How hard is it to comply with the Sarbanes-Oxley Act’s Section 404? Just ask Neal Barnard, CFO of Dana Commercial Credit Corp. and head of the Section 404 compliance project at his Toledo-based auto parts-maker parent Dana Corp. Section 404 requires a company’s top management and its auditors to attest to the reliability of the organization’s internal controls on financial data gathering and reporting. That involves extensive documentation on what controls exist and how they work, and so far at Dana, five people have been working full-time on the project for six months.”That’s roughly 10,000 people hours just from the five of us,” Barnard says.
Another 300 finance employees attended two-day training sessions that $9.5-billion Dana held four times: twice in North America, once in South America and once in Europe. Barnard estimates that 1,000 employees will be involved in the effort to document internal controls and says Dana has translated its web-based self-assessment tool into five different languages. “It will be a significant investment to be compliant,” Barnard says. “Not because I think we have weaknesses, but the process has to be documented in a fashion that has to be auditable so that if the SEC comes in, you can lay it all out in front of them. There’s just a lot of work involved in documenting the controls.”
Companies selling financial software know that and have been trying to seize upon the new law as a marketing opportunity, developing new solutions for Sarbanes-Oxley reporting and repackaging older products to promote their potential application. Beyond 404 compliance, vendors are also offering up technology to meet the law’s tighter deadlines for filing 10-Ks and 10-Qs with the SEC and reassure CEOs and CFOs about the accuracy of the data that they now have to personally sign off on. So far, though, Sarbanes-Oxley has not turned out to be the next Y2K for technology sales.
Why? Part of the reason is timing. Executives at companies had been running so fast to get ready to meet the original Sept. 15 deadline for 404 compliance that for most, buying and implementing a new system have been out of the question. Take Dana’s rival and would-be acquirer ArvinMeritor Inc., which has a fiscal year that ends Sept. 30. If the Securities and Exchange Commission had not recently postponed the compliance deadline until June 15, 2004, ArvinMeritor would have had to have documented internal controls in its 150 facilities in 27 different countries by this summer to provide outside auditors enough time to test them before the company’s yearend. Given the tight deadline, the Troy, Mich.-based manufacturer decided that the safest approach was to tackle the project internally. “We were looking at this freight train coming at us with very little time,” recalls Diane Bullock, controller and vice president.
With the extended deadline, however, companies are once again able to consider bringing in outside technology. The SEC has “given people a breather in terms of having to invest in a technology-based solution,” says Jennifer Chew, a senior analyst at Forrester Research in Cambridge, Mass. But down the road, she expects Sarbanes-Oxley to result in new spending on technology. “There is certainly an opportunity here for smart CFOs to take advantage of the increased attention to financial controls and risk management to put in place some technologies that help facilitate all of the good intentions executives have around financial reporting and controls and compliance,” she notes.
Chew predicts that vendors and corporate finance departments will move toward what she calls an “electronic controls library,” which will not only store the company’s information on its rules and controls, but provide analytics that help companies access detailed financial information and workflow tools that automate decisions based on the controls. For example, the workflow tool could automatically notify the appropriate executive when something occurs that violates the company’s rules, she says.
John Van Decker, senior program director for application delivery strategy at Meta Group in Stamford, Conn., expects companies eventually to undertake “a number of projects” related to Sarbanes-Oxley, with a sizable number of IT and finance executives saying they plan to rework current financial management processes to support Sarbanes-Oxley. They need to be able to get access to the details underlying their financial reports more quickly, Van Decker argues, in part because CEOs and CFOs are now on the spot to certify their companies’ numbers.
For this reason, he predicts they will start buying more financial technology later this year and “will really ramp up in the second half of next year.” He cites the hypothetical of a company that usually sees $1 million in revenue from one of its lines of business each period and then one period finds that the business brought in $1.5 million. “You want to understand why it’s $1.5,” Van Decker says. “In a lot of cases, [for] firms that are operating on multiple ERP systems, or multiple general ledgers, it’s not as easy to bring this information together and drill down to the particular detail.”
Van Decker anticipates that this need will encourage the use of business performance management systems, which combine access to business data, the development of business plans and the reporting of those plans. (See page 20) Companies are likely to enhance BPM systems with tools that allow them to “drill down into the transactions” so that “anomalies will ultimately be traceable back to a source,” Van Decker says.
It’s Raining New Solutions
To the extent that companies are already purchasing technology in response to Section 404, many have been buying systems that aid in the process of documenting the company’s internal risks and the controls used to mitigate those risks. New risk assessment systems have been popping up like mushrooms. Many of them involve web-based self-assessment questionnaires that companies can use to gather information about risks and controls from employees at all of a company’s locations and lines of business. The systems also store documentation and help track any projects initiated to bolster weak controls. For example, Craig Spielmann, the executive in charge of JP Morgan’s Horizon, an operational risk management system that involves a self-assessment tool, says he has seen a lot more interest in the product from corporations as a result of Section 404.
Therese Webb, managing director of Sarbanes-Oxley related services for Parson Consulting in Chicago, says given all the new risk assessment systems that have been put on the market recently, companies that are considering buying one should be sure that it has been tested and that it does what it says it does.
When Dana started planning its Section 404 efforts in late January, it considered–and quickly rejected–building software internally. “For us to do this, still assuming the 2003 deadline, it was best to go with an externally developed software package,” Barnard says.
Dana wanted a self-assessment questionnaire that would gather information on internal controls from employees at each of its 300 to 400 plants around the world. Barnard says that Dana was looking for a web-based solution that was relatively intuitive, because given the time constraints, employees would have to be able to respond to the questionnaire without much assistance or additional training. Dana chose Paisley Consulting’s Risk Navigator. Barnard says Dana also liked Risk Navigator’s flexibility in allowing the attachment of all sorts of documentation, including Word documents and Visio charts.
ArvinMeritor accomplished the same thing internally, taking a paper-based self-assessment questionnaire on controls that the internal audit group had been using and turning it into a web-based tool called Internal Control And Risk Evaluator, or ICare(TM). Rich Pegher, ArvinMeritor’s general auditor, estimates the entire process took 750 hours.
The group decided that the original questions were outdated and “tried to develop sort of a super questionnaire, one that dealt with issues not only directly involved with Sarbanes-Oxley, but that any good control environment evaluator would want to know,” explains Pegher. They identified 10 main business processes and 75 sub-processes and came up with 652 detailed questions, which were designed so that businesses could answer either yes or no to whether the control existed and whether it was important, he says. The questions were written as clearly as possible because planners were aware that some of those responding would not be native English speakers, and the questionnaire was tested at the company’s largest facility.
The controller at each of ArvinMeritor’s 150 facilities is responsible for the questionnaire, but Pegher says completing it will require the assistance of employees from the different business areas at each location. In addition, IT staff will fill out a questionnaire for each of the company’s many applications and operating platforms, bringing the total number of questionnaires to 300 or 400. “That’s the real complexity of this, the controls on shared IT environments,” Pegher says. “It’s very, very difficult to do.”
At Autodesk Inc., an $824.9 million vendor of computer-aided design software in San Rafael, Calif., CFO and senior vice president Alfred Castino decided to use a workflow and documentation tool, ProForma Corp.’s ProVision, that its IT staff was already using for systems projects in its effort to document its controls. Castino says he feels no need to upgrade his financial technology in response to Section 404 or other sections of Sarbanes-Oxley and notes that the SAP Financials the company uses “have been very helpful.” He argues that speeding up filing of reports to the SEC isn’t primarily about technology, but about cutting down on the time spent waiting for people to sign off on drafts. “I don’t need an enhanced system, I just need people to have tighter deadlines,” he says.
Todd Naughton, controller and vice president at Zebra Technologies Corp., a $475.6 million maker of bar code and plastic card printers and printing materials, says his company decided against buying software to document its internal controls, in part because nothing on the market at that point contained all the features that Zebra wanted. Instead, the company relied on tools that it had already–Excel, Word and Visio diagramming software. A group went through Zebra’s financial statements line by line and worked out for each item “what could go wrong, what controls do we have in place, [and] how will we test them,” Naughton says. After a week, the group had produced a 36-page long Excel spreadsheet documenting Zebra’s risks and internal controls.
He credits Zebra’s implementation last year of Hyperion Financial Management with having reduced the amount of time it takes to close its books, so that the company is already meeting the faster filing deadlines that the SEC will impose for 10-Ks and 10-Qs in coming years.
Controls Effort A Long-Term Plus
Even so, Naughton expects to go shopping for internal controls software down the road. “We’ll wait and let the market shake things out, and then a year from now, when we’re looking at a lot more mature product that has been through some cycles, it will be a lot easier for us,” he says.
Despite the work and expense involved in documenting their internal controls, the companies interviewed say they have benefited from the exercise. Pegher says the internal controls assessment that ArvinMeritor has set up will become a tool that changes the company’s risk management procedures and “adds a lot more value.” Dana sees its work to comply with 404 as an opportunity to identify best practices and “be able to drive a better financial operation” within the company, Barnard says.
At Zebra, Naughton says he didn’t find any material weaknesses, but did find areas where “we could be more efficient, we could have more consistent practices from one site to another, we could automate something and do it cheaper.” For example, its British operation hadn’t gotten the credit management software that has helped the U.S. operation monitor collections and track dispute resolution. While Zebra had planned all along to implement the system in the U.K. eventually, the documentation process provided data on how that software would benefit the U.K. operation. “Now it’s easier to say, ‘This is why it’s important,’” Naughton says. “When it comes time to go to get funding for that tool, it’s going to be easier.”
Michael O’Donnell, who leads technology risk services at Protiviti Inc. an internal audit and risk consulting firm, claims “it’s too early for companies to say, ‘We are going to have a major, major increase in IT spending.’” Companies almost have to complete the initial documentation of their risks and controls before making any major commitments to new technology, he says, and “I think they’re still involved in that assessment phase.”
O’Donnell suggests the spending that occurs will be directed toward making the assessment of internal controls in the future easier and more predictable. “The end game is a repeatable process,” he says.