Automatic Transmission

By Jeffrey Rothfeder  |  Posted 05-01-2004 Print Email

Automatic Transmission

Welcome to the new, post-Sarbanes-Oxley corporate America. As U.S. companies face deadlines for conforming with the act, a picture is beginning to emerge of what the Sarbanes-compliant company will look like, and how its technology, operations, networks and databases will be affected by the legislation. Ironically, Crown Media's financial controls application, while quite simple, is well ahead of the curve. Most businesses, scrambling this year to satisfy the law's Section 404—which requires companies to issue a management report, signed by their outside auditor, attesting that they have adequate controls on their financial systems to protect against fraud and sabotage—have not turned to new technology to monitor financial operations. Instead, they're making do with the systems they have, cataloguing processes as best they can, closing loopholes and potential security breaches manually, and putting off the distraction of major technological fixes.

"Companies don't need technology to meet the standards in Section 404," says Stan Lepeak, vice president of professional services strategies at META Group Inc. "Most organizations have already invested in ERP and financial management software, and right now they're trying to figure out how to use what they've got to suit Sarbanes-Oxley. It's a lot of nuts-and-bolts activity.

Each company's experience with Sarbanes-Oxley compliance—and the technology used to meet the legislation's demands—will depend upon the particular DNA of the organization. Companies with uncomplicated business models—Chiquita Brands International, a $2.6 billion fruit company with one basic product line and very little inventory, comes to mind—could probably get along by implementing simple audit controls over financial processes, avoiding an all-out monitoring system that tracks every individual piece of financial data throughout the system. By contrast, a company that thrives on acquisitions—Cisco Systems Inc., for example, which has acquired about a dozen companies in the past two and a half years—would need a transparent tracking system to ensure that the financial data from each of its new partners is integrated with the company's existing corporate files, with no leakage into renegade applications that could be used to alter and pollute quarterly numbers.

Section 302
Requires the CEO and CFO to certify that the content of quarterly and annual SEC filings is accurate and the controls that the company has designed to meet its periodic disclosure obligations are sufficient.

Section 404
Requires companies to provide a one-time internal control report to attest to the integrity of their processes for handling corporate financial-related data, and to stipulate that these processes are safeguarded from fraud and sabotage.

Section 409
Requires companies to disclose in "real time" material events and financial-related information.

Section 802
Requires companies to store in an accessible fashion audit documents and other financial-related data.

Corporate culture, set by management, is another key consideration driving the type of technology and internal processes companies adopt over the next few years to respond to Sarbanes-Oxley. Companies with CEOs who persistently view new technology as an opportunity to improve productivity and enhance the use of data as a strategic edge are more likely to take risks with Sarbanes-Oxley applications in hopes that they produce ancillary benefits. As a result, say experts, the Sarbanes-Oxley bell curve is made up of about 10 percent to 20 percent early adopters, like Crown Media, who are already implementing aggressive compliance systems; 60 percent to 70 percent pragmatists, who are slowly scoping out their compliance needs and will make their technology decisions in the next 24 to 36 months; and about 10 percent skeptics, who would prefer to use existing technology to improve controls or whose business models are simple enough not to require an ambitious compliance effort.

"Any decision you make about Sarbanes-Oxley compliance technology, you'll have to live with it for at least three years," says Vani Kola, CEO of Nth Orbit Inc., a maker of corporate governance software. "That's about the time frame when all technologies, architectures and applications go through a significant revision. So you need to map out what you know about your business now and for the immediate future to determine your compliance technology requirements. That can range from a lot to a little—or almost nothing."

Sarbanes-Oxley may be just the first of a series of regulatory mandates that federal agencies produce over the next few years to manage the darker side of business behavior. In addition to increased financial disclosure, new health and safety requirements, environmental standards, recycling guidelines and security and encryption rules are likely to leave companies aiming at a constantly moving compliance target. So viewing Sarbanes-Oxley as part of a larger company-wide effort to question the ethics and attitudes that underlie operations throughout the organization could be the most apt strategy.

"Regulation is determining what is good for society in more and more aspects of business behavior," says John Parkinson, chief technologist for the Americas at consultants Capgemini. "Companies need what we call a compliance services model to address this new reality. This model says here are the regulatory rules that I have to meet—or will have to meet—and here's how I automate these rules to demonstrate that I met the standards."

Among the applications Parkinson sees as a part of the compliance services model are digital rights management programs that monitor content for copyright and identity protection; software that reads binary code as it is running to ensure that programs written by third parties conform to specifications; and pollution control systems that monitor factory waste output second by second.



 

Submit a Comment

Loading Comments...