Company/organisation: Clear Channel (UK subsidiary of a US parent)
Compliance issue: Sarbanes-Oxley
Old system: Frango Consolidator (company bought by Cognos a year ago)
New system: Cognos Controller
Shortlist: The company considered a wide range of specialist Sarbanes-Oxley compliance products but decided to stay with Cognos’s upgraded product “because we knew the product and knew the people”.
Perceived benefits: The old system had critical weaknesses in the context of Sarbanes-Oxley that had been highlighted by the company’s internal audit function. Specifically, the password controls and audit trail were considered too weak to be compliant. The new system fixed this and also offered the possibility of collecting more information without compromising speed of closure of financial reporting periods.
Actual benefits: SarbOx compliance and the ability to close in 24 hours, despite collecting 40% more information from business units.
Unforeseen issues: Minor snags with programming, some bugs with the new system, but no “show stoppers”.
Comment: “We are under pressure, not just to implement SarbOx coherently across the organisation but also to meet ever-sharper US reporting period closure demands,” says Mark Thewlis, group finance director of Clear Channel UK. “Under the old Frango system, it would have taken us a week to do what we now do in 24 hours collecting 40% more detail.
“We have now produced our first SarbOx report and have had no deficiencies highlighted by internal or external audit, which is pleasing. This was very much a pathfinder year. Next year, we will be going into the process with a much better understanding of what it all entails.
“We can already see some ways of fine-tuning the process, but we now have all the documentation and procedures in place, with the appropriate controls at all levels of reporting. One has to remember that for non-US business units, SarbOx is an entirely foreign concept, so getting everyone up to speed and keeping them motivated was a challenge.”
Company/organisation: Britannia Building Society
Compliance issue: Basel II, IFRS
Old system: A management information system based on a mixture of reports from mainstream operational business applications and paper reports
New system: A management information system built on an Oracle database, using IBM’s data extract tool and Business Objects to do the reporting for a range of business, statutory and compliance purposes
Shortlist: The IT team gave consideration to a range of specialist Basel II compliance systems but formed the view that these were ‘Rolls-Royce’ approaches to a specific challenge, when that challenge could best be treated by a generic data warehouse approach capable of meeting a range of compliance issues.
Perceived benefits: The old combination of systems and processes could not meet the new compliance challenges of either Basel II or IFRS.
Actual benefits: Basel II and IFRS compliance, enhanced business analysis and reporting.
Unforeseen issues: The first attempt to build the data warehouse began with user input and then made the mistake of having the IT people go off to build the system with the users out of the loop. The delivery stage generated considerable user disquiet, so the next and subsequent data warehouse builds made a virtue of incorporating user views at every stage of the design, build and delivery process. The results were vastly higher user acceptance and a system with a much tighter fit to the business requirements as well as to compliance demands.
Comment: “In the past four years, we have taken care to ensure that the management information function, which is central to compliance, has very tight links with both the business units and the IT specialists and sits between them,” says Dave Watson, group management information manager. “Much of our business intelligence capability is seeded out in the business across a range of functions – from treasury to marketing and so on. So we have devised a structure that captures the company’s business intelligence skills and makes certain they are central to ensuring we respond to a range of regulatory and compliance demands in a coherent fashion.
“Key for us has been to ensure that all our business intelligence experts are drawing their information from a single, accurate data source. In the past, we had a management information system and a separate statutory reporting system that generated a lot of paper reports. Now the management information data warehouse is the source for everything. It takes information from our core operational systems, many of which have been updated and refreshed. We are now excellently positioned to respond as the requirements for Basel II and IFRS firm up over the next year.”
Company/organisation: Coors Brewers Ltd (UK subsidiary of a US parent)
Compliance issue: Sarbanes-Oxley
Old system: Finance and line of business systems, including Geac
New system: Risk Control Tracking System (RCTS) from Deloitte
Shortlist: RCTS came with Deloitte, which was appointed as consultants to Coors’ US parent to help with compliance.
Perceived benefits: Sarbanes-Oxley compliance
Actual benefits: Sarbanes-Oxley compliance was achieved after completion of a strenuous 18-month programme. However, the company also found that a spin-off benefit of implementation was a much tighter grip on all its control and compliance activities.
Unforeseen issues: Christine Copestake, audit services and business conduct manager, points out that because Sarbanes-Oxley was new it was a case of the blind leading the blind. “Our external auditors, PricewaterhouseCoopers, refused to give any guidance, saying we would have to wait for their official compliance review of our finished project. Moreover, the standard the external auditors had to work to was only finalised in June 2004, which meant we could not look to it at the start of our project. We knew what the big picture was, but we had to work out all the detail for ourselves,” she says.
Comment: Copestake, the manager in charge of the Sarbanes-Oxley compliance project, says: “SarbOx is all about documenting controls over access to our financial systems and the controls within the system, as well as within our IT function generally. We also had to look at all the systems that fed information into the financial systems. In the main, what we were checking was change control and access control – these are key for SarbOx. We found that, for the most part, people were doing the right thing, the right practices were in place, but there was no focus on documenting those processes in a way that would allow an external auditor to feel confident everything was operating as it should. This was part of what we had to put in place for compliance. It was all about building evidence for the fact that controls were in place and operating. It took 18 months to get it right. Everyone was on a learning curve.
“The nearest thing we had to SarbOx in the past was ISO 9000, which replaced BS 5750. This is all about documenting business processes. It is about how you make your beer, and how you know that your beer is going to be right every time. SarbOx is almost an exact parallel in that it is about how you do your reporting and how you know that you are getting it right each time.
“Key for us is the fact that SarbOx compliance is not a one-off exercise. You have to prove that your controls are working each time round. A real benefit is that it helps you focus on being more rigorous and making fewer mistakes. It puts the focus back on doing things right the first time. We are also now more confident that we would be able to spot a material fraud at a much earlier stage.”
Company/organisation: Bradford NHS Trust
Compliance issue: Data Protection Act (DPA)
Old system: Variety of NHS applications and manual systems, all containing potential DPA related information
New system: Compliance system based on Microsoft Content Management Server 2002
Shortlist: Due to time pressure, the shortlist was extremely short. It consisted of a Java-based compliance system from Terminal Four, a Dublin-based company with 95% of the Irish healthcare market, and MS Content Server.
Perceived benefits: By staying within a Microsoft Windows environment rather than moving to Java, the need for a big training initiative for staff to use the system would be avoided. The goal of the system was to enable the Bradford NHS Trust to meet its obligations under the DPA within the deadlines set out in the Act and the Trust’s budget constraints.
Actual benefits: DPA compliance was achieved, but the solution is regarded as an interim one with the ultimate solution being a move to a full-scale, Trust-wide document management system, as and when the Trust acquires a budget for such a system.
Unforeseen issues: Minor snags with programming; the interim nature of the project, with its limited objectives, was well signposted by the project team from the outset.
Comment: “My group was working on a content management system to improve internal communications in the Trust when we were approached by the IT leaders of various Trust operations and asked to build a system that could deal with DPA disclosure requests effectively,” says Mervin Silva, e-services manager for the NHS in Bradford. “We have information stored in manual files and electronic databases, and operational servers in many different systems scattered across seven NHS Trusts in Bradford, spanning 130 square miles and involving in excess of 7,000 staff.
“The mission was to ensure that DPA disclosure requests could be met accurately without missing out relevant information. Our preliminary study showed that the right answer would be a full-scale document management system on a budget of about half a million pounds, but there was no resource for this.
“The interim solution involves the IT group leaders in the various trust organisations doing a full audit on the locations, sources and types of information held in their jurisdiction. Our solution leaves the physical files in place but offers a record management and data access request logging capability, allied to workflow. With a clock in place that tracks time to completion against the statutory deadline, this interim solution meets the compliance requirements and produces all the necessary management reports to enable the Trust to prove compliance. The drawback is the amount of manual intervention required. However, further automation can be achieved by moving to a full-scale data management system.”