
The Impact of Sarbanes-Oxley on Enterprise Applications


By Prashanth Boccasam, President and CEO, Approva

The Sarbanes-Oxley Act represents one of the most far-reaching changes in U.S. securities law since the Great Depression. Its implementation and enforcement take place in a technological environment that has changed in ways unimaginable even a few decades ago. Enterprise Resource Planning (ERP) systems, and enterprise application systems in general, have automated manual processes spanning individual departments, locations, even whole companies. And while the automation of these systems has increased employee productivity and enabled far-reaching strategic initiatives, the process has resulted in intricate systems that can be difficult to control, monitor, and audit.

It's a dilemma of near heroic proportions. At the same time systems have become more complex and harder to control, the demands for insight and assurance have never been greater, nor the consequences of failure higher. You're expected to be able to answer the question of whether your company is in compliance with Sarbanes-Oxley; but given the technological environment, the more challenging question may well be "how would you know?"

Enterprise Applications and the Sarbanes-Oxley Act
Because enterprise applications have become such a fundamental component of business processes, they now embody many of the controls managers use to mitigate risk and assure operations proceed according to expectations. Given Sarbanes-Oxley's extensive focus on the adequacy and enforcement of controls, it's become impossible to consider one without the other.

Four sections of the Sarbanes-Oxley Act hold particular relevance for compliance managers concerned with the impact of the act on enterprise applications. They are:

• Section 302: Certification of Internal Controls
• Section 906: Certification of Financial Statement Accuracy
• Section 404: Management Assessment of Internal Controls
• Section 409: "Real-Time" Disclosures of Material Events

The provisions of Sections 302 and 906 have already been implemented; CEOs and CFOs subject to these certification requirements who have not implemented adequate controls management programs do so at some corporate and personal risk. Although the implementation timetable has recently been relaxed, the bulk of managers are now grappling with the mandates of Section 404 of the act, while Section 409's reporting requirements remain in the future. Each section affects controls management in enterprise applications in distinct ways.

Section 302: Certification of Internal Controls
Requires the CEO and CFO to:
• Establish and maintain internal controls.
• Design internal controls to ensure material information is made known during that reporting period.
• Report whether or not there were significant changes in, or factors affecting, internal controls, and report corrective actions for significant deficiencies and material weaknesses.

Section 302 puts the CEO and the CFO "on the record" as certifying both the content of their financial filings, and that appropriate internal controls are in place. Many executives fear problems discovered and disclosed subsequent to their initial Section 302 certification will raise questions regarding their visibility into their own businesses, their credibility, or both. So before signing the Section 302 certification, executives are asking managers "how do we really know our internal controls are appropriate for our business, and are operating correctly?"

The question speaks to one of the fundamental requirements, and challenges, of complying with Sarbanes-Oxley: collaboration. Given that so many business controls are expressed and managed in the context of complex, distributed ERP systems, achieving compliance with Section 302 certifications requires the close cooperation of at least three groups:
• IT Managers and Application Security Specialists, who possess the hard-won knowledge of the complex codes and programs that define and enforce controls within the applications.
• Line of Business and Financial Managers, who operate at the front lines of the business and have the experience and knowledge needed to define relevant risks, and the controls required to mitigate the exposure.
• Senior Management, with final responsibility for certifying the existence and adequacy of, and ongoing changes to, internal controls.

The inability of these individuals to collaborate and share information poses a direct impediment to achieving Sarbanes-Oxley compliance. Without the ability to understand how controls are implemented in systems, senior managers must fall back on blind faith in making their certifications, contravening both the spirit and letter of the law. With this requirement for information sharing, it's no wonder that nearly 90% of organizations have elected to establish cross-functional Sarbanes-Oxley compliance teams, according to AMR Research studies.

The need for collaboration also fuels a potential requirement for managers investigating Enterprise Controls Management solutions. It's crucial these solutions be able to provide visibility into ERP system controls in a way that's meaningful to all participants in the process: business rules and "Plain English" statements for managers, as well as the often arcane application codes and configuration settings for security specialists and more technically inclined IT staff. This translation capability provides a common basis of understanding that enables managers to confidently certify the existence of the controls they believe are appropriate.

Section 906: Certification of Financial Statement Accuracy
Requires a company's periodic reports containing financial statements be accompanied by a two-item CEO and CFO certification indicating:
• The report fully complies with the Exchange Act.
• The information contained in the periodic report fairly presents, in all material respects, the issuer's financial condition and results of operations.

Section 906 overlaps Section 302 in some respects, although there is at least one significant distinction: specific criminal penalties for failure to comply. Senior executives running afoul of Section 906's provisions face a fine of up to $5 million and 20 years in prison. With stakes like these, any competent executive will require some means of independent verification in order to have any degree of confidence they are truthfully certifying their periodic reports fairly present the corporation's financial condition and operational results.

The key question faced by compliance managers addressing Section 906 requirements must be what processes exist to assure reports fairly represent the underlying information maintained by enterprise applications. The answer will encompass the whole of the Enterprise Controls Management process. Critical success factors for consideration by compliance managers include:
• Are control assessments comprehensive?
• Is reporting timely?
• Does the management process scale to support business processes spanning multiple applications and organizations?

Managers understandably focused on headlines reporting blatant fraud and malfeasance frequently overlook an important point regarding certifications. The reality of compliance management is that it's about more than spotting "bad people doing bad things." One of the fundamental purposes of Sarbanes-Oxley was to ensure investor confidence, not only in the honesty of corporate employees, but also in the efficient and effective operation of the corporation. While we all presume we've hired honest employees, there are many critical business problems that can exist in even the most ethical of companies. Effective Enterprise Controls Management must be capable of identifying inappropriate, ineffective, or inefficient controls that pose a risk to results if complete compliance with the act is to be attained.

Section 404: Management Assessment of Internal Controls
Requires companies to:
• Provide in each annual report an internal control report assessing the effectiveness of their internal control structure and procedures.
• Obtain an attestation of and report on the management assessment by the public accounting firm that prepares the audit report.
• Provide reasonable assurance of asset protection from unauthorized acquisition, use, or disposition that would have a material effect on financial statements.

Section 404 is effectively a case of "checks and balances." Not only are the CEO and the CFO required to certify the presence and effectiveness of adequate internal business controls, but the external auditor must also attest to the validity of the management assertions. Given continuing trends, and the prosecutorial zeal of various attorneys general, be assured that no audit firm will take this attestation lightly. This puts tremendous pressure on executives to prove, to themselves, their auditors and the marketplace, that adequate internal controls are in place and enforced.

Experience in the field with large audit firms and public companies, and the statements of the Public Company Accounting Oversight Board (PCAOB), lead to the inevitable conclusion that much more demanding audits are on tap for companies. In the past, auditors generally have conducted three standard types of audits:
• High Level: audit of financial statement results only.
• Moderate Level: audit of financial statement results, with random sampling and tests of internal ERP controls.
• Detailed: audit of financial statement results, combined with a full test of internal controls. Also known as an integrated audit, this option is the most complete and most costly, and carries the lowest audit risk.

Prior to Sarbanes-Oxley, auditors chose the type of audit based on the degree of risk they believed the client posed. The choice was generally subjective and based on the relationship and level of comfort the audit firm had with the management team. A well-known company enjoying a long-standing relationship with the auditor might only be subjected to a high or moderate level examination. A less reputable firm, or one known to be troubled, could expect the more rigorous integrated audit.

Sarbanes-Oxley requires independent auditors to review how a company arrived at its financial results, as well as what controls are in place to ensure the results are accurate. That requirement has reduced auditors' discretion. The assessments required by Sarbanes-Oxley include a review of a company's controls within its ERP systems, including analysis of segregation of duties violations and access to sensitive transactions. Achieving that level of clarity and certainty, and satisfying the requirements of Section 404, will almost certainly require a detailed audit.

Another factor contributing to greater scrutiny of ERP system controls is the PCAOB's classification of "inadequate segregation of duties over certain information system access controls" as a Significant Deficiency. They have also indicated that inadequate segregation of duties controls in conjunction with other significant deficiencies could lead to the definition of a Material Weakness. This attention to segregation of duties conflicts within ERP systems will drive compliance managers to prove they've established the needed controls. The absence of such proof will, without doubt, lead to an increased level of scrutiny, subjecting companies to more costs and greater disruption.

Section 409: "Real-Time" Disclosures of Material Events
Requires companies to publicly disclose:
• On a "rapid and current basis additional information concerning material changes in its financial condition or operations necessary or useful for the protection of investors and in the public interest."

The lack of an articulated deadline for compliance, and the level of effort required to satisfy Section 404, has led many compliance managers to defer attention to the requirements of Section 409. Only about one-fifth of organizations have an operational solution in place, according to AMR Research analysts. The relative lack of attention the section has received means it represents a potential time bomb for managers. The phrase "rapid and current basis" has been interpreted to mean disclosures must occur within 48 hours. This is an enormous challenge, given the complexity and scale of the enterprise applications supporting the business operations of most companies. The timetable associated with making an announcement in such a short period implies an organization must be in a position to automatically detect a material event almost immediately following its occurrence.

The disclosure of material changes in the financial condition or operations of a corporation will include a focus on financial fraud, operational or business process problems, and reporting irregularities. The requirement for rapid disclosure should encourage corporations to implement a means of gaining continuous, real time, visibility into the enterprise applications that provide the basis of their financial, operational and reporting systems.

Compliance through Continuous Visibility
As organizations have begun to grapple with the issue of Sarbanes-Oxley compliance, a few truths have emerged. First, it's clear Sarbanes-Oxley compliance shouldn't be viewed as a one-off accomplishment; ongoing SEC and exchange filings mean Sarbanes-Oxley compliance has no "end date." More importantly, smart managers have begun to ask more of their SOX compliance programs than an auditor's report. These forward-looking business leaders view Sarbanes-Oxley as an opportunity to learn more about their systems, and as a vehicle to enhance business process efficiency. For them, Sarbanes-Oxley serves as a strategic driver fostering an overall Enterprise Controls Management strategy for their organizations.

In order to report on, and attest to, the effectiveness of internal controls, managers and auditors have learned they must be better informed than ever before. Not only must controls be put in place, their effectiveness must be monitored continuously. Given the complexity and scale of today's enterprise applications, supporting thousands of users and innumerable transactions, only an automated system will provide the continuous visibility required to assure compliance.

But compliance managers shouldn't stop at visibility; it's really only the first step in establishing an overall Enterprise Controls Management strategy for enterprise applications. The ability to proactively notify managers of exceptions will speed response and mitigation efforts, while forming a foundation for Section 409 disclosures. Even better are testing and simulation capabilities that will examine proposed changes to controls, in the context of specific ERP systems and existing controls, to identify and prevent segregation of duties conflicts or other control failures before they ever take place.
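The segregation-of-duties analysis described under Section 404, and the change simulation described just above, reduced to working code. This is an added example, not code from the article or from Approva; the role names, transaction codes, SoD rules and users are constructed and illustrative, not any vendor's real identifiers.

```python
# Added example (not the article's or Approva's code): a segregation-of-duties
# scan over constructed ERP role data, plus a preview of a proposed role grant.

# Roles mapped to the transactions they grant (constructed, illustrative names).
ROLE_TRANSACTIONS = {
    "AP_CLERK":      {"VENDOR_CREATE", "INVOICE_ENTER"},
    "AP_SUPERVISOR": {"INVOICE_APPROVE", "PAYMENT_RELEASE"},
    "GL_ACCOUNTANT": {"JOURNAL_POST"},
    "VIEWER":        {"REPORT_VIEW"},
}

# SoD rules: transaction pairs one person must never be able to execute together.
SOD_RULES = {
    "SOD-01 vendor master vs payment": ("VENDOR_CREATE", "PAYMENT_RELEASE"),
    "SOD-02 invoice entry vs approval": ("INVOICE_ENTER", "INVOICE_APPROVE"),
}

# Current user-to-role assignments (constructed; dave is a deliberate conflict).
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob":   {"AP_SUPERVISOR", "VIEWER"},
    "carol": {"AP_CLERK", "GL_ACCOUNTANT"},
    "dave":  {"AP_CLERK", "AP_SUPERVISOR"},
}

def effective_transactions(roles, role_map=ROLE_TRANSACTIONS):
    """Flatten a user's roles into the set of transactions they can execute."""
    return set().union(*(role_map.get(r, set()) for r in roles))

def violations_for(roles, rules=SOD_RULES):
    """Sorted IDs of the SoD rules this combination of roles violates."""
    txns = effective_transactions(roles)
    return sorted(rid for rid, (a, b) in rules.items() if a in txns and b in txns)

def scan(user_roles=USER_ROLES):
    """Periodic scan: every user holding at least one SoD conflict."""
    return {u: v for u, r in user_roles.items() if (v := violations_for(r))}

def simulate_grant(user, new_role, user_roles=USER_ROLES):
    """Preview a proposed grant: which conflicts would it newly introduce?"""
    current = user_roles.get(user, set())
    before, after = violations_for(current), violations_for(current | {new_role})
    return sorted(set(after) - set(before))

def new_violations(previous_scan, current_scan):
    """Diff two scans so a monitor alerts only on conflicts that just appeared."""
    return {u: sorted(set(v) - set(previous_scan.get(u, [])))
            for u, v in current_scan.items() if set(v) - set(previous_scan.get(u, []))}
```

Run `scan()` on a schedule and feed consecutive results to `new_violations()` for the exception notifications the text describes; run `simulate_grant()` inside the access-request workflow so a conflicting grant is rejected before it is provisioned.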

An automated Enterprise Controls Management solution can deliver these capabilities, and will prove a requirement for assuring compliance with Sarbanes-Oxley. With an understanding of what controls are in place, the tasks individuals have performed, and how applications are configured, compliance managers will no longer be at a loss to understand if they are in compliance with Sarbanes-Oxley.








© 2019 Simplex Knowledge Company. All Rights Reserved.