Two Years Into the Reign of SOX: More to Do
You could be forgiven for thinking that, as far as IT is concerned, the lion's share of Sarbanes-Oxley (SOX) work has been done. After all, we are rapidly approaching the second anniversary of the original SOX deadline for fiscal years ending on or after November 15, 2004.
But you'd be wrong. You may have put in long hours and seen your organization invest millions in software, hardware and consulting fees to become SOX compliant, but in fact the job has only just begun.
That's because much of the IT spending over the past two years has been related to general IT infrastructure, including security and archiving: making sure that e-mails and instant messages are recorded and stored away in case they need to be produced later. That kind of thing.
Stage two has still to be completed. Put very simply, much of Sarbanes-Oxley compliance revolves around internal controls that check things are done right. Many of the controls relating to applications and processes (probably 60 to 80 percent in most companies) are currently carried out manually rather than in a more reliable and efficient automated fashion. Automating them will require a great deal of IT intervention.
Paul Hamerman, a vice president at Forrester Research, proposes a maturity model for controls compliance procedures based on the Capability Maturity Model Integration (CMMI) developed by the Carnegie Mellon Software Engineering Institute. The model defines five levels of maturity: Informal, Documented, Standardized, Managed and Optimized. According to a report Hamerman authored, the vast majority of companies are at level 2 or 3, while a few that have invested heavily in IT may have reached level 4.
To reach levels 4 and 5, which involve a high degree of automation, companies will require several types of controls-enablement software tools, which Hamerman lists as:
- Transactional integrity analysis software, to enable testing and analysis of large volumes of data to detect errors and potential fraud situations.
- Software to supplement application-level security, enhancing preventative controls by restricting access privileges and ensuring proper segregation of duties in transaction execution.
- Rules-based business process management tools, which can be applied to manage the execution of business processes as they occur. These tools can help ensure compliance with corporate control policies, such as dollar thresholds and approval procedures.
- Control tools for spreadsheets, which can enhance audit trails, versioning, security, formula integrity and cataloging of spreadsheets used in financial processes.
It's likely, Hamerman says, that this will involve buying packages rather than developing software in-house, and that companies will have to invest in a range of technologies rather than a single solution. In some cases, application vendors themselves will offer compliance modules for their applications; this explains SAP's acquisition of California-based compliance monitoring software maker Virsa Systems earlier this summer. But controls for other applications and processes may best be monitored by products from third-party vendors.
Hamerman estimates that in a typical company there is still a great deal of work and investment to be done. "Many companies have spent on hardening their infrastructure and security, but have perhaps underinvested on controls," he warns.
The good news for the board is that money spent on increasing SOX compliance program maturity and effectiveness is likely to produce an ROI by avoiding financial losses and by improving operational efficiency.
The bad news is that it's doubtful how practical it really is to automate financial controls in a company with a complex accounting and ERP environment. Worryingly, Hamerman warns that in many cases it's probably impossible. "An applications environment with disparate legacy systems and aging software packages is an environment with too many moving parts and manual controls," he says in his report. The only viable answer is probably to upgrade those accounting and ERP systems, and guess who is going to be doing the work!