How the Right Software Can Help Your Company Comply

Kyle Didier, vice president of finance at Regis Corp., the world’s largest operator of hair salonsu00e2u20ac”it has almost 10,000 of themu00e2u20ac”is placing a lot of faith in his company’s newest software system. So, by extension, is his boss, CFO Randy Pearce. You can count Paul Finkelstein, president and CEO of Regis, in that group too. The Certainty software Didier has purchased from Movaris Corp. is designed to help his company comply with Section 404 of the Sarbanes-Oxley Act. Didier estimates that Regis will spend $200,000 to $300,000 to install the software. That’s a relative bargain; companies with more complex operations are spending well over $1 million.

Section 404 requires public companies to include formal assessments of their internal financial controls in their annual reports, along with attestations by the external auditors as to the effectiveness of those controls. CEOs and CFOs have to sign off on the control systems as well.

Most companies must fulfill the new requirements in their annual reports for fiscal years ending on or after November 15, 2004. As the deadline draws near, the pressure is on to find software that will facilitate this potentially massive undertaking. Practically every accounting firm, law firm, and professional-services firm of any size is pushing a solution. John Hagerty, an analyst at Boston-based AMR Research, estimates that U.S. companies will spend about $1 billion this year on technology designed to help them comply with Sarbanes-Oxley rules. That’s almost 25% of Sarbanes-Oxley’s entire cost to business.

But big bucks don’t guarantee results. While some analysts estimate that more than 100 products are being offered, Hagerty counts just over a dozen that truly address the detailed requirements of Section 404, the part of the law that most readily lends itself to an automated solution. These, he says, can be divided into two subgroups: products aimed primarily at helping companies comply with Section 404, and products that seek to facilitate 404 compliance while adding broader applications to assist companies with other aspects of their business.

The earliest 404 programs came from the Big Four accounting firms, responding to demand from clients when no off-the-shelf products were available. The packages were largely based on programs that the accounting firms were already using in their audit work, and some lacked the flexibility or scalability Section 404 compliance requires, especially for complex companies with far-flung operations and multiple information-technology systems. Since then a variety of independent software concerns have come up with solutions, many of them newer generations of programs originally designed to help companies manage other aspects of their business. Some of the new packages are based on document- and content-management platforms, for example, while others are extensions of ERP (enterprise resource planning) systems from companies like Oracle and SAP Systems Integration.

Two of the Big Four have since formed partnerships with other outfits to come up with additional programs aimed more directly at Sarbanes-Oxley’s requirements. KPMG has teamed with IBM, and Ernst & Young with Paisley Consulting. Deloitte & Touche and PricewaterhouseCoopers continue to offer their own programs but will also work with clients that want to bring in software made by others.

Deloitte & Touche partner Lee Dittmar expects independent companies to win an increasing share of the market. “We’re not in the software business,” he explains. “Our long-term vision is that when there are other options available that are effective and efficient and supported, a lot of companies will migrate to those solutions. And we’ll help them do it.”

The software packages available today mostly focus on Section 404 and Sarbanes-Oxley’s related Section 302, which requires certification of financial reports by a company’s CEO and CFO. Section 301, which says that companies must set up systems enabling employee whistleblowers who want to remain anonymous to report suspicions of fraud or other scurrilous behavior, calls for additional software. Companies offering such programs include SAP of Germany and Ethicspoint of Portland, Oregon.

Before long companies may be able to buy software that does much more. LRN, a consulting firm in Los Angeles, says it is working with a number of Fortune 500 clients, including Dow Chemical, to develop what it promises will be a comprehensive Sarbanes-Oxley programu00e2u20ac”one that addresses not only Sections 301, 302, and 404 but also Section 409, which requires real-time disclosure of the financial data. According to Anthony Miller, LRN’s vice president of strategy, product marketing, and professional services, pilot installations of the product are scheduled to begin in June.

Many of the first companies to try the 404 software that’s now being sold have found compliance more complex, time-consuming, and expensive than they expected. In a survey of more than 70 businesses by AMR Research last year, two-thirds of the respondents said the scope of their Section 404 compliance activities had expanded beyond what they’d originally foreseen; none reported that the process was getting easier. “Auditors have always relied on a company’s internal controls, but their expectations today are much greater than they were in the past,” says Regis Corp.’s Kyle Didier. “Today you have to prove every key control is out there functioning as it should, and if it’s not, what mitigating controls you have in place to make the auditors comfortable that your financial statements are accurate.”

Credit not just Sarbanes-Oxley but also the weight of public opinion. “No external auditor wants to take the starring role in Enron 2,” says Glenn Davis, director of corporate governance services at Cohn Consulting Group in Parsippany, New Jersey. “So they are being very conservative in their approach and are generally insisting on extensive and comprehensive coverage by management.”

While software can help large, complex companies get a handle on their financial controls (see the box below), it also makes sense for smaller businesses that don’t have the manpower to segregate duties the way sizable companies do and auditors recommend. At a large organization, for example, it wouldn’t be appropriate for the same person who purchases goods and services to confirm receipt of those goods and services as well, nor for a second person to pay the resulting invoices too. This sort of overlap in responsibilities happens all the time at small outfits. Fortunately, the Public Company Accounting Oversight Board, which supervises auditing firms, has recognized that and suggested a workaround: The president or another senior manager may be able to provide the control required. The CFO, for instance, might sign all checks and review all bank statements and reconciliations to mitigate a lack of segregated duties in the cash area. Smaller public companies need effective accounting systems, “and most will benefit greatly from modest investments in information technology,” says the oversight board, which is inviting comment on these suggestions.

While some companies are addressing the Section 404 challenge without investing in new IT systems (see “Doing Without: Zebra Technologies Won’t Change Its Stripes” on page 56), Kyle Didier grabbed the opportunity to bring technology to bear at Regis, which employs more than 49,000 people in North America and Europe. “We didn’t really want to use three-ring binders and have volumes and volumes that captured and stored all of our testing documentation,” he says. “We felt software was the legitimate long-term solution.”

Regis’s relatively small outlay makes it easier for the company to contemplate a return on its investment. Others might not be so lucky, but they may have little choice. In a world where investors and regulators insist more than ever on clean financial reporting, complying with Section 404 is not just a cost. It’s the law.

What Compliance Software Canu00e2u20ac”And Cannotu00e2u20ac”Do

Before software can help meet Sarbanes-Oxley compliance requirements, it needs a lot of basic information about the company that’s using it. This includes a rundown of the internal controls that are in place, the identities of the employees responsible for each control, and the processes that make up those controls. The data can be entered manually by the client or imported from other software the client is already using. Once that grunt work is done, it’s time to document that the controls the company has imposed are in fact being followed. This is the real challenge at big companies, since it involves numerous transactions by numerous employees, often at dozens or hundreds of locations.

It’s here that a computer program earns its keep. The Certainty software, for instance, begins the process by sending e-mail notices to employees when their reports are due. Suppose, for example, that Bob G. is in charge of the quarterly inventory reconciliation at his employer’s Toledo, Ohio, plant. At the end of the quarter Certainty e-mails Bob, telling him that the inventory reconciliation form is due, and provides a link to a form that he can fill out and return electronically to the Certainty siteu00e2u20ac”just as, in the past, he might have sent in his numbers on paper.

Alternatively, Bob can attach a reconciliation form generated in, say, an Excel spreadsheet and, with another click, route the data back to headquarters electronically. Certainty will store it, and it will be readily accessible to management as well as the internal and external auditors. Should Bob forget to file his report, Certainty will send him an e-mail reminder, and if that doesn’t do the trick, it will e-mail successive notices up the chain of command until he responds.

Meanwhile, if the company’s inventory-management system indicates that the Toledo plant should have 1,000 parts on hand but the physical inventory count produces only 800, Certainty will generate an exception report so managers can either address the disparity or review the control itself to see whether it needs to be modified.

Certainty provides a dashboard tool that can show managers at a glance which controls have been completed and lets them drill down and review control activities in further detail as needed. Auditors can do the same. “A lot of companies have great policies and procedures, but there’s no proof that they’re being adhered to,” says Kurt Garbe, president and CEO of Movaris Corp., which sells the Certainty software. “That’s what a product like ours can provide: an auditable trail of actions driven by your policies and procedures.”

By creating a centralized system that a company’s external auditors can use to review control procedures and their results, this sort of software could, or at least should, reduce the amount of time it takes to complete that tasku00e2u20ac”and thereby help hold down costs. By providing companies with a way to identify and plug gaps in their control systems, it can also lead to more effective controls, which should result in fewer surprises.

No software is a panacea. “If someone wants to misstate numbers, software can only check against the data that’s available,” warns Craig Schiff, founder and CEO of BPM Partners, a consulting firm in Stamford, Connecticut. “If you’ve defined rules and parameters for what’s a reasonable number to enter on this line, it can validate that. But it can’t prevent willful abuse.”

Five Questions Directors Should Ask

Board members looking at an expenditure on Sarbanes-Oxley compliance software won’t be expected to understand all the nitty-gritty technical details of how the software works. Still, they can make sure the company gets a product that meets its needs. Here are five questions that consultants advise directors to ask a CFO or CIO who wants them to sign off on something that could cost into the millions.

1.Will this solution allow us to meet our first-year filing requirements?

“Make sure nothing that’s being proposed will put your first-year certification at risk,” says Lee Dittmar, a Philadelphia-based partner with Big Four accounting firm Deloitte & Touche. “Make sure that the product is proven. You don’t want any development-type project when you’re involved in a bet-the-farm proposition.”

2. How will this software help the board get the information it needs to provide adequate oversight?

Is the information the software will give you something that you can’t get in other ways? Says Craig Schiff, founder and CEO of the consulting firm BPM Partners: “Some companies already have good IT systems in place and have been buying business performance-management software even before it was called that. Don’t buy software whose capabilities overlap those of programs you already have.”

3. Will we be able to jump to a better software package if one comes along?

“Make sure you buy a program that has a short-term focus for immediate purposes but that can also be adapted to more effective systems over the next five years,” says Anthony Miller, vice president of strategy, product marketing, and professional services at LRN, a Los Angeles consulting firm that is developing comprehensive compliance software.

4. What benefits will the software provide beyond compliance with Sarbanes-Oxley?

“Expenditures of this magnitude can seem hefty if they’re just for compliance,” notes Schiff. He says his company’s system will not only help with Sarbanes-Oxley compliance but be of use in running the rest of a business more efficiently too. Producers of similar software make the same claim, arguing that this helps justify the capital expenditure.

5. Is the company we’re choosing going to improve the product down the line?

Ask about the manufacturer’s long-term development plans and the improvements it has on the horizon, advises Rocco Tarasi, national director of the consulting firm Resources Connection Inc., which is based in Costa Mesa, California. “This will allow you to evaluate what weaknesses might exist in the product today,” says Tarasi, who works out of his company’s Pittsburgh office. “And while you’re at it, ask if you have to pay extra for those anticipated improvements or if they’re included in the price of your support and maintenance package.”

Doing Without: Zebra Technologies Won’t Change Its Stripes

Todd Naughton knows there are plenty of software packages on the market to help him comply with the Sarbanes-Oxley requirements for documenting and testing his company’s internal financial controls. But he isn’t ready to buy just yet.

“We’ve taken a very contrarian view on this,” says Naughton, vice president and controller of Zebra Technologies, a manufacturer of bar-code printers and related products in Vernon Hills, Illinois. “We’re putting a lot of effort into understanding our controls, but we’re not buying software.”

Naughton’s resistance may seem odd, given his company’s technology-oriented business. But there’s a reason for it: Zebra has already invested heavily in other IT systems. These include business performance-management software from Hyperion that allows managers to collect data about the company’s performance and then slice and dice them to understand trends, identify potential problems, ferret out the details behind those trends and problems, and make prompt disclosure of material findings. “If I didn’t have those tools, I’d be scrambling to get them,” Naughton says. He adds that Zebra is helped by a strong internal audit team, by already good management, and, not least, by a corporate culture that values playing by the rules.

It was around March of last year when Naughton first began to consider the purchase of software to ease compliance with Sarbanes-Oxley’s internal-controls requirements. He says he soon became concerned that manufacturers and consultants were advocating an “over the top” approach of documenting every one of Zebra’s controls and business processes, regardless of their potential impact on the bottom line. He was also worried about being able to vet competing software packages in time to use the winner for the company’s 2003 annual report.

The Securities and Exchange Commission would later push the internal-controls compliance deadline to the annual reports for fiscal years ending on or after November 15 of this year. Still, Naughton was already leery of a quick software fix. Instead, he gathered about eight colleagues who understood the company’s internal controls and spent a week with them, working through Zebra’s financial statement line by line to identify material risks and the controls in place to mitigate those risks. “We did it all in Microsoft Excel, and by the end of the week we had a really good document,” he reports. “It wasn’t as detailed as what some of the professional-services firms were saying we had to have, but it’s good, and our auditors said it’s okay too. So now we’re off testing things instead of still picking software.”

Naughton says that once the software for Sarbanes-Oxley compliance becomes more mature, it’s entirely possible that he’ll buy something. In the meantime, he’s convinced that his approach was right for Zebra.