Technology
By CIOinsight | Posted 08-05-2005
SarbOx Complications Overwhelm Preparations
Compliance has been a moving target, and costs have piled up early and often.
It was January 2004, and Bob Travatello, CIO of Blue Rhino Corp., the largest independent supplier of propane gas cylinder exchange for backyard grills in the United States, was feeling upbeat as he chatted with CIO Insight about his company's aggressive dive into compliance with the Sarbanes-Oxley Act of 2002 ("Better Safe Than Sorry," CIO Insight, February 2004).
With the deadline looming six months ahead, the Winston-Salem, N.C.-based company had substantially slowed its business processes in order to make compliance a top priority. Travatello was confident, even cocky, about his company's preparedness. Because it had acted quickly after the law was passed, he said, Blue Rhino was well on its way to compliance and expected no negative financial impact on the business. "I'm not sure that every company is taking it as seriously as we are," he said.
Fast forward about 18 months and Travatello is considerably less cheery. A lack of clarity around the scope of the law has led to massive overspending at virtually every publicly traded company in the United States. And Blue Rhino, now a division of Overland, Kan.-based Ferrellgas Partners Ltd., has spent the past six months in the testing and remediation phase of its Sarbanes-Oxley efforts, far longer than the company expected. Travatello is sick to death of auditors. "I see them in my sleep now," he said.
On top of that, the hope that SarbOx compliance would somehow result in a more efficient operation throughout the company has gone by the boards. "I thought SOX was going to help us, but it's only hurt our bottom line," Travatello said. Although he can't disclose actual figures, Ferrellgas's 2004 annual report is very telling. Net earnings dropped to $28.6 million from $56.7 million in 2003, and its stock price is down slightly since April 2004, when Blue Rhino was acquired. Though the slump can't be attributed entirely to SarbOx costs, "I don't think I can look a shareholder in the face and say the amount of money we've spent [on SarbOx] was worth it," Travatello said.
Of course, complaining about federal regulation is corporate America's national pastime. And there are, in fact, examples of companies that have seen business benefits to Sarbanes-Oxley compliance above and beyond avoiding jail.
As painful as it's been, SarbOx does seem to have some upside. Companies are reporting that their efforts have helped them weed out fraud, improve security and optimize business practices. Even Travatello admits that having to slow down business processes forces the company to think harder about the risks it is taking.
"We trust our people, but on some projects that deal with major systems, it's good to have different sets of eyes. And we feel better that we are doing the right thing," he said.
The one thing all companies agree on is the need to reduce the costs of compliance. Companies have two choices when it comes to their second year of compliance, and neither is pretty: They can continue to rely on their audit teams, or they can look to the already strapped-for-cash IT department to buy software that effectively manages compliance. Both options can lead to enormous cost overruns if not managed properly. The question is, which is the lesser of two evils?
"IT is the only way to bring these costs down," said Bob Tillman, director of public affairs for ARMA International, a trade group in Lenexa, Kan., for records managers. "You can't have auditors with their green eyeshades going over every line."
But software vendors have their own drawbacks, said Ted Frank, who leads the Open Compliance and Ethics Group's Technology Council and is also president of Axentis Inc. in Warrensville Heights, Ohio, which offers hosted SarbOx solutions. "Everywhere you turn, there's another compliance solution. It's terribly confusing."
Overspending is the norm, leaving lots of room for improvement.
The cost of complying with Sarbanes-Oxley in 2004 was roughly 30 percent higher than companies estimated. But a high compliance bill is nothing new for U.S. companies, many of which already adhere to a slew of regulations. According to a 2001 U.S. government report entitled "The Impact of Regulatory Costs on Small Firms," companies spent roughly $800 billion annually on federal compliance issues before Sarbanes-Oxley was even drafted.
So why weren't companies better prepared for the new law? "It implies that proper auditing wasn't really being done before," said Lane Leskela, an analyst at Gartner Inc. "If auditors had been doing significant deep audits for the past few years instead of merely genuflecting over the numbers, would we have seen this escalation of costs for SarbOx? We have a huge gap in the willingness to enforce a lot of the laws already on the books." That, of course, is the very problem that Sarbanes-Oxley is meant to solve.
Compounding the catch-up costs is the fact that the Securities and Exchange Commission has provided little leadership over exactly what the scope of SarbOx should be, and as a result, "the audit firms have jumped in and decided what they want," Tillman of ARMA said. "The CEO doesn't want to go to jail, so he says, 'Pay the auditor.' It's a recipe for disaster."
Because internal and external audit teams have different definitions of compliance, and methodologies for achieving it, a costly and time-consuming tug-of-war ensues. "Auditor A does it one way, auditor B does it another, and they will never admit the other is right, because then the billable hours go down," Blue Rhino's Travatello said.
According to Financial Executives International, an association for accounting and finance professionals, companies spent more than half of the money that went toward SarbOx on auditors, $2 million on average. Gartner estimates that audit fees are up as much as 35 percent from a year ago.
As it turns out, those who sat back and waited to see how SarbOx would develop have fared better, and spent less, than those, like Blue Rhino, that charged ahead. "In retrospect, the minimalist approach at the onset of SOX was more acceptable than we thought it would be," said John Hagerty, a vice president at AMR Research.
IT can help mitigate costs; so can some common sense.
Many companies that were focused on meeting the primary requirements for compliance haven't even begun to think about incorporating SarbOx into their ongoing business processes. Yet that was the goal at Irving, Texas-based Kimberly-Clark Corp., the $15 billion health and hygiene products manufacturer, when it installed automated control testing software from Virsa Systems Inc. The software automates a key portion of the SarbOx effort: testing the controls to make sure they work properly, said Jayne Gibbon, team leader of the North America security support team for Kimberly-Clark.
Virsa's tool helps automatically check processes to ensure that the segregation-of-duties portion of Section 404 of Sarbanes-Oxley is being met. "For example, the most common segregation-of-duties issue you want to prevent is that you don't want someone to do purchasing who also does receiving. So you can configure a rule that outlines that conflict and run your population of users against it to see if there are any issues."
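The check Gibbon describes (define a conflict rule, then run the user population against it) can be sketched as follows. This is an added example, not Virsa's software or Kimberly-Clark's configuration; the role names, duty names, rule id and users are constructed for illustration.

```python
from itertools import product

# Constructed sample data (not from the article): role -> duties it grants.
ROLE_DUTIES = {
    "buyer": {"create_purchase_order"},
    "warehouse_clerk": {"post_goods_receipt"},
    "ap_clerk": {"post_vendor_invoice"},
    "plant_supervisor": {"post_goods_receipt", "approve_timesheet"},
}

# A conflict rule: no single user may hold a duty from both sides.
SOD_RULES = [
    {"id": "P2P-01",  # hypothetical rule id
     "left": {"create_purchase_order"},   # purchasing
     "right": {"post_goods_receipt"}},    # receiving
]

USER_ROLES = {
    "alice": ["buyer"],
    "bob": ["warehouse_clerk", "ap_clerk"],
    "carol": ["buyer", "plant_supervisor"],  # conflict arises across two roles
    "dave": ["buyer", "retired_role"],       # role missing from the catalogue
}

def duty_sources(roles, role_duties):
    """Map each duty a user holds to the roles granting it; list unknown roles."""
    sources, unknown = {}, []
    for role in roles:
        if role not in role_duties:
            unknown.append(role)  # cannot be evaluated, so surface it
            continue
        for duty in role_duties[role]:
            sources.setdefault(duty, []).append(role)
    return sources, unknown

def check_sod(user_roles, role_duties, rules):
    """Return findings as (user, rule_id, left_detail, right_detail) tuples."""
    findings = []
    for user, roles in sorted(user_roles.items()):
        sources, unknown = duty_sources(roles, role_duties)
        findings += [(user, "UNKNOWN-ROLE", role, None) for role in unknown]
        for rule in rules:
            left = sorted(rule["left"].intersection(sources))
            right = sorted(rule["right"].intersection(sources))
            for l, r in product(left, right):
                findings.append((user, rule["id"],
                                 (l, sorted(sources[l])), (r, sorted(sources[r]))))
    return findings

if __name__ == "__main__":
    for finding in check_sod(USER_ROLES, ROLE_DUTIES, SOD_RULES):
        print(finding)
```

Each finding names the roles that grant the conflicting duties, which is what a reviewer needs in order to decide which assignment to remove.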
Gibbon estimates that the software saves roughly 40 hours of staff time annually for each of the company's 120 locations, which translates into hundreds of thousands of dollars. "But I think that's an understatement," she said. "You couldn't humanly perform this; it's too convoluted."
At Volt Information Sciences Inc., a $1.9 billion, New York-based global provider of staffing and telecom services, CFO James Groberg agreed that technology is key for compliance.
"You need a software application that will let you store the documentation, the testing and everything that goes with it in a manner that makes it easily available to your outside auditors, but also lets your own people search that database quickly and make alterations to your controls as needed."
According to its 2004 annual report, the company spent $400,000 just on external SarbOx-related costs, and Groberg said he expects that new software will significantly cut costs going forward. "Certainly our costs will come down," he said. "They'd better." The software, from OpenPages Inc., starts at roughly $65,000 for 25 users.
Gartner's Leskela warns companies to stop relying so heavily on outside parties for guidance. Auditors are in no hurry to be automated out of existence. "Don't listen to the deceptive advice of auditors," he said. "Everyone has their own agenda. Get rid of these people. They are taking up space and providing no value."
According to a former internal auditor who spoke on the condition of anonymity, "Audit firms don't want you to buy your own software. They want to manage this process from the cradle to the grave, and they have developed their own in-house tools that they let their clients use, for a fee."
Keep in mind, though, that software vendors have just as much interest in making money off your Sarbanes-Oxley woes and are flooding the market with products that may or may not be of any value to you, as Travatello can attest. "We could have done it in Microsoft Word and stored it somewhere special, and it would have been the same bang for the buck," he said.
Use the investment in SarbOx to weed out fraud and optimize business processes.
Analysts say it will take at least another year or two before companies can expect to see significant reductions in their SarbOx investments. Until then, says Frank of the Open Compliance and Ethics Group, "The fundamental question is: If you're going to make this investment anyway, how do you do it so it reaches some broader corporate objective?"
Though it is difficult to find concrete examples of companies leveraging the investment in SarbOx to achieve some greater business benefit, analysts say companies are often able to optimize the business processes they've documented.
One manufacturing company, for example, used the information it had gathered through its SarbOx documentation process to evaluate the performance of each of its plants. The company discovered that while most plants had a product rejection rate of 5 percent, one plant's rate was as high as 15 percent. Further investigation revealed that the problem was not mechanical: employees were stealing products off the line and selling them on the black market.
SarbOx supporters say examples like this prove the need for Sarbanes-Oxley. Controls at many companies have been lax for decades, a trend that led to corporate fiascos like Enron, WorldCom, et al. But Gartner's Leskela, who readily admits that SOX has tightened up corporate controls, isn't so sure that it has improved investor confidence. "I don't think SOX has done anything to restore confidence in the market; that's not clear at all," he said.
For smaller companies like Blue Rhino, the impact that high compliance costs can have on shareholder value can be more threatening than an SEC investigation, said Travatello. "Say a stockholder is looking to invest some money. He sees that Company A's shares went up 20 percent per year but didn't pass SOX, while Company B's stock dropped but passed with flying colors. What's the better value for him? I don't have confidence that the SEC can pull this off properly for everyone. The bottom line is that a couple of jerks at Enron have screwed up the whole world."