2. Use technology to enforce and monitor compliance rules and processes.
Most companies recognize that even the most effective processes can't be monitored or sustained over time without technology to automate them and provide structure. "We have made significant use of technology in the last 18 months to automate and bring greater efficiencies to our processes," Worrall says. "The technology brings more reliability and predictability to the processes we've designed."
Of course, a key element of any company's compliance efforts is establishing and maintaining effective control of access to information, especially financial data. "Access to data must be based on what the employee needs to look at," AMR's Hagerty says.
The reason is obvious: you don't want a "fox guarding the henhouse" situation that could expose the company to internal fraud. "For example, the person responsible for setting up the list of payers can't also be able to authorize a payment," Hagerty says. "There should be a preventive control in place, such as someone with the ability to say no, someone who can reject the payment."
One company that uses software to provide automated checks against such abuses is Macerich Co., an $830 million real estate investment trust and operator of shopping malls. The company uses Oracle Corp.'s Internal Controls Manager, as well as Oracle's financial, human resources and project management applications.
On the one hand, Macerich relies on the software to restrict access to key systems and parts of systems according to each employee's role. "For instance, an accounts payable clerk cannot cut a check as well as create an invoice," says Sean O'Donoghue, vice president of business applications and technology at Macerich. "That one person does not have full control of a transaction."
Of course, the system has to be set up by each company in a way that fits its employees' duties and functions. "It's a matter of thinking through and doing the homework up front," O'Donoghue says. "Otherwise, it can be a daunting task when you look at all the functions of the software that are available."
The system also gives Macerich another piece of compliance functionality by providing the company with an IT audit capability. "We use it to monitor our e-business suite," O'Donoghue says. "The software provides controls around our day-to-day processes, ensuring that someone cannot change the approval signature and the amount of a check, and then change it back as if nothing happened. The system gives us a full record of who changed something."
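The two controls Hagerty and O'Donoghue describe, that no single person may hold both sides of a payment and that a check edited and then edited back still leaves a record, can be expressed as checks over entitlement assignments and an audit log. The following is an added example, not code from Macerich, Oracle or Sun; the entitlement names, users and log entries are constructed for illustration.

```python
"""Segregation-of-duties check and change-and-revert detection (added example).
Entitlement names, users and audit entries are constructed, not real data."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Entitlement pairs one person must never hold together (the article's examples:
# payee maintenance vs. payment authorization; invoice creation vs. cutting checks).
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("maintain_payees", "authorize_payment"),
    ("create_invoice", "cut_check"),
]

# Constructed role assignments: bob holds both halves of an AP transaction.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"maintain_payees", "view_reports"},
    "bob": {"create_invoice", "cut_check"},
    "carol": {"authorize_payment"},
}

# Constructed audit log: each entry records who changed which field of which record.
AUDIT_LOG = [
    {"seq": 1, "actor": "bob", "record": "CHK-1001", "field": "amount", "old": 1200.00, "new": 9200.00},
    {"seq": 2, "actor": "bob", "record": "CHK-1001", "field": "approver", "old": "carol", "new": "bob"},
    {"seq": 3, "actor": "bob", "record": "CHK-1001", "field": "amount", "old": 9200.00, "new": 1200.00},
    {"seq": 4, "actor": "dave", "record": "CHK-1002", "field": "amount", "old": 500.00, "new": 550.00},
]

def sod_violations(assignments: Dict[str, Set[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Return, per user, every conflicting entitlement pair that user holds."""
    violations = {}
    for user, entitlements in assignments.items():
        hits = [(a, b) for a, b in SOD_CONFLICTS if a in entitlements and b in entitlements]
        if hits:
            violations[user] = hits
    return violations

def change_and_revert(audit_log, fields=("amount", "approver")) -> List[dict]:
    """Flag a field that was changed and later restored to its earlier value.
    The current value looks untouched, so only the audit trail reveals it."""
    history = defaultdict(list)
    for entry in sorted(audit_log, key=lambda e: e["seq"]):
        if entry["field"] in fields:
            history[(entry["record"], entry["field"])].append(entry)
    findings = []
    for (record, field), events in history.items():
        for i, first in enumerate(events):
            for later in events[i + 1:]:
                if first["old"] != first["new"] and later["new"] == first["old"]:
                    findings.append({"record": record, "field": field,
                                     "actors": sorted({first["actor"], later["actor"]}),
                                     "seq": (first["seq"], later["seq"])})
    return findings
```

Run against the constructed data, `sod_violations` reports bob's invoice/check conflict and `change_and_revert` surfaces the CHK-1001 amount that was raised and then put back, even though its final value matches the original.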
Sarbanes-Oxley was actually a plus for IT, O'Donoghue says. "IT always wanted these controls, and Sarbanes was the stick we were given to implement some things we'd wanted to do." He admits, though, that "sometimes the pendulum swings too far, and you can have too many controls. But I think that overall, having the controls in place has definitely helped us. Sure, it's more work on the front end, but less work later on."
Sun has developed its own product, Sun Identity Manager, to assign and track employee access to information. "It allows people to define critical access roles," Worrall says. "It also allows us to provision access dynamically, so when employees change roles and their authority changes, we're able to provision or de-provision accounts. In this way we can regulate access to our application environment."
When it comes to change management, though, Sun uses a third-party software package (which Worrall didn't disclose). "We needed a safe, reliable method for deploying new applications into production," Worrall says. "This way we have a database of all program requisitions into IT, and we also capture the impact on Sarbanes-Oxley that the demand for new applications and changes will have. This gives us a beginning-to-end view of changes in the IT environment."