
Unlock Year Two Compliance:
Automated Continuous Monitoring



By Jerome Klajbor, Executive VP & CFO of IntelliCorp

Year one of Sarbanes-Oxley 404 has been a mad rush to document and validate data, causing both frenzy and opportunity at varying levels for CXOs, legal/regulatory experts, external/internal audit advisors and content management vendors. Unfortunately, as companies get close to completing the initial tasks of documenting processes and initiating long overdue internal controls, they realize they have fallen victim to a shortsighted year one strategy that does not prepare the organization for ongoing compliance and regulatory changes.

It is no surprise that in 2004, S-OX spending is expected to exceed $5 billion. Those responsible for S-OX compliance are being forced to evaluate and determine which technology solutions have the ability to provide true, reliable, continuous monitoring of the data and critical processes within ERP systems. Moreover, they have to assess whether these tools can be used without significant human intervention, and if they can reduce the overall costs of achieving and maintaining compliance.

Key S-OX Challenges for IT and Financial Executives

The shift in thinking towards year two and beyond includes an emphasis on monitoring processes and internal controls, as well as the holistic management of technology and financial systems. The latter requires intense collaboration between IT and Finance, which tends to complicate matters. Both will agree the road to compliance means more than simply adhering to regulations, but prioritization of the remaining challenges is what causes angst in the boardroom.

Forrester Research reported that financial executives considered their greatest challenge to be maintaining shareholder value, placing it ahead of compliance with regulations, reporting accurate financial results and improving corporate performance.

To a CFO, this ranking is understandable. Shareholder value is driven by how the market perceives the company to be operating. Any mention of noncompliance or the need to restate financial results, no matter what the circumstances, will have a negative impact on shareholder value. In addition, noncompliance can result in fines, possible delisting for public companies and civil/criminal penalties.

To a technologist, this ranking is irrelevant. The four challenges are interconnected, and all depend on an effective and efficient IT infrastructure. At the end of the day, it falls on the shoulders of both IT and Finance to demonstrate the company's ability to monitor critical processes and internal controls, and to provide credible data.

Mitigating Cost and Making the Right Technology Decision

Another storm for IT and Finance to weather, brought on by S-OX, is the cost and evaluation of current technology versus the need to invest in or bring in new solutions or resources. Thinking beyond a year one quick fix is essential, especially when assessing the risk involved with noncompliance and recurring maintenance/technology costs. Consider these four criteria when determining the right S-OX technology approach:

  • Robust: Must address complexities associated with ERP systems to extract all pertinent data and associated dependencies.
  • Sustainable: Should mold to any given business and ERP system, as well as incorporate auditing expertise/knowledge (i.e. each implementation is different and ERP systems vary in structure). The capability to expand beyond S-OX requirements is essential.
  • Efficient: Needs to continuously monitor the ERP environment without any impact on system performance.
  • Dynamic: Has to be flexible and adapt to changing business processes critical to continuing compliance, and other factors that drive infrastructure evolution.

A company must also define the goals for selecting a software tool and secure necessary internal buy-in. For example, a company's primary goal might be to minimize the risk of noncompliance, while its secondary goal is to leverage technology that creates efficiencies to reduce overall costs. When considering that a large US organization will typically spend $4.7 million each year to implement requirements associated with S-OX, automating the process may reduce costs of compliance by an estimated 30%. Even with a non-recurring first year investment of $350,000 for a software tool, a return can be achieved within that first year. Additionally, the second year savings will be greater.

The Technical How-To for Continuous Monitoring

As companies continue to work through their S-OX compliance business plans, the need for system monitoring becomes more apparent. Herein lies the inevitable choice between two approaches: continuous or event monitoring. A common mistake coming out of the rush to comply in year one is the selection of event monitoring. In today's business environment, it is not enough to identify problems during a quarterly audit review (event), or even worse, during an annual audit (event). The event monitoring approach is more costly and in most cases results in higher business risk. (Figure 1)

Figure 1: Continuous Monitoring vs. Event Monitoring (Source: IntelliCorp Inc.)

Understanding system architecture and ensuring that key requirements have been designed from the ground-up is essential when selecting any continuous monitoring software solution. Once the business requirements necessary for continuous monitoring of IT controls in support of a repeatable, sustainable and flexible S-OX compliance system have been defined, the technical components of a company's continuous monitoring solution can be established and placed into an automated framework. (Figure 2)

Figure 2: Continuous Monitoring Technical Architecture (Source: IntelliCorp Inc.)

Starting with a strong foundation and gateway for this architecture is critical. The Data Access component must provide complete access to any data item in the system that needs to be monitored, and yet be flexible enough to adapt to changing business requirements, e.g. new legislation, updated regulation specs, changing corporate business models, etc. The data and all subsets must be open and accessible in order for a continuous monitoring solution to be effective.

Enterprise applications typically provide limited data change control. A Snapshot Management component must be present to monitor changes over time to key IT controls, without burdening the ERP data storage subsystem. IT controls fall into three basic categories:

  • Binary on/off control settings.
  • Logical-expression-based dependencies (e.g., if control 1 is on, then control 2 should also be on).
  • Customer policy-value-based controls (e.g., ensure the stated company policy of 5% has been applied to the maximum overpayment of purchase orders).

The next logical building block is the Domain Rule Engine, which provides the means to encapsulate all types of IT control tests within the continuous monitoring solution. It too must be flexible to easily adapt to changing legislation, as well as the unique requirements of the business and IT infrastructure.

Understanding changes in requirements and data over time is not possible without the means to compare snapshots. The Comparison Engine provides the necessary functionality to compare and contrast multiple snapshots, providing must-have information for compliance officers to identify trends and failures. This is an important aspect to a comprehensive technology and management approach. While the Sarbanes-Oxley Act is specific in many areas about which IT controls must be assessed, it is expected that companies will go even further to limit the risk of noncompliance.

In the areas where compliance is not a simple binary result (compliant or noncompliant) it will be necessary to associate a risk factor with the additional rules. The Risk Assessor associates organizational or industry risk factors with various compliance tests to better quantify any noncompliance results.

The need for continuous monitoring is apparent, but it's important to acknowledge that an assessment producing reports on a system's standing provides only a snapshot of historical reference up to that point in time. Therefore, the goal of continuous monitoring is to be as real-time as possible. A Scheduler component allows for the flexibility to define "near real-time," in the context of a specific ERP system.

For business users, the ability to easily take an automated system snapshot is an obvious time-saver. Other ERP management aspects then also become more reliable. For example, a company needs to know when an IT control compliance test has failed. With an Alert Management module, a reliable event notification process (who should receive the information and via what medium: email, pager, fax, voicemail, SMS text, etc.) can be set. Alerts must be configurable, based on the specific compliance test that failed: not everyone has to be notified at 2:00 a.m. that a low-priority test has failed.
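The following is an added illustration, not code from the article or from IntelliCorp, of how the Domain Rule Engine, Comparison Engine, Risk Assessor and Alert Management components described above fit together: rules for each of the three control categories are evaluated against a snapshot, two snapshots are diffed to find controls that drifted from pass to fail, and failures are weighted and routed by priority. All control names and snapshot values are constructed for the example and are not real SAP parameters.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Snapshot = Dict[str, object]

# Constructed sample snapshots of ERP control settings captured at two points
# in time (hypothetical control names, not real SAP R/3 parameters).
SNAPSHOT_T1: Snapshot = {"posting_period_locked": True, "dual_approval": True,
                         "approval_limit_enforced": True,
                         "po_overpay_tolerance_pct": 5.0}
SNAPSHOT_T2: Snapshot = {"posting_period_locked": True, "dual_approval": True,
                         "approval_limit_enforced": False,
                         "po_overpay_tolerance_pct": 7.5}

@dataclass
class Rule:
    name: str
    test: Callable[[Snapshot], bool]  # returns True when the control is compliant
    risk_weight: float                # Risk Assessor factor applied to a failure

# Domain rules, one per control category named in the article.
RULES: List[Rule] = [
    # 1. Binary on/off setting.
    Rule("period_lock_on", lambda s: s["posting_period_locked"] is True, 1.0),
    # 2. Logical dependency: if dual approval is on, limit enforcement must be on.
    Rule("dual_approval_needs_limit",
         lambda s: (not s["dual_approval"]) or bool(s["approval_limit_enforced"]), 2.0),
    # 3. Policy value: the stated 5% maximum PO overpayment tolerance.
    Rule("po_overpay_policy", lambda s: s["po_overpay_tolerance_pct"] <= 5.0, 3.0),
]

def evaluate(snapshot: Snapshot, rules: List[Rule] = RULES) -> Dict[str, bool]:
    """Domain Rule Engine: run every control test against one snapshot."""
    return {r.name: bool(r.test(snapshot)) for r in rules}

def risk_score(results: Dict[str, bool], rules: List[Rule] = RULES) -> float:
    """Risk Assessor: weighted sum of the failed tests (0.0 when all pass)."""
    weight = {r.name: r.risk_weight for r in rules}
    return float(sum(weight[n] for n, ok in results.items() if not ok))

def compare(before: Snapshot, after: Snapshot) -> Tuple[Dict[str, tuple], List[str]]:
    """Comparison Engine: control values that changed, and tests that went pass -> fail."""
    changed = {k: (before.get(k), after.get(k))
               for k in sorted(set(before) | set(after)) if before.get(k) != after.get(k)}
    r1, r2 = evaluate(before), evaluate(after)
    return changed, [n for n in r1 if r1[n] and not r2.get(n, False)]

def alerts(results: Dict[str, bool], rules: List[Rule] = RULES) -> List[Tuple[str, str]]:
    """Alert Management: route by weight so a low-priority failure only emails."""
    weight = {r.name: r.risk_weight for r in rules}
    return [(n, "page" if weight[n] >= 2.0 else "email")
            for n, ok in results.items() if not ok]
```

Running `compare(SNAPSHOT_T1, SNAPSHOT_T2)` reports the two settings that drifted and the two tests they broke, while `alerts(evaluate(SNAPSHOT_T2))` shows both failures routed to the pager because their weights exceed the threshold.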

As the framework continues to develop, companies find that a continuous monitoring solution is a highly effective information repository and the source for accurate reporting. The need for Reporting comes from several sources. For example, the compliance officer will require regular reports covering the compliance status; in turn, compliance officers and company boards will evaluate the data to identify failure trends in order to develop mechanisms for correcting the faults. These reports must be credible, and because they are used by business users (CEOs, CFOs, operations, legal teams, external audit firms, etc.), the system must also have an intuitive user interface. The Presentation layer takes the underlying technology and makes it accessible to a broad audience. It is the continuous monitoring system's front-end.

Year Two and Beyond: The Net/Net

The need to plan beyond achieving year one compliance is evident. Those responsible for compliance must take the time to understand the technology behind the fancy vendor screenshots and be wary of companies that claim to have the "perfect solution," which normally requires their specialized (i.e., expensive) team of many to assist in gaining compliance. A company's ultimate goal should be to automate its continuous monitoring system and compliance process to reduce risk and maintain intellectual property.

It's clear that the wrong continuous monitoring approach won't adequately support organizational requirements. Therefore, be deliverable-focused in the selection of S-OX technology and ensure a forward thinking, comprehensive, automated continuous monitoring approach is implemented to stay ahead of compliance changes.



Jerome F. Klajbor is Executive Vice President & Chief Financial Officer of IntelliCorp where he is responsible for IntelliCorp's overall financial and administrative operations, as well as collaboration with executive staff on setting the strategic goals for the company. IntelliCorp is a provider of system support and management software for organizations using SAP R/3.

Mr. Klajbor joined IntelliCorp as CFO in June 2000. Prior to IntelliCorp, he served as Corporate Vice President & CFO for Stanford Telecommunications and was part of a successful $500 million merger with Newbridge Networks. Mr. Klajbor was previously with Acurex Corporation, as well as the US government.

For more information, please visit www.intellicorp.com.





© 2019 Simplex Knowledge Company. All Rights Reserved.