Surviving Sarbanes-Oxley

Wall Street, Congress, and your CFO, too, soon will demand real-time answers to financial questions, data security guarantees, and insight into intangibles. Can you deliver?

Illustration by
Kurt
Vargo

by John Parkinson and Stewart Bloom
June 2003, Issue 22

From Enron to MCI, extreme accounting practices and poor management judgment have shattered investor confidence. That's why Congress passed the Sarbanes-Oxley Act of 2002, "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws." To survive, publicly traded companies now must re-establish investor confidence. And their CIOs have a new role to play in building and selling technology strategies to support that mandate.

The first attempt at re-establishing investor confidence was the certification of financial statements and disclosure controls and procedures. But investors don't worry only about numbers. A skittish market reacts to hints of fraudulent activity, complex accounting, lack of visibility into the drivers of earnings results and projections, complicated cash-flow reporting, operational and financial surprises, and unknown business risk. The market demands systems that connect diverse data flows and support real-time answers to financial questions.

Some companies are reacting to Sarbanes-Oxley by addressing the minimum requirements, considering only the new mandate to certify their internal processes on the financial reports they file at the end of 2003. But others are considering the broader implications. At a later date not yet set, the law will require the real-time disclosure of any event that might affect performance. Leading companies understand that the law leaves out many details—such as the definition of "real-time disclosure"—and that reacting literally to it today will leave them playing catch-up later. They're taking the opportunity to obtain true value by examining the underlying business issues that may be undermining their financial reporting.

10 Deadly Deeds

In a Sarbox world, beware of these errors in financial record keeping:

Records-management policy isn't linked to regulatory requirements

Retention schedule is no longer reflective of the law departments

Formal policies are nonexistent or inconsistent across departments.

Records management covers paper records only.

No one is responsible for administering the program.

Retention periods aren't integrated with document management to purge documents.

Employees are unaware of policy.

There are no tools to authorize deleting documents

There's no audit process to track what's happened.

There's no indexing, so it's impossible to retrieve documents when required.

Since the impact of business risks will have to be communicated quickly, C-level executives are asking: What does real-time disclosure mean? How can I use it to increase shareholder value? Do all of our employees understand how they impact shareholder value? Many CFOs are asking their CIOs if their financial systems can even meet the real and implied integrity, credibility, and transparency requirements that Sarbox has defined.

Smart CIOs can make their CFOs' lives easier by suggesting three things: centralization strategies, simplification proposals, and standardization efforts. This may well be an opportunity to regain some control over business units that buy "best of breed" even if it's "most expensive to own." Perhaps you can use compliance as a selling point to standardize customer-numbering schemes, or SKUs, or HR rules. Maybe this time you can get that data harmonization and reconciliation project to really work.

True business value comes from strengthening finance, accounting, and performance-management processes. The goal of Sarbanes-Oxley is to force companies to think about their response to internal and external pressures, and to provide checks and balances on that response. If business processes and disclosure practices are designed around these end goals, compliance will come naturally.

Let's consider some of the external pressures versus internal realities:

Business risk: Complying with Sarbox will force companies to provide real-time disclosure of significant changes in risk. More than ever, CFOs must be extremely well-informed and connected to the rest of the executive suite. But many companies' management systems can't monitor changing exposures in real time. Their internal reporting systems are incompatible, and the links between them are brittle. Growing data sources produced by transaction systems are often distributed across the company, built on different data models, with no enterprisewide data architecture to facilitate strategic decision making.

Historically, companies have been reluctant to invest in the integration that would make such analysis and reporting easy, though the capability to do so has been available for several years. Sarbox puts a December deadline on that hesitation. CFOs and CIOs need to be talking about the fastest and most cost-effective ways to add the necessary tools and integration layers to their financial systems.

Best practices in this area include having an enterprise data architecture and a strategy for using business intelligence to reduce the cost of compliance and increase market competitiveness.

Reporting and forecasting: More than ever, earnings surprises can hurt the value of your stock. The need for forecast accuracy is pushing demand for more timely and accurate information. Unfortunately, financial reporting and summarization tools often aren't connected to transactional systems, and the manual intervention used to make the connections work causes errors or misinterpretations. CFOs need their CIOs' vision to help develop systems that can collect and organize better information faster, with the goal of providing true visibility into the operational drivers of share price and the unexpected events that impact valuation. The details of the relationship between raw transactional data and the summarized or restructured data used for analytics and reporting are critically important. But the technology of business intelligence and business analytics is changing rapidly, and even the best tools provide unreliable results if they're fed the wrong data.

While industry spent billions of dollars on ERP systems to provide a 360-degree view of business operations, many were implemented hastily as a way to consolidate disconnected systems in distributed or newly acquired business units. The rush to beat the Y2K deadline also pushed many IT departments to skip the crucial steps of true business-process re-engineering and the development of architectures to improve reporting and forecasting. Many companies still fall short in connecting front-, middle-, and back-office processes, relying on manual processes and complex points of application integration to match customer orders, credit reports, bills of materials, warehouse pick lists, and invoices.

The self-service arena needs attention, too, to balance the need for speed in gaining access to accurate information with security and identity management. Memos requesting reports from the data-processing department or a couple of IT staffers in charge of manually converting financial information into HTML for publishing on the Web will no longer suffice. Fast companies have digital content-management strategies, and provide reports and sophisticated analytic tools to employees via the corporate portal.

Best practices link the corporate portal to the HR system and use single sign-on technology to determine exactly who users are, what department they're with, and what content they can access.

Market valuations: The intent of Sarbox is to push companies to account for brand reputation, customer satisfaction, and workforce quality. Most companies can't measure such intangibles—though institutional investors own 70% of most corporate equities, and up to a third of the confidence of these institutional investors is based on nonfinancial criteria. Research shows that 80% of corporate executives cite nine intangibles among the 10 top value drivers in their business units.

Technology has an important role to play in contributing to intangible value and enabling investor confidence. A high percentage of large companies have sophisticated IT capabilities; a mortgage lender may use technology to automate and validate property valuation, while a transcontinental logistics handler may use it to predict reroutes and delays. Yet they don't treat those capabilities as strategic assets, let alone as sources of revenue.

Balanced-scorecard approaches can help build measurement dimensions to address nonfinancial performance, but it takes time to calibrate each metric. It also takes thought and analysis to determine what any particular change in a metric actually will mean in terms of business performance. Does a decline in patent grants mean a loss of R&D effectiveness or a welcome focus on fewer, higher-yielding areas? Making these measures meaningful requires intelligent interpretation and quantitative support for conclusions—and a new set of "corporate memories" that capture the context. Companies must discover new external and internal factors to illuminate these nonfinancial performance dimensions, and the CIO has an opportunity and a responsibility to help in that effort.

While having that conversation, consider that it's also important to leverage technology to establish a communication and collaboration platform with investors. The online experience, for example, has almost as much to do with investor perception as with the financial information itself. C-level executives should pay close attention to how they communicate with all external stakeholders. They should ask themselves: When someone clicks on our Web site to ask for financial information, do we meet their expectations? Does the ease of use and visual architecture of the investor-relations section promote a sense of professionalism and an image of a well-run business? Does our online branding communicate that we get the concept of using technology for competitive gain?

Best practices here include a comprehensive strategy for online marketing and technology-enabled collaboration.

Compliance: All the previously mentioned challenges and changes must be addressed to ensure that no matter what changes are made to Sarbox, your company will have the information it needs on a comprehensive, contextually valid, near-real-time basis to report, explain, and communicate to all audiences.

Technology plays a significant role in such compliance for many reasons. Obviously, all business functions today are dependent on systems, software, and networks to execute. Clearly, the excuse, "I can't sign off on the financials because the system is down" won't play well on Wall Street or in court. But even more relevant are the risks that technology introduces into the reporting process.

With gigabytes of sensitive information being broken into bits, transformed into electrons, and streamed through strands of glass, businesses take on new responsibilities and liabilities for protecting customer information, privacy, and the associated regulatory compliance. State by state, we're seeing new levels of regulation in this area, and we're just now beginning to see the leading edge of what will likely be substantial penalties for not keeping systems secure.

Best practices are to treat the technology infrastructure as a strategic asset, and to have a comprehensive security and business-continuity strategy. Preventive security measures, intrusion detection, and identity management are part of their operating plans. Information technology, driven by the business issues the CFO and CIO face, is viewed not as a necessary expense, but as a requirement to play.

Here's an example of how complex this issue can be:

Company X is in a volume business. Based on its summarized historic financial data and carefully developed forecasts, the CFO is confident the company will meet earnings expectations. He doesn't know, though, that one of the larger business units has achieved its results through a one-time price break made affordable by a new supplier agreement. Finding this information would require his drilling down to the transactional level in that business unit, additional analysis of contract terms, and moderately sophisticated period-over-period instrumentation that would show an otherwise unexpected change in cost of goods sold. The price break offsets an anticipated increase in unit cost as a result of a manufacturing volume/sales trend that's expected to decline 10% next quarter. Here again, the underlying trends are invisible in the summarized data, and there's no integrated system to provide the CFO with the line of sight into the business unit's actual results and forecasted volumes. The business-unit management, meanwhile, lacks an understanding of the impact of these items on share price and, therefore, doesn't clearly communicate these important factors to the CFO.

Sarbanes-Oxley 101

Need to know more? Here's a reading list to get you started.

Details: Securities and Exchange Commission: www.sec.gov/rules/final/33-8177.htm

Dedicated site: www.sarbanes-oxley.com

Information, insights and FAQs:

"Five Things IT Needs To Know About Sarbanes-Oxley Compliance," AMR
Research www.amrresearch.com/content/
view.asp?pmillid=129151&docid=10387
Association for Information Management Professionals:
www. arma.org/legislative/sarbanes_oxley.cfm
Financial Managers Society:
www.fmsinc.org/cms?pid=3253
The N.Y. State Society of CPAs:
www.nysscpa.org/oxleyact2002.htm
Pricewaterhouse Coopers Barometer Survey:
www.barometersurveys.com

So the CFO reports in his quarterly presentation that performance is as projected and the company is on pace to meet the year's earnings forecast. At the end of the next quarter, though, the business unit is still operating at 10% lower volume, while supplier prices go back to their original levels. Suddenly, the financial results appear to have fallen. The CFO has to explain not only why this happened—which isn't so hard—but also why he didn't know about it a quarter earlier—which is hard.

The lesson in this example, of course, is that the enhanced disclosure requirements of Sarbox will force companies to deal with the accountability, process-management, and information-system issues they've been putting off. CFOs who look to move beyond merely complying, and CIOs who help provide a vision of technology that improves the bottom line rather than just explains it, will deliver significant, immediate benefits to their companies. The first step is a plan that incrementally improves investor confidence, internal and external communications, and training on the new business environment.

It's also a good time to consider prioritizing finance initiatives, especially around improved analytics and information integration. These will improve your understanding of the drivers of share price, your business decision making, and your communications to Wall Street. You'll have fewer financial surprises and improved risk management if you connect finance's analytic capabilities with business operations' need to rapidly and accurately assess the impact of surprises in the marketplace.

Still not convinced that Sarbanes-Oxley is a call to CIO action? Consider this: It may be financial legislation, but it's designed to ensure that the creation and documentation of financial statements is tracked by internal controls. As C-level executives, CIOs can be held responsible for inaccurate data. Although you may not be making the types of decisions whose ethics may be questioned, you are creating systems whose data is relied upon to make those decisions. If the systems generate inaccurate data, the onus could be on you. You must start thinking about the controls your company and your IT systems need to account for data cleanliness, to track and control processes, and to generate real-time outputs. Sarbanes-Oxley is about to make all of those things a bigger part of the CIO's job.

John Parkinson is chief technology officer and Stewart Bloom is vice president of technology services for the Americas at Cap Gemini Ernst & Young.

The 90-Day Plan
Think of Sarbanes-Oxley as the catalyst we all need to finally get our reporting, analysis, and decision-support systems where they should be. Keep in mind that the long-term mission is to evolve this effort into an effective enterprise performance-management capability. Here's a plan to get you started:

First month: Increase the urgency

Obtain agreement from the executive team to conduct a "current state" corporate-accountability review. Have some anecdotal but credible evidence that everything isn't perfect and that you'll need to do better. Define the organization and process scope of the review. Focus on areas that need immediate attention and offer significant possible rewards. Do these first and use the experience to help fix other areas later.

Interview representatives throughout the company to get an accurate account of the nonfinancials that impact your business. Existing literature offers good ideas on where to start. Gather financial documentation; look for areas that are weak, out of date, or lacking in rich analytics.

Examine data-handling processes for potential problem areas that could impede real-time transparency—areas where extensive manual recoding or reconciliation is required or where only highly summarized information is available without effective links back to the original transactions. Look for prototype opportunities among the financial-reporting systems that are deemed most trustworthy and timely. If some things are working well, ask why everything isn't working as well as those examples of best practices.

Launch a communications campaign to get everyone thinking about what needs to be done.

Second month: Begin prototyping

Interview key process owners to see what they use—and need but don't have—to make the decisions that affect operational performance. Use the interview process to sustain the "this is for real" message.

Complete the current-state analysis and realistically assess the priorities for immediate action, the risks of not taking action, and the costs. Be sure to keep the rest of the executive team in the loop.

Work with the CFO to build a prototype reporting process on a manageable scale to see the unexpected consequences of literal versus "above and beyond" Sarbanes-Oxley compliance. Using the prototype, assess how fast you can bring the area under review into compliance.

Draw up an improvement plan, including systems work, process change, data cleanup, and training. Consider getting input from external groups with an interest in the outcome. And give the board progress reports.

Third month: Think big

Start thinking about how to scale the prototype out to more processes or business units and "up" into a more thorough analysis. Look at where the company needs continuous rather than periodic reports. If you don't use corporate dashboards, think about what one should look like, who should see it, and what it could be used for.

Keep up the communications and training efforts for line executives and business decision makers, and monitor whether they're really using the tools and information you're making available to them.

Present your findings to the CFO, the executive team, and possibly the board.

Online Sidebar: Questions CIOs Need To Answer
1. How are off-balance-sheet transactions and commitments tracked and reported?

2. Are payments to the external auditing firm monitored through the transactional flags on purchase orders, check requests, or other means within the system?

3. Are rolling forecasts deployed throughout the business (business unit, product line, functional levels)?

4. How many tools are used in the forecasting process? The budgeting process?

5. Do the reporting systems trace back to the general ledgers?

6. Is cash flow from operations and generally accepted accounting principles (GAAP) automatically calculated?

7. Are key measures (drivers of financial results) delivered to operational managers' desktops daily, weekly, monthly?

8. Are tax-reporting systems integrated with the company's consolidation system?

9. Are consolidation and reporting activities performed on spreadsheets?

10. Do transactional reporting systems have agent-based alerts?

11. How are manual entries identified and approved?

12. How much time is spent compiling data and financial statements versus analyzing the data?

13. How many top-level adjustments are made in the consolidation process?

14. Are reporting activities performed on spreadsheets?

15. How often is control documentation updated for new changes to the internal controls (transactional and financial statements)?

16. Are controls in place to ensure that any off-balance-sheet items are properly approved?

17. Do reporting systems flag reserves and other estimated accounts?

18. Have the systems been updated to identify new responsibilities under the Sarbanes-Oxley Act?

19. Are earnings forecasts tied to predictive models?

20. Do you forecast your business on cash-flow drivers?

21. Are variances between the forecast and actual results reviewed and causes identified?

22. How long does it take to develop forecasts? Budgets?

23. Is there a significant difference between financial statements depending on timing, function, or system?

24. Are standard charts of accounts used across the company?

25. How long does it take to get the results of operations?

26. What procedures are in place to detect and prevent fraud?

27. Have you identified high-risk areas where fraud may occur and developed controls to prevent it?

28. Are the following categories of nonfinancial drivers measured: leadership, communication, brand equity, reputation, networks/alliances, technology, human capital, culture, innovation, intellectual capital, or adaptability?

29. Do sales systems flag quarter-end sales volumes over selected limits?

30. How long does it take to develop ad hoc reports?

31. Do you model the sensitivity of your off-balance-sheet commitments (swap agreements, foreign-exchange risk, purchase commitments, etc.)? How often?

32. Are you able to determine your profitability using "what if" scenarios?

33. Have financial models been created for all high-risk operations, programs, etc.?

34. How long does it take to create the management package?

35. Does each operating unit have a financial model for the key drivers of its business?

36. Are documents backed up periodically to ensure that important reports and information are maintained?

37. Does the company have a retention policy for electronic information?

38. Are internal-control reviews incorporated into all new system implementations (financial and nonfinancial)?

39. How often do you back up your data?

40. What controls are in place for record retention to avoid tampering with the data?

41. What best describes your IT capabilities related to financial-transaction processing in your company?

42. How many changes have there been to financial-statement controls (including the authorization of transactions, safeguarding assets, maintaining records, and the reconciliation process) in the past year?

43. How many different systems are involved in the financial-statement development process?

44. Are IRS and other data-retention requirements being met?

45. Are GAAP-audited financial statements the starting point for your tax returns?

46. Are alerts in place to inform key resources of specific transactions taking place in the company?

47. Does the company review its transactions for unusual entries?

48. What controls are in place to detect wire or mail fraud?