Jan 2006
Discover the Hidden Benefits of Sarbanes-Oxley

Smart CIOs are using Sarbanes-Oxley compliance as a launch pad for updating systems, smoothing operations, and staying ahead of the competition.

Sarbanes-Oxley requires firms to assess the risks related to business processes that affect financial reporting. Reuters advocates an approach based on workflow and adaptor technologies that enables processes to be monitored throughout the organization. "The idea," says the head of operational risk practice at Reuters, "is to map and model each process all the way from inception to the boardroom so that the directors can have some extra assurance over the financial disclosures they are signing off on."

Signed into law by President George W. Bush in July 2003, the Sarbanes-Oxley legislation (known as SOX) turns the spotlight on corporate governance and aims to reduce the chances of another debacle like Enron. The new rules apply to all companies listed on a U.S. stock exchange (including those headquartered overseas whose shares are traded as American Depositary Receipts, or ADRs) and make it mandatory for them to demonstrate that they have proper controls in place. Other areas of SOX cover ethical behavior, board composition, and the independence of auditors. Senior executives are deemed personally responsible for compliance and must testify to the accuracy of their companies' accounts.

In the wake of the accounting scandals of 2001, Sarbanes-Oxley grew out of the premise that if corporate governance practices were made more transparent, it would restore investor confidence. Confident investors could then kick-start the economy by returning to the U.S. stock market.

Weighty Regulations

For many executives, however, SOX seems like one more onerous set of rules to comply with. Seventy percent of those polled by CFO magazine said the cost of compliance (AMR Research predicts that Fortune 1000 companies will spend a total of $2.5 billion this year) outweighs the benefits.
CFOs and CEOs feel they're first in the firing line, but watching some of their peers get collared has shown CIOs that it's their responsibility as well. "It needs to be a team effort," says Phil Strand, program director of corporate governance and financial intelligence at North Carolina-based SAS, which develops data management and business intelligence software. SAS also offers a SOX solution. "The CEO and the CFO sign off on the accounts, but only the IT department can help them find the information."

The trick is to embrace the need for regulatory compliance and turn it into competitive gain, Strand argues. CIOs should not be shy about using Sarbanes-Oxley as a justification for new projects if those efforts can improve internal controls and deliver the required data.

Julian Fisher, head of operational risk practice at Reuters, agrees. "We should be trying to turn the regulatory directives into a competitive advantage that will eventually affect the bottom line," he says. "It means looking at the intent rather than the letter of the law. Much has been happening in the U.S. accounting space, where they are moving from a rules-based approach to one that is led by principles.

"Regulatory issues are interrelated," he continues. "They should be treated holistically, from both a business and an IT standpoint." For example, as a result of newfound efficiencies, many financial firms expect to reduce costs or losses by 20 to 30 percent as they work on Basel II compliance. Similar gains can be made from compliance with SOX, not least of which are lower bills from auditors and risk insurers, whose prices have risen steeply following the scandals.
The Right Information

The challenge lies in creating an infrastructure that can collect the important data from many distinct reporting systems (purchasing, sales, general ledger, and so on, running on a variety of computing platforms) and presenting it in comprehensible form to the board of directors.

SOX requires firms to assess the risks related to business processes that affect financial reporting. Reuters advocates an approach based on workflow and adaptor technologies that enables processes to be monitored throughout the organization. "The idea is to map and model each process all the way from inception to the boardroom so that the directors can have some extra assurance over the financial disclosures they are signing off on," says Fisher.

Such a system can also provide more information up front for auditors, reducing their costs. "We can grab information at a transactional level, and wrap controls and key risk indicators around it," Fisher says. "So instead of your external auditors taking a sample of, say, 30 transactions out of 10,000, you can have 200 to 300, which provides a much richer pool of information from which to do the year-end audit."

At the boardroom level, new visualization tools are emerging to make compliance a whole lot easier for directors. Using these tools, CEOs and CFOs can combine different views to see whether the company is getting better or worse at certain processes. A securities firm could probe the causes of trade failure, for example.

Concludes Fisher: "By combining the transactional data you need for SOX with self-assessment and risk indicators, you can begin to improve the way you run your business."

Additional Information: Connecting the Dots

Do the figures in your management reporting systems accurately reflect the numbers flowing through your transaction systems? In the absence of precise technology guidelines for Sarbanes-Oxley compliance, that is the first question to ask.
"Companies need to ensure there is an umbilical cord between their reporting and source systems," says Nigel Woodward, global segment manager for capital markets at Sun Microsystems. A firm with, say, a fixed-income system in Asia, an equity system in New York, and a trade-finance system in London must examine its messaging infrastructure. "If it's not touching all those endpoints, they need to think about how to extend it," Woodward explains. "Is it cost-effective to extend the existing design or would it be better to investigate new technologies such as Web services?"

Components of the Sun Java Enterprise System can help firms address the integration issues "below the water line," while Sun's Sun Partners have applications such as data-mining tools that sit on top. "Firms need to access data and transport it to a central point, then convert it to a common standard and report on it," says Woodward. "We can design an infrastructure to do that, and help you meet the Basel II risk management requirements as well."