Where our team of editors discuss what they think about the current BM issues.

Meeting Sarbanes-Oxley compliance continues to be a seemingly never-ending and expensive challenge for the majority of companies. Since its inception, companies have faced the dilemma of adapting and upgrading their infrastructure to ensure they meet the needs of the anti-corruption regulations, or de-listing as publicly traded entities. Many claim that meeting compliance has far exceeded initial cost estimates and often comes at the expense of innovation and growth, particularly for smaller companies; opponents are also adamant that the legislation only tackles symptoms rather than causes, and therefore that the law’s long-term effect on improving corporate behavior is impossible to predict. Nevertheless, the legislation serves an important purpose in helping to ensure that a repeat of scandals such as Enron and WorldCom is avoided.
As a principal analyst with Forrester Research, Bob Markham is knowledgeable on all areas of compliance including SOX and eDiscovery, content lifecycles and how best to leverage content in the enterprise. Despite industry cynicism about the effectiveness of SOX, Markham is supportive of the new regulations, considering them essential for harmony in the future. “SOX is about creating business efficiency and transparency for the process of collecting, verifying, certifying and reporting on a business’s financial condition,” he says. “All businesses can benefit by automating and making this a repeatable process. The market has responded to the additional transparency that this process leads to for financial reporting – ultimately, SOX is about good business and this is very beneficial.”
One of the problems cited so far by companies attempting to meet Sarbanes-Oxley compliance has been a lack of adequate tools. With more than two decades of expertise in designing, integrating and implementing enterprise-scale systems, Markham has extensive experience of innovative technologies that provide solutions to customer business needs and believes technology is extremely important to the compliance process – and is essential to make the process repeatable.
“First and foremost, there must be a defined process that lends itself to technological automation,” he advises. “Technology can only be successful when the process has been defined that lends itself to automation. The basic functionality of SOX software, in most cases, is up to the job. Further advances allow for continuous monitoring, which brings in a level of compliance not obtainable through manual processes.”
The current market is littered with an enormous range of software products that address SOX compliance. However, according to Markham, the most useful will be those solutions that can tie into existing infrastructure for financial, content and records management. “A new silo of technology for compliance just increases the burden on IT and end-users,” he warns. “Most companies will find that integration with existing infrastructure will be key, and if their infrastructure is not supported then a solution flexible enough to be integrated will be the next best option. That said, it is an incremental process with getting the controls in place being the highest priority.”
With this in mind, how do the products on offer vary in their ability to help a company meet its compliance needs, and who are the leading vendors? “SOX compliance is a rapidly maturing software category that combines enterprise content management, analytics and enterprise applications. Three criteria provide significant differentiation among the SOX offerings evaluated: integration, collaboration, and reporting and monitoring. The user interfaces also vary widely in capability and ease of use,” he explains. As for leading vendors, many have emerged in the last few years, although some have excelled over others. “OpenPages has emerged as the leading vendor, with IBM, Paisley Consulting, HandySoft and Oracle close behind. Enterprises seeking a single platform for enterprise risk management should give preference to IBM, OpenPages and Paisley Consulting because they provide a broader focus beyond SOX that encompasses additional compliance categories, including integrated enterprise risk management.”
The saturation of the market with vendors means that a number of trends will become apparent over the next year. “Consolidation will continue as the window of opportunity for SOX compliance shrinks by late 2006. Acquisitions among competing vendors will focus on combining customer bases to reach critical mass,” says Markham.
As a result, only a few specialized SOX applications vendors will remain within two years. In order to thrive, Markham believes they will have to expand their focus beyond SOX. An incentive to do so will be the growing demand for broader compliance and enterprise risk management capabilities. He cites expanded control frameworks such as COSO II and COBIT – as well as compliance process support in areas like product safety, financial risk, human resources and environmental compliance – as some of these expanded offerings. “This expanding solution set will re-energize the market in 2006, opening opportunities for new entrants into an expanded compliance market and for existing vendors to acquire compliance domain expertise,” he adds. “In this way, support for existing infrastructure as well as long-term viability and product roadmap will be important for organizations to understand.”
Another issue is that meeting compliance requirements often results in regular system updates, and containing those costs is a priority for companies. Markham suggests there are a number of steps organizations can take to help ease the cost of ongoing compliance projects.
“The umbrella of risk management and IT security is broader and, in some cases, out of scope for what is necessary to meet SOX compliance obligations,” he says. “The goal of internal controls is to provide reasonable assurance to minimize errors and reduce fraud related to financial reporting. To optimize and monitor internal controls to support SOX compliance efforts, focus on solutions that support the business context. This includes solutions that address key business processes, including those related to payments, revenue recognition, cash and fixed assets. It also includes access and use controls related to enterprise applications (including ERP). Beware of vendors touting SOX-related silver bullets for controls compliance whose solutions are unproven or so narrowly focused that they do not address the key material risks related to financial reporting.”
So, what does the future hold for compliance? Markham believes that SOX compliance efforts will evolve to increased levels of sophistication and sustainability in 2006. He identifies five trends and developments likely to shape the compliance landscape over the next 12-18 months.
Certainly, he thinks that control software vendors will ‘shake out’. The market for software to support the internal controls evaluation process emerged in 2003 and matured rapidly through 2005. And this year, Markham expects to see a significant consolidation down to a handful of viable choices. “These remaining vendors will expand to support other governance, risk management and compliance requirements to maintain momentum, as well as looking to international markets to support similar requirements.”
He also envisions that controls automation and monitoring solutions will solidify (“2006 will be the year of acceleration for software tools to continuously monitor and automate controls. Companies will adopt these tools to detect errors, monitor transactional integrity and prevent fraudulent or unauthorized activities”), while companies will invest more in financial management and reporting systems “to consolidate and standardize accounting systems for better controls, faster closing and more useful management reporting.”
Elsewhere, Markham foresees that SOX will emerge as a foundation for broader governance and risk strategies. “Software implemented for SOX compliance will be used for broader governance and risk management frameworks, and also for certain regulatory compliance requirements beyond SOX,” he says. “Beyond the scope of internal controls, the expanded COSO framework, COSO ERM, can be used for enterprise risk management programs. In addition, IT governance will be managed using frameworks, such as COBIT.”
Ultimately, however, he foresees that SOX will move from an event to an ongoing program within companies. “The notion of SOX compliance as a journey is overused, but it is clear that SOX compliance is progressing in stages,” he concludes. “As companies achieve better levels of standardization of processes, controls and systems, they will be in a better position to move toward controls automation and optimization.”