With deadlines and penalties looming, it's up to IT to ensure enterprise technology supports compliance

Just as with the Y2K crisis of four years ago, IT workers are being called upon to don superhero suits and save the enterprise from impending technology trouble. But this time, IT will be sifting through the complexities of the federal Sarbanes-Oxley Act of 2002 (SarbOx).

Overseen by the U.S. Securities and Exchange Commission, SarbOx attempts to sew up corporate financial accountability by implementing safeguards against accounting errors and fraudulent procedures brought to light during the high-profile Enron and WorldCom scandals. In response, IT executives at publicly traded companies will be taking a hard look at what is necessary to become compliant, and potentially overhaul their corporate infrastructure, software, and processes.

As they did during the Y2K dust-up, technology vendors from all sectors are actively peddling solutions, fixes — and fear. But unlike Y2K, which turned on a single event, meeting SarbOx requirements is a continual, complex corporate process, says Lindsey Sodano, research analyst at Boston-based AMR Research. “It keeps on going, unlike Y2K [which had] a solid deadline. This has a lot of different hurdles that will keep popping up,” Sodano says.

Although it is still unclear exactly how deep an overhaul IT will need to undertake, AMR predicts that publicly traded Fortune 1000 companies will spend as much as $2.5 billion this year in compliance-related projects.
Fifty-one out of 60 companies AMR surveyed say they will make moderate to major changes to IT and application infrastructure in support of SarbOx.

Putting this fear of failing to meet pending SarbOx deadlines into perspective, some analysts say IT managers should begin with relatively small compliance efforts such as turning on controls within existing systems and standardizing processes, but also should consider longer term and more expensive projects such as upgrading systems and consolidating multiple ERP instances. In fact, SarbOx is emerging as an opportunity to push strategic upgrade projects that have been in a holding pattern for months. Sixty-five percent of the companies surveyed by AMR are strongly considering ERP instance consolidation.

Redefining Financials

Financials lie at the heart of SarbOx. From an IT perspective, the reporting of financial results presents a challenge because financial data comes from multiple sources and the final consolidation may actually have to be done on one PC.

Complicating matters is that Sarbanes-Oxley changes the very nature of what is considered financial information. Where it once was a revenue or cost metric, now every aspect of a company’s business operations that might impact the financial outcome must be reported upon as well, says Ulysses Knotts, CEO of Tampa, Fla.-based CommerceQuest, which has developed SarbOx compliancy software.

The act brings together all the financial functions that vex even a CFO, says Tom Malone, CEO and president of Portland, Ore.-based SRC Software, which designs financial reporting and planning software. “A CFO needs to know what data to trust, whether it is from the general ledger system or the CRM system. It has to be consolidated and compared to a budget,” Malone says.
“What is needed is one system with a single source-code base with the same look and feel on everybody’s desktop so you have one truth.”

Most experts agree that an entirely new type of software that can retrieve data from multiple sources in an automated fashion must be developed for most companies to be SarbOx compliant. The software will have to allow for relevant executives from numerous departments to input and exchange data easily. In addition, that software would also need sufficient tracking capabilities so it can show that each executive signed off on the data and the reporting has occurred at the appropriate levels and at the appropriate times.

“To be compliant, the software must provide an adequate audit trail that shows where data came from, to whom it went, and who approved its accuracy as it traveled through the system,” Malone says.

But compliance doesn’t end with good tracking. In the past, financial reporting software was retrospective, focusing on what had already happened. SarbOx requires reporting any change in earnings forecast or an event that could affect the final results — within 48 hours.

Controlling Content Compliance

Because much of the legislation hinges on tightening information and records management, ECM (enterprise content management) and related technologies are emerging as critical compliance links. “[SarbOx] is more than just managing content. Under [many] requirements you have to declare certain data and content as records. Then you have different rules and policies governing the life cycle, retention, access, and distribution of that data,” says Charles Brett, senior program director at Meta Group in Reston, Va.

In the past year, the once separate worlds of records and content management have joined, giving ECM systems the power to establish rules and policy for the security and retention of content.
SarbOx will require ECM functionality that goes beyond documenting processes to establishing automated, repeatable processes, says David Cornelius, vice president of financial services solutions at ECM vendor FileNet in Costa Mesa, Calif. “[It is] important to have the content but also the process by which the content gets manipulated. Auditors will sign off not just on the data but on the way it was transformed.”

Content is all interrelated and has an entire life cycle, so a key step toward compliance is tying multiple repositories together, even from different vendors. “The fundamental issue is the need to have control over content, to know where it is and [be able to] get rid of it or keep it as required,” says Armonk, N.Y.-based IBM’s Vice President of Content Management Brett MacIntyre.

New York-based Volt Information Sciences, an information services company with nine different business units, looked to a SarbOx-specific content-management application from Open Pages, in Westford, Mass., to achieve compliance. “The problem is not developing internal controls — they are there,” says James J. Groberg, CFO and senior vice president at Volt. “The problem is making certain they were documented in such a way [that] it permits an organized look at all controls.”

Because its multiple business units lacked uniformity in documentation and processes, Volt sought a single, digital repository to provide better visibility. “The most important thing we needed was a tool that would allow us to assemble all the data in a format that would permit us to understand, find, and compare controls, and link crucial accounts and activities,” Groberg says.

Pushing Storage Expansion

No further proof of the far-reaching effects of Sarbanes-Oxley is needed than the fact that the SEC ruling determines the kind of hard disk or optical storage IT should be installing in these systems.
Meeting SarbOx requires storing greater and greater volumes of electronic records with accessibility to these records measured in hours rather than weeks or months. Therefore the need for managing storage devices becomes more challenging. Data must not only be retrieved quickly; a company must also demonstrate that the documents are authentic.

“If you go through all of the new reporting requirements that the CEO is signing off to, IT must be sure that where they are storing this information has content authentication,” says Roy Sanford, vice president of content address storage at EMC in Hopkinton, Mass. EMC offers EMC Centera, a SarbOx storage solution that creates a digital fingerprint to authenticate that content has not been changed.

In addition, because companies believe they are obligated to save everything including e-mails and instant messages, massive amounts of additional storage space are about to be consumed. If this is the case, setting retention periods to automate the deletion of data that goes past its expiration date becomes critical. Today, most storage platforms, whether they are platters in a hard-disk drive or CD-ROM and DVD optical drives, don’t have the management software to set retention levels, Sanford says.

Sarbanes-Oxley suggests best policies and practices, but it does not lay out a step-by-step blueprint of how to achieve them. With SarbOx deadlines looming and rules still to be implemented by the SEC, enterprises are preparing for the worst-case scenario, and vendors are applying the FUD (fear, uncertainty, doubt) factor to potential buyers, according to Alex Veytsel, a research analyst at Aberdeen Group in Boston. “As with any regulatory action, you never understand the full impact until the punishment hammer drops,” Veytsel says. And the hammer can drop — leaving the CEO and CFO personally liable for certain failures to comply with SarbOx.