The concerns we’re finding is that the skills around understanding business processes, being able to capture appropriate information and identify relevant controls, is not something that comes naturally to a some organisations.”
With so many challenges ahead, it looks as though that lull before the storm won’t last.
ALL SYSTEMS GO
With the deadline for Sarbanes-Oxley implementation put back, detail on specific regulations still emerging and software houses struggling to announce toolkits, it’s no surprise that few FDs are ready to stick their heads above the parapet and announce they’ve got the problem licked.
Most are still coming to terms with the scope and complexity of what they have to do. Although systems and software will play a key role in compliance, moulding financial processes will also be important.
In the US, 71% of CFOs in a PeopleSoft survey thought section 404 – which requires business process audits and documentation to support internal controls certification – is the key part of the act. Anecdotal evidence suggests that’s also the case among those British companies caught in the Sarbanes-Oxley web.
John Coombe, CFO of GlaxoSmithKline, told Accountancy Age, Financial Director’s sister title, that the company had adopted a system of judgement reports to enable him and other company officers to sign off on the so-called ‘oath of honesty’, attesting that the company’s accounts are accurate and backed by evidence.
Coombe explains that executive team leaders study segments of the profit and loss account, and confirm they are accurate as far as their section of the business is concerned. The segments cover US, Europe and international geographies, but also corporate entities such as manufacturing and R&D.
The team leaders must confirm they’ve reviewed the figures with their management teams and that they’ve used sound judgements to arrive at them.
“In the judgement reports, the executive leaders confirm that their share of the group’s profits represent a true and fair result of their work,” says Coombe. He believes extra work is having a positive effect by giving managers more confidence in the figures.
Most of the companies that have moved to install new technology to aid compliance are in the US. One is Volt Information Sciences, a $2bn business services provider.
Volt CFO James Groberg chose Sarbanes-Oxley Express, a programme that can be used to set up ‘management dashboards’ so that managers can look at reports and disclosures more easily. The system provides audit trails so it is possible to check different versions of documents in a central repository.
Groberg says his compliance team chose the system to achieve three main objectives – document existing corporate controls, shorten reporting cycles and work toward business process improvement. “The system provides a guided collaborative approach to complying with section 404. It provide a real sense of ownership to local field officers and managers,” he says.