Analysis: High Speed Compliance
By Jeffrey Rothfeder | Posted 05-01-2004
No one would confuse Crown Media Holdings Inc. with media giants like Time Warner Inc. and Viacom Inc. With only $208 million in 2003 sales, the Greenwood Village, Colo. owner of the family-friendly cable station Hallmark Channel competes for advertising and distribution agreements with some of the best-known corporations in the U.S. Still, over the past year, Crown Media has been undertaking a dogged self-analysis that may, to some degree, reduce the gap between the company and its much larger rivals.
Credit the effort to the Sarbanes-Oxley Act. Passed in the summer of 2002, the legislation sets a series of deadlines for public companies to certify that their financial results are accurate, that all material information is reported in a timely fashion, and that they have ironclad process controls to protect the integrity of their financial data. Otherwise, they risk having their CEOs experience the indignity of a perp walk out of company headquarters. In demanding these guarantees, the act is arguably responsible for the most thoroughgoing facelift among U.S. businesses since the founding of the Securities and Exchange Commission in the wake of the Great Depression.
To accommodate Sarbanes-Oxley, Crown Media, which must produce its compliance report by the end of this year, mapped every major process in its balance sheet used to handle incoming and outgoing revenue and expenses. Much of this data had been consigned to simple, stand-alone, Excel spreadsheets, often without any safeguards to ensure that the numbers weren't tampered with before being consolidated into overall company results. To aid in this effort, Crown Media purchased a software package called Movaris Certainty, one of many programs offered in the wake of Sarbanes-Oxley (others include SAS Corporate Compliance, Oracle Internal Controls Manager and OpenPages' SOX Express).
Crown Media uploaded its Excel data into Certainty, and input the processes used for recording each financial transaction. The software, in turn, produced a hierarchy of preventive controls for every division and for every type of financial activity in the company. With these controls, when there is noncompliance or a possible misuse of internal data (a purchase order filled out by someone not authorized to do so, for instance, or a number changed in an accounts-payable record without sign-off from a chain of supervisors), executives receive an alert that pinpoints the problem and triggers possible disciplinary or mitigating action. "The program is analogous to an IT monitoring system that tracks a network for glitches, intrusions and other anomalies," says Mark Thompson, Crown Media's senior vice president of finance and IT.
That should satisfy the Sarbanes-Oxley requirements. But there's an added potential benefit emerging from Crown Media's compliance project that its executives are just beginning to appreciate: Much more than before, the new system has made internal financial data instantly available and transparent throughout the company. Information such as advertising contracts is no longer locked away in spreadsheets. That lets Crown Media pursue the kind of nimble campaigns, involving sales and other strategic operations, that larger corporations with expensive, proprietary company-wide networks traditionally enjoy as a business advantage. "We're not approaching Sarbanes-Oxley as purely a compliance process," says Mary Dzabic, Crown Media's director of reporting and compliance. "Automation generates cost savings and cross-team activities that allow us to focus more on analysis and adding value to our jobs."
Welcome to the new, post-Sarbanes-Oxley corporate America. As U.S. companies face deadlines for conforming with the act, a picture is beginning to emerge of what the Sarbanes-compliant company will look like, and how its technology, operations, networks and databases will be affected by the legislation. Ironically, Crown Media's financial controls application, while quite simple, is well ahead of the curve. Most businesses, scrambling this year to satisfy the law's Section 404 (which requires companies to issue a management report, signed by their outside auditor, attesting that they have adequate controls on their financial systems to protect against fraud and sabotage), have not turned to new technology to monitor financial operations. Instead, they're making do with the systems they have, cataloguing processes as best they can, closing loopholes and potential security breaches manually, and putting off the distraction of major technological fixes.
"Companies don't need technology to meet the standards in Section 404," says Stan Lepeak, vice president of professional services strategies at META Group Inc. "Most organizations have already invested in ERP and financial management software, and right now they're trying to figure out how to use what they've got to suit Sarbanes-Oxley. It's a lot of nuts-and-bolts activity."
Each company's experience with Sarbanes-Oxley compliance, and the technology used to meet the legislation's demands, will depend upon the particular DNA of the organization. Companies with uncomplicated business models (Chiquita Brands International, a $2.6 billion fruit company with one basic product line and very little inventory, comes to mind) could probably get along by implementing simple audit controls over financial processes, avoiding an all-out monitoring system that tracks every individual piece of financial data throughout the system. By contrast, a company that thrives on acquisitions (Cisco Systems Inc., for example, which has acquired about a dozen companies in the past two and a half years) would need a transparent tracking system to ensure that the financial data from each of its new partners is integrated with the company's existing corporate files, with no leakage into renegade applications that could be used to alter and pollute quarterly numbers.
Corporate culture, set by management, is another key consideration driving the type of technology and internal processes companies adopt over the next few years to respond to Sarbanes-Oxley. Companies with CEOs who persistently view new technology as an opportunity to improve productivity and enhance the use of data as a strategic edge are more likely to take risks with Sarbanes-Oxley applications in hopes that they produce ancillary benefits. As a result, say experts, the Sarbanes-Oxley bell curve is made up of about 10 percent to 20 percent early adopters, like Crown Media, who are already implementing aggressive compliance systems; 60 percent to 70 percent pragmatists, who are slowly scoping out their compliance needs and will make their technology decisions in the next 24 to 36 months; and about 10 percent skeptics, who would prefer to use existing technology to improve controls or whose business models are simple enough not to require an ambitious compliance effort.
"Any decision you make about Sarbanes-Oxley compliance technology, you'll have to live with it for at least three years," says Vani Kola, CEO of Nth Orbit Inc., a maker of corporate governance software. "That's about the time frame when all technologies, architectures and applications go through a significant revision. So you need to map out what you know about your business now and for the immediate future to determine your compliance technology requirements. That can range from a lot to a little, or almost nothing."
Sarbanes-Oxley may be just the first of a series of regulatory mandates that federal agencies produce over the next few years to manage the darker side of business behavior. In addition to increased financial disclosure, new health and safety requirements, environmental standards, recycling guidelines and security and encryption rules are likely to leave companies aiming at a constantly moving compliance target. So viewing Sarbanes-Oxley as part of a larger company-wide effort to question the ethics and attitudes that underlie operations throughout the organization could be the most apt strategy.
"Regulation is determining what is good for society in more and more aspects of business behavior," says John Parkinson, chief technologist for the Americas at consultants Capgemini. "Companies need what we call a compliance services model to address this new reality. This model says here are the regulatory rules that I have to meet, or will have to meet, and here's how I automate these rules to demonstrate that I met the standards."
Among the applications Parkinson sees as a part of the compliance services model are digital rights management programs that monitor content for copyright and identity protection; software that reads binary code as it is running to ensure that programs written by third parties conform to specifications; and pollution control systems that monitor factory waste output second by second.
At the very least, most companies in the post-Sarbanes environment will need programs that impose controls on financial systems to produce an audit trail that shows, among other things, where data originated from, the number of times it was altered and by whom, and whether all necessary approvals have been obtained throughout the process of handling and incorporating data. Companies may also want to stay on top of financial data in something close to real time, in hopes of more rigorously tracking performance for disclosure purposes, acquisition integration, business unit analysis and determining if goals are being met. If so, they might go a step further and install a business dashboard.
Such systems come in many varieties. CXO Systems, for instance, offers a dashboard that serves as an overlay to any major business-intelligence program, while leading suppliers of business-intelligence software, such as Oracle, SAP, Cognos and Siebel, offer dashboards that integrate with their own proprietary applications. Either way, the goal is to be able to sift data from all corners of the corporate network, thereby producing an easy-to-read series of metrics that track key areas of corporate performance, such as sales-to-inventory ratios and average customer wait-time at the call center, as well as goals and benchmarks. With this view, a CEO, CFO, business-unit head or sales manager could watch minute-to-minute changes in daily shipments of a product on a color-coded chart that compares the results with benchmark metrics such as company average, industry average and industry best practice. If shipments drop precipitously, for instance, executives can make sure that information is publicly disseminated as being material to operations, as Sarbanes-Oxley requires, and attempt to fix the problems in the supply chain that led to the shortfall.
Dashboards typically work hand-in-hand with business process management programs that control financial information and document management, workflow and, in a post-Sarbanes environment, compliance data warehouses. Some dashboard-like programs, however, delve into relatively obscure aspects of company operations. Typical of these is NetWeaver, a so-called integration platform from SAP. By situating NetWeaver in the middle of financial applications that cross organizational boundaries, it acts like a magnifying glass on a company's financial activities that are usually not readily visible among traditional balance-sheet data: customer relationship management files, for instance, or travel and entertainment expenses. NetWeaver and similar programs could track product credits and exchanges and stack this information directly against product-line revenue to determine the soundness of specific brands, or it could monitor employee expenditures related to promoting specific products, thus enabling the integration of T&E costs into brand overhead.
The result: a picture of true product value that often gets lost in a traditional P&L report. "Financial guidance numbers require a full understanding of the sales pipeline as well as its related costs," says Chris Eldredge, SAP's director of solutions strategy. "This includes factoring in the activities that sales, service, and marketing are engaged in, which are related to specific products."
Dashboards serve another key function as well. Under Sarbanes-Oxley, outside auditors are required to approve the controls companies implement to safeguard data, and these auditors are expected to be more honest and independent than, well, Arthur Andersen was with Enron in signing off on quarterly financial reports. Some auditors have complained that it's difficult to get inside the head of a company from an external perch. Dashboards and process monitoring programs can be shared with auditors, thus opening a window through which accounting firms can examine the financial activities and transactions that are often buried deep within corporate operations.
Isn't That Special?
Well beyond dashboards and monitoring programs, a curious cottage industry of more specialized compliance-related software has emerged in the wake of Sarbanes-Oxley, and many of these programs are likely to end up as part of the applications mix in the post-Sarbanes era. For example, Boardroom Software Inc.'s Equity Manager manages the administration of company stock, stock options, debt and warrants, and provides automated audit trails and up-to-the-minute reports about every transaction. Management can avoid, or quickly be alerted to, unwanted transactions such as restricted trades, insider activity and issuances of stock or options above board-authorized levels. Without a program like Equity Manager, most companies track purchases and sales of equity by insiders and other high-stake shareholders with spreadsheets and manual files, and too often lose control of the data. "That is no longer acceptable now that we have to certify quarterly financials, which requires knowing exactly where we stand on every bit of stock activity," says Rich Connelly, chief financial officer at Citadel Security Software Inc., a maker of network protection software and an Equity Manager purchaser. "We have about 200 stakeholders to monitor, representing more than 25 percent of our fully diluted outstanding shares."
E-mail protection is another potential hot-growth area propelled by Sarbanes-Oxley. Many companies already protect inbound e-mails and instant messages from spam, viruses, obscene language and other irritations, but programs such as MessageGate, from Boeing spin-off MessageGate Inc., and Frontbridge Technologies Inc.'s TrueProtect stress extensive outbound e-mail security. To guard against fraud and monitor suspicious behavior, for instance, rules can be written that say if "internal use only" appears in a message or an attachment, then the e-mail should be blocked or traced to see if it's a symptom of illicit activity.
The Looking Glass
Once equipped with all this financial information technology, the Sarbanes-Oxley-compliant company will symbolize a huge cultural shift among U.S. businesses: After years of frequently being stingy about providing information, companies will become much more transparent. Hiding data in corners of balance sheets under obscure headings, and retrofitting numbers to meet sales and profit goals will be virtually impossible, because the new technology will ensure that the information is freely and comprehensively available to top executives, and a lengthy list of approvals will be required before information is altered.
Some experts argue that these new levels of visibility would have occurred naturally, even if the recent round of financial scandals had not transpired and no legislation had been passed. As they see it, the combination of increasingly open, worldwide markets, spreading communications technology, aggressive 24-hour media coverage, activist consumers and unforgiving shareholders has conspired to make corporate transparency not only a business advantage but a critical priority. Shoppers are more loyal, suppliers are more willing to share data, prospective partners are more keen to sign agreements, and investors are more eager to provide capital to companies that can demonstrate honesty and integrity and that disclose material information, good and bad.
"Sarbanes-Oxley is not the cause of better behavior, it's a symptom of it," says Don Tapscott, author of The Naked Corporation. "Sociopolitical, demographic and technological factors are increasingly leading to companies being scrutinized closely by their stakeholders. It's the death agony of the old model, of the insular, opaque corporation that lacked integrity."
That may be so, but for many companies the data visibility they've gained as a result of Sarbanes-Oxley initiatives, and not market forces, has provided the first hints of the operational efficiencies and productivity improvements that can be gleaned from heightened transparency. Although a large number of company executives initially balked at Sarbanes-Oxley regulations, claiming that a few dishonest corporations were forcing onerous rules on all public businesses, a February 2004 survey by META Group found that 41 percent of companies agreed that their efforts as a result of the law would make them more competitive.
It's tempting to compare the Y2K scare to Sarbanes-Oxley. Like Y2K, compliance with the act will depend on technology fixes to overhaul old, inefficient and potentially deleterious systems. But there's also a big difference between the two. Y2K had a drop-dead date, whereas the profound changes in systems, operations, processes, controls and technology brought about by Sarbanes-Oxley will evolve over an indefinite period.
"Sarbanes-Oxley is Y2K without end," says Wes Rehm, SAS Institute Inc. strategist for financial intelligence and Sarbanes-Oxley compliance. "Companies are even more afraid to fail than they were four years ago. Failure would not only harm a company's reputation and its pocketbook, but it would put it a step behind the competition at a time when every advantage is an absolute necessity."
Jeffrey Rothfeder writes frequently about business, security, environmental and technology issues.