Welcome to the new, post-Sarbanes-Oxley corporate America. As U.S. companies face deadlines for conforming with the act, a picture is beginning to emerge of what the Sarbanes-compliant company will look like, and how its technology, operations, networks and databases will be affected by the legislation. Ironically, Crown Media's financial controls application, while quite simple, is well ahead of the curve. Most businesses, scrambling this year to satisfy the law's Section 404which requires companies to issue a management report, signed by their outside auditor, attesting that they have adequate controls on their financial systems to protect against fraud and sabotagehave not turned to new technology to monitor financial operations. Instead, they're making do with the systems they have, cataloguing processes as best they can, closing loopholes and potential security breaches manually, and putting off the distraction of major technological fixes.
"Companies don't need technology to meet the standards in Section 404," says Stan Lepeak, vice president of professional services strategies at META Group Inc. "Most organizations have already invested in ERP and financial management software, and right now they're trying to figure out how to use what they've got to suit Sarbanes-Oxley. It's a lot of nuts-and-bolts activity.
Each company's experience with Sarbanes-Oxley complianceand the technology used to meet the legislation's demandswill depend upon the particular DNA of the organization. Companies with uncomplicated business modelsChiquita Brands International, a $2.6 billion fruit company with one basic product line and very little inventory, comes to mindcould probably get along by implementing simple audit controls over financial processes, avoiding an all-out monitoring system that tracks every individual piece of financial data throughout the system. By contrast, a company that thrives on acquisitionsCisco Systems Inc., for example, which has acquired about a dozen companies in the past two and a half yearswould need a transparent tracking system to ensure that the financial data from each of its new partners is integrated with the company's existing corporate files, with no leakage into renegade applications that could be used to alter and pollute quarterly numbers.
Corporate culture, set by management, is another key consideration driving the type of technology and internal processes companies adopt over the next few years to respond to Sarbanes-Oxley. Companies with CEOs who persistently view new technology as an opportunity to improve productivity and enhance the use of data as a strategic edge are more likely to take risks with Sarbanes-Oxley applications in hopes that they produce ancillary benefits. As a result, say experts, the Sarbanes-Oxley bell curve is made up of about 10 percent to 20 percent early adopters, like Crown Media, who are already implementing aggressive compliance systems; 60 percent to 70 percent pragmatists, who are slowly scoping out their compliance needs and will make their technology decisions in the next 24 to 36 months; and about 10 percent skeptics, who would prefer to use existing technology to improve controls or whose business models are simple enough not to require an ambitious compliance effort.
"Any decision you make about Sarbanes-Oxley compliance technology, you'll have to live with it for at least three years," says Vani Kola, CEO of Nth Orbit Inc., a maker of corporate governance software. "That's about the time frame when all technologies, architectures and applications go through a significant revision. So you need to map out what you know about your business now and for the immediate future to determine your compliance technology requirements. That can range from a lot to a littleor almost nothing."
Sarbanes-Oxley may be just the first of a series of regulatory mandates that federal agencies produce over the next few years to manage the darker side of business behavior. In addition to increased financial disclosure, new health and safety requirements, environmental standards, recycling guidelines and security and encryption rules are likely to leave companies aiming at a constantly moving compliance target. So viewing Sarbanes-Oxley as part of a larger company-wide effort to question the ethics and attitudes that underlie operations throughout the organization could be the most apt strategy.
"Regulation is determining what is good for society in more and more aspects of business behavior," says John Parkinson, chief technologist for the Americas at consultants Capgemini. "Companies need what we call a compliance services model to address this new reality. This model says here are the regulatory rules that I have to meetor will have to meetand here's how I automate these rules to demonstrate that I met the standards."
Among the applications Parkinson sees as a part of the compliance services model are digital rights management programs that monitor content for copyright and identity protection; software that reads binary code as it is running to ensure that programs written by third parties conform to specifications; and pollution control systems that monitor factory waste output second by second.