At the heart of CA's overhaul is a $100 million-plus, multiyear project to establish the company's first single instance, global ERP system, being supplied by SAP AG, which Davis is co-managing with the company's CIO. The investment is considered one of the good governance initiatives CA agreed to in its 2004 federal settlement, but as Davis is quick to point out, it is also a key component of his strategy to make Computer Associates more efficient and more profitable. "CA was a company aggregated as a result of a lot of acquisitions over the last 25 years," says Davis. "There were disparate systems not strung together for robust [processing]." The new ERP system will replace dozens of separate systems worldwide that were seen as seriously flawed, a situation that was not thoroughly addressed as the company grew. "We're using SOX and the whole compliance effort as groundwork to avoid garbage-in and garbage-out," Davis adds. "Laying the groundwork for a new ERP system will give us a huge payback [beyond compliance]."

Unfortunately, the attitude that compliance-related efforts should generate business process paybacks has yet to catch fire. Many companies have yet to advance from the documentation-driven crisis management that dominated year one to something more beneficial and sustainable. "Year two got moved into year three," says Lee Dittmar, a principal at Deloitte Consulting LLP and leader of its enterprise governance consulting practice. "The compliance management process in most companies gets put on top of what [they] do rather than baked into it, and that's inefficient."

But if more CFOs adopted Davis' strategy, they would find that there are substantial efficiencies and opportunities to be garnered–with the biggest potential payback to be found in exactly what Computer Associates has identified as its initial mission: standardizing key systems across the organization. "Why have multiple payroll systems, unless there is a specific reason?" says Deloitte's Dittmar. "And why have multiple supply chains? The biggest value for companies can come from biting the bullet and standardizing."

MORE SPEED, FEWER RISKS

No doubt, however, this is also among the most costly projects. Still, companies should consider not only the often significant short-term costs of major system overhauls but also the compliance and financial risks inherent in using outdated systems strung together for core functions.

For instance, there may be no more sensitive, and risky, process than the ways companies aggregate financial data and close their books at the end of a reporting period. "As companies took on this government-mandated introspection of control processes, many found their corporate reporting processes were fragmented, manual, labor intensive and fraught with a lack of control," says Doug Barton, vice president of product marketing at business performance management (BPM) vendor Cognos Inc. This was particularly true in such areas as foreign currency translations, intercompany reconciliations and cross-ownership accounting. The lack of reliable, standardized automation led to many of the material weaknesses unearthed in year one compliance. "A lot of this work was being done on spreadsheets, offline. That can compromise both the speed and integrity of the results," says Barton.

With automation and standardization, however, companies can address both compliance and performance issues simultaneously. After a company automates its accounting processes, internal users gain more confidence in the data being generated and the need for extensive internal and external audit reviews is reduced, Cognos' Barton explains. The next step is where the real efficiencies kick in, as the use of better forecasting methods builds in more actual data on a continuous basis and allows a company to respond faster to changes in business conditions or budgetary targets. Barton cites the example of a major credit card issuer that used the Cognos system to reforecast budgetary outlays by department on a monthly basis. The practice allowed the company to reallocate funds into new card growth at a crucial time, resulting in an 8% year-over-year rise over the original forecast that otherwise might not have occurred.

Behind Computer Associates' global ERP standardization–which is taking place over a 36-month period, with new releases being added every 90 to 120 days–is a similar appreciation for the intersection of compliance and performance. Parts of the system already in place include global real-time spend analytics, office supply procurement and global finance consolidations of income statements, the balance sheet and funds flow. Later will come overhauls of its core financials, integrated end-to-end sales processes and data cleansing and mapping. Under CA's old model of multiple systems, essential business processes such as price quotes, procurement and collection were taking too much time. "We want to procure supplies on a more real-time basis and provide a lot more information to our sales force and product development group," says Davis. With key elements of the new system still to come, it is too early to measure what the benefits will be in terms of efficiencies or cost savings. But CA will clearly see faster turnarounds through better automation and more sharing between departments–elemental factors in business processes at large and small companies alike. "We'll have a more streamlined system and won't need a lot of manual workarounds," says Davis.

He adds that getting such a big job done was made far easier because of support from the board of directors on down that such a costly overhaul was necessary. This is where Section 404 actually helped by providing more incentive. Besides the ERP project, Computer Associates has instituted a long list of compliance improvements, including an anti-fraud program, new management-level duties and segregations and more thorough documentation of key controls in tax, financial reporting, software development, accounts payable and others.

Adding more standardization to a process can take many forms. Some companies are finding benefits by focusing first on the process and then identifying the inefficiencies in their approach. "If a company is processing accounts payable at five different locations, they should look at each one, take the best practices from each and develop standards that they can roll out across the organization," says Anne Marchetti, practice director at Parson Consulting LLC. The idea is that it doesn't take massive amounts of new spending to overhaul a process in ways that can improve compliance and produce efficiencies for the business.

A more dramatic overhaul that companies could consider is setting up a shared services approach, where a particular process is centralized in one location within the company rather than occurring in numerous business units. "We're seeing more clients thinking about the cost benefits around shared services," says Marchetti. An elimination of redundancy, monitoring and testing from a SOX perspective are added benefits to greater centralization, as well as the likely need to have fewer full-time employees. But establishing a shared service center for a large company can involve considerable costs and it is not the answer for every company. "There is definitely an investment involved and it's not something you do overnight," says Marchetti.

THE NEXUS BETWEEN IT AND FINANCE

Many companies continue to struggle with setting IT and security controls that do not interfere with crucial business processes. Much of the problem can be cultural within a large organization. "Information security kind of grew up the wrong way," says Evan Tegethoff, practice manager for strategic security solutions at Forsythe Solutions Group Inc., a technology consulting and leasing firm in Skokie, Ill. "A lot of times it was in the orbit of IT staffs," who remained isolated from broader finance or operational efforts. SOX has forced companies to replace that siloed mindset with a more flexible, holistic one that can produce "soft ROI returns," according to Tegethoff. "Now there is direct communication between CFOs, compliance and privacy officers, where before there wasn't that at all. A good outcome of that is having an enterprise security policy." That can extend to one of the newest focuses for compliance, identity management, the processes and controls that set the standard within an organization for access to sensitive financial data, password protections, segregation of duty and similar functions. Returns on such fixes may prove to be measurable less in dollars and cents than in the comfort companies can take in the establishment of safeguards and the knowledge that potential hazards to key processes have been reduced, if not eliminated.

In pure financial functions, there are also sizable savings to be had through compliance-related automation efforts. Those looking for a fresh approach built around process efficiencies can start with working capital management, especially accounts payable and accounts receivable. These liquidity-centered processes tend to be ripe for improvement at many companies, so dollars can be more efficiently generated (or saved) while the controls around them are girded for audit review. The level of change needed, however, ranging from organizational tweaks to massive technology overhauls, varies greatly from company to company.

Although TELUS Corp., the $6.3 billion telecommunications company, is not U.S.-based, it does have a listing on the New York Stock Exchange and will be subject to Section 404 requirements in 2006. While that has provided extra time and allowed Vancouver-based TELUS to monitor the experience of U.S. companies, it has not sat idle. Already, it has added a continuous controls monitoring application from ACL Services Ltd. to its payments systems, which addresses many of the compliance issues that TELUS will need to face next year. But like Computer Associates, TELUS is not judging this system against compliance needs alone; the company is looking for–and finding–bottom-line results.

Continuous controls monitoring is increasingly regarded as an effective way to build a tighter compliance environment around employee segregation-of-duties controls or to monitor suspicious transactions submitted by employees and vendors. The applications monitor 100% of the transactions going through an ERP system, so from a controls perspective, auditing an automated process is far simpler than auditing one that requires a lot of manual input.

With the ACL solution, however, TELUS has also saved considerable money by identifying duplicate vendor invoices and other expenses so early in the process that it recouped the system's $285,000 price tag in its first six months of operation. "There have been 20 to 30 duplicate vendor transactions identified by the system, which have resulted in recoveries, to the direct benefit of TELUS' bottom line," says Gary Silsbe, director of operations excellence for TELUS' finance operations. There have also been a smaller number of duplicate employee travel invoices found as well, but most of those transactions tended to be on the small side. That wasn't the case when the system caught a single duplicate vendor invoice valued at more than $160,000. Upgrading an A/P system can also allow a company to take better advantage of vendor discounts that it may be missing because of a slow, heavily manual process. TELUS is not stopping with A/P: It is already building a similar tight controls-focused environment around its billing and accounts receivable processes.

Process paybacks can also be found in areas of risk management and assessment. In May, the Public Company Accounting Oversight Board issued valuable guidance on internal control audits, including a suggestion to focus audit attention on areas in a company that are of high risk to impact financial statements. This was seen as a way to offer companies relief in their year two documentation and testing, after what most everyone saw as a difficult year one. The next step is for companies to build "key risk indicators" around their most high-risk processes. "If a company wants better risk management, it should build metrics and measures that give it an idea if its control environment is under strain," says Steven Beattie, a partner and banking and capital markets segment leader at Ernst & Young LLP.

20/20 HINDSIGHT

The right set of risk-based measures can anticipate difficulties before they happen. One way it can be done is to trace back from a company's loss data, like that involving write-offs or losses as a result of operational breakdowns, including instances when a member of a team fails to perform the right function when needed, says Beattie. It can also be used on an operational level to track, for instance, the experience of a business unit coping with heavy turnover just as sales volume is picking up. The right set of risk measures can tell managers when they may run the risk of falling behind on orders or service delivery to customers or other departments within the enterprise. It may take a new level of discipline to set controls that not only improve a process but anticipate a problem down the road, but the benefits will no doubt be worth it.