IT can help mitigate costs; so can some common sense.
Many companies that were focused on meeting the primary requirements for compliance haven't even begun to think about incorporating SarbOx into their ongoing business processes. Yet that was the goal at Irving, Texas-based Kimberly-Clark Corp., the $15 billion health and hygiene products manufacturer, when it installed automated control testing software from Virsa Systems Inc. The software automates a key portion of the SarbOx effort: testing the controls to make sure they work properly, said Jayne Gibbon, team leader of the North America security support team for Kimberly-Clark.
Virsa's tool helps automatically check processes to ensure that the segregation-of-duties portion of Section 404 of Sarbanes-Oxley is being met. "For example, the most common segregation-of-duties issue you want to prevent is that you don't want someone to do purchasing who also does receiving. So you can configure a rule that outlines that conflict and run your population of users against it to see if there are any issues."
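The kind of rule check described above, sketched as an added example (this is not Virsa's software or Kimberly-Clark's configuration; the role names, permission strings, users and rule ID are all constructed for illustration). It expands each user's roles into effective permissions first, so a conflict is caught whether it comes from one broad role or from two narrow roles held together:

```python
# Constructed sample data: role -> permissions it grants (hypothetical names).
ROLE_PERMISSIONS = {
    "buyer": {"purchasing.create_po"},
    "warehouse_clerk": {"receiving.post_goods_receipt"},
    "ap_clerk": {"payables.post_invoice"},
    "site_admin": {"purchasing.create_po", "receiving.post_goods_receipt"},
}
# Constructed sample data: user -> assigned roles.
USER_ROLES = {
    "alice": {"buyer"},
    "bob": {"buyer", "warehouse_clerk"},   # conflict via two separate roles
    "carol": {"site_admin"},               # conflict inside a single role
    "dave": {"warehouse_clerk", "ap_clerk"},
}
# A rule is violated when one user holds a permission from each side.
SOD_RULES = [
    {"id": "SOD-01",
     "left": {"purchasing.create_po"},
     "right": {"receiving.post_goods_receipt"}},
]

def effective_permissions(roles, role_permissions):
    """Map each permission a user holds to the roles that grant it."""
    granted = {}
    for role in roles:
        if role not in role_permissions:
            # An unmapped role would otherwise hide a conflict silently.
            raise KeyError(f"unknown role: {role}")
        for perm in role_permissions[role]:
            granted.setdefault(perm, set()).add(role)
    return granted

def find_violations(user_roles, role_permissions, rules):
    """Run the whole user population against every rule."""
    findings = []
    for user in sorted(user_roles):
        granted = effective_permissions(user_roles[user], role_permissions)
        held = set(granted)
        for rule in rules:
            left, right = rule["left"] & held, rule["right"] & held
            if left and right:
                roles = set().union(*(granted[p] for p in left | right))
                findings.append({"user": user, "rule": rule["id"],
                                 "roles": sorted(roles)})
    return findings

if __name__ == "__main__":
    for f in find_violations(USER_ROLES, ROLE_PERMISSIONS, SOD_RULES):
        print(f"{f['rule']}: {f['user']} via {', '.join(f['roles'])}")
```

Reporting the roles that contribute to each conflict tells the reviewer which assignment to remove rather than only who is flagged.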
Gibbon estimates that the software saves roughly 40 hours of staff time annually for each of the company's 120 locations, which translates into hundreds of thousands of dollars. "But I think that's an understatement," she said. "You couldn't humanly perform this; it's too convoluted."
At Volt Information Sciences Inc., a $1.9 billion, New York-based global provider of staffing and telecom services, CFO James Groberg agreed that technology is key for compliance.
"You need a software application that will let you store the documentation, the testing and everything that goes with it in a manner that makes it easily available to your outside auditors, but also lets your own people search that database quickly and make alterations to your controls as needed."
According to its 2004 annual report, the company spent $400,000 just on external SarbOx-related costs, and Groberg said he expects that new software will significantly cut costs going forward. "Certainly our costs will come down," he said. "They'd better." The software, from OpenPages Inc., starts at roughly $65,000 for 25 users.
Gartner's Leskela warns companies to stop relying so heavily on outside parties for guidance. Auditors are in no hurry to be automated out of existence. "Don't listen to the deceptive advice of auditors," he said. "Everyone has their own agenda. Get rid of these people. They are taking up space and providing no value."
According to a former internal auditor who spoke on the condition of anonymity, "Audit firms don't want you to buy your own software. They want to manage this process from the cradle to the grave, and they have developed their own in-house tools that they let their clients use, for a fee."
Keep in mind, though, that software vendors have just as much interest in making money off your Sarbanes-Oxley woes and are flooding the market with products that may or may not be of any value to you, as Travatello can attest. "We could have done it in Microsoft Word and stored it somewhere special, and it would have been the same bang for the buck," he said.