Managing content for compliance
The Sarbanes-Oxley Act, signed into law in July 2002, was enacted in response to a series of corporate failings centered around deceptive financial reporting in publicly owned companies. Geared toward protecting investors and employees, the law addresses a wide range of issues, including: the conflict of interest that arises when an accounting firm takes on the dual role of advising and auditing a company, the proper role of boards of directors, and the personal responsibility of chief executives.
In addition, the Sarbanes-Oxley Act places several specific requirements on companies that relate to information management, including:
- requiring companies to establish, document and test internal financial controls in order to prevent fraud (Section 404) and
- maintaining records associated with audits for a specified length of time, to provide enduring evidence of documents and transactions associated with business operations (Section 802).
The clock started ticking on Nov. 15, 2004, for "accelerated filers," (businesses with more than $75 million in market capitalization), which have 75 days after their fiscal year end to bring their firms into compliance with Sections 404 and 802. An additional 45-day extension was granted in December 2004 to the smaller firms in that group to comply with Section 404.
Argosy Gaming operates entertainment complexes that include riverboat casinos, hotels and restaurants in six Midwestern and Southern locations. The company began looking at software options for compliance with Section 404 in 2003. Like many other companies, Argosy initially opted for a manual process using Microsoft Word and Excel in 2004, the first year that compliance with Section 404 was required. Manual processes were feasible because all six sites followed a similar business model, so testing models for one unit could be applied to the others. Nevertheless, the work required was significant.
"We wanted to be sure we were more than prepared," says Craig Robinson, VP of internal audit for Argosy, "so we were very aggressive in our documentation and testing." Although pleased with the outcome of its efforts, Argosy sought a less labor-intensive and more user-friendly solution for future years.
After exploring a number of options, Argosy settled on the Stellent Sarbanes-Oxley Solution. "Stellent was willing to commit resources to developing a solution tailored to our vertical," comments Robinson, "and we also felt we would get good support from their local office." Protiviti, a company that partners with Stellent and specializes in compliance, is working with Argosy on the application, which is in the process of being implemented.
Once the Sarbanes-Oxley solution is in place, Argosy may consider extending the Stellent infrastructure to other uses. "The gaming industry is incredibly paper-intensive," adds Robinson, "and subject to state regulations that require extensive documentation." The company generates 100,000 pieces of paper per day, he notes, so it would make sense to use the Stellent system for managing digital document retention as well, by adding other modules.
"Content management for compliance is a very compelling issue right now," says Dean Berg, director of business development/compliance at Stellent, "but over time, companies will migrate from this near-term focus to a broader enterprise view."
Many elements will eventually work into the compliance framework. Berg believes that the current corporate mindset on compliance is that despite the cost and effort to implement a solution, good governance is the right way to run the business.
"Compliance is going to be part of business forever," he says. "Having a solid platform in place will allow companies to take on compliance as a strategic initiative rather than being reactive, because the solution can be modified as the details of compliance evolve."
A unified platform will also help with records management compliance as mandated by Section 802. FileNet, a leader in ECM and business process management (BPM), expects customers to use its FileNet P8 ECM platform for compliance in the future.
"It's a natural leap to extend an existing content management platform for Sarbanes-Oxley compliance," says Craig Rhinehart, director for compliance markets and products at FileNet. "Companies are realizing that compliance is not like the one-time expense of Y2K, but is an ongoing effort, and they need to figure out ways to reduce the costs." Using a content- and process-based platform is one way to leverage previous IT investments.
"Compliance has both explicit and implicit requirements," adds Rhinehart. "There is a stated requirement to map out and test processes for internal controls, but in addition, there is a burden of proof to demonstrate that the process was followed." A content and process infrastructure that keeps images of checks, invoices and other documents associated with transactions offers an efficient way to provide that evidence to auditors.
Nothing in Sarbanes-Oxley mandates automation, but manual processes are much harder to document and test. In this respect, compliance will have some benefits that extend beyond that of staying within the law.
"Once a company maps out and automates its processes, they can be modeled and made more efficient," Rhinehart says. "In fact, not automating is going to prove costly, especially in terms of risk." He cites e-mail management as a good place to start. The FileNet Email Manager, announced in January 2005, is designed to make e-mail content part of an organization's business processes by using an intelligent method of determining whether an e-mail is a record and automating the classification process.
As with any business process, the difficult part is not the actual automation itself, but determining who owns each process and how it should flow.
"It is important for companies to develop standards of excellence and understanding around the various sections of Sarbanes-Oxley," says Garth Landers, director of content management strategies at Mobius Management Systems . "For some sections of Sarbanes-Oxley, the ultimate responsibility is with the auditors, while for others, it's with officers of the company." Landers recommends having one focal organization for compliance that is plugged into legislative changes, new technology and best practices. That organization is responsible for creating synergies among corporate counsel, IT and business operations.
Routing a financial report to the CFO for certification on schedule is an important step in compliance, but rather basic, according to Landers. "Compliance systems should go beyond process and content management. They should also be able to validate the content," he says.
Integration with key business systems is vital. The Mobius ViewDirect-ABS product, which is part of the ViewDirect TCM suite and has been available for 17 years, can compare figures in a created report derived from data in an accounts-payable module and with data housed in other accounting applications.
"If an out-of-balance element is detected between two different applications or a threshold is exceeded," Landers says, "a notification is sent." Problems can be pre-emptively detected and solved farther upstream, saving trouble later on.
Companies are best served by taking a broad view of compliance issues, rather than settling for tactical solutions. "Sarbanes-Oxley is not about IT, but about processes," says John Van Decker, senior VP at Meta Group. "A major pitfall is that companies don't understand what the Section 404 issues are, and where they might have weaknesses."
When companies do bring IT in to support their compliance initiatives, they should be thinking about holistic strategies and how compliance will fit in with their overall infrastructure. Otherwise, the result could be costly upgrades and a more expensive infrastructure.
Sarbanes-Oxley: Are we there yet?
Because not all of the provisions of the Sarbanes-Oxley Act have been in force for a full accounting cycle, making absolute statements about progress is difficult. However, the process of implementing the law has moved steadily forward. Within a few months after Sarbanes-Oxley was enacted, the Securities and Exchange Commission (sec.gov) had issued proposed rules, solicited comments and issued final rules for numerous provisions in the law.
The Sarbanes-Oxley Act established the Public Company Accounting Oversight Board (PCAOB) to oversee the auditors of public companies to ensure fair and independent audit reports. As of August 2004, the PCAOB had published reports on "limited inspections" of the big four: Deloitte and Touche, Ernst & Young, KPMG and PricewaterhouseCoopers. Those reports identified some deficiencies in the audits with respect to Sarbanes-Oxley and provided a foundation for broader inspections in the future.
Meanwhile, on the corporate front, surveys indicate that most executives are optimistic about meeting the requirements of Sarbanes-Oxley, but some worry that the effort required will divert attention from overall corporate strategy and performance.
"It will be a year or so before we know how well companies are complying," says Jesse Jacobs, spokesperson for U.S. Sen. Paul Sarbanes, who co-sponsored the bill. "We have heard from a number of large companies that they do not expect to have difficulty in meeting the requirements of the law, although some smaller companies have expressed concerns. In the long run, the improvements will be beneficial to industry, since everyone is best served by honest books and records."
Judith Lamont is a research analyst with Zentek Corp., e-mail jlamont@sprintmail.com.