
Article information

  • Title: Sarboxing: finance executives continue to grapple with section 404 of Sarbanes-Oxley. So far, it's unclear who's winning
  • Author: John Goff
  • Journal: CFO
  • Print ISSN: 8756-7113
  • Electronic ISSN: 1560-3539
  • Publication year: 2004
  • Volume: Feb 2004
  • Publisher: CFO Publishing Corporation

Sarboxing: finance executives continue to grapple with section 404 of Sarbanes-Oxley. So far, it's unclear who's winning

John Goff

WHEN LAST WE LEFT MARK THOMPSON ("Drowning in Data," November 2003), the senior vice president of finance and information technology at Crown Media Holdings was shopping for software. Specifically, he was looking for an application that would help him manage the company's international contract rights. Crown Media, which owns the Hallmark Channel, operates in more than 120 countries, where it buys and sells thousands of broadcast rights to more than a thousand films. Overseeing the contracts that govern the payment schedules for those programs is a herculean task. Says Thompson: "International rights is a huge portion of what we have to manage."

Three months later, the finance executive still hasn't found what he's looking for. "I haven't come across the right fit yet," he says.

He may have to settle on one soon, however. Handling contract rights is one of the 25 or so activities Crown Media's management deems key to the company's business. As such, the process is subject to the provisions of Section 404 of the Sarbanes-Oxley Act of 2002--meaning Crown Media must demonstrate sound financial controls governing that business process and then test those controls quarterly. Manually documenting and testing those controls, while doable, would be a real pain. Consequently, says Thompson, "the reporting deadlines and 404 are leading us down the path of automation."

Finance executives at other companies are headed down a similar path. Despite the fact that the Securities and Exchange Commission pushed back the filing deadline (accelerated filers must be in compliance after June 15), many corporate managers are fast discovering just what a bear Section 404 really is. The biggest hurdle: few businesses operate off a single information platform. In fact, The Hackett Group estimates that the average $1 billion company maintains 48 financial programs, along with nearly three enterprise resource planning (ERP) systems. So it's little wonder, says Randy Whitchurch, CFO at bar-code maker Zebra Technologies, that "if you've got a lot of far-flung locations on disparate accounting systems, [documenting controls is] a problem."

Not surprisingly, business-software makers--many of which see Sarbox as the next Y2K--have flocked to Section 404 like alley cats to albacore. John Van Decker, vice president (technology-research services) at Stamford, Connecticut-based Meta Group Inc., reckons there are now 50 or more vendors flogging software aimed at Section 404 (for a vendor chart, see page 74). The long list includes ERP vendors, content- and business process-management specialists, startups, upstarts, and industry giants (read: IBM and Microsoft). And in a survey conducted by Meta, fully 92 percent of those IT product and service vendors said they expect Sarbox to boost their year-over-year sales.

To date, however, companies haven't fully embraced the vendor offerings. In fact, in the same Meta survey, 57 percent of the vendors said that sales of Sarbox products so far had not met their expectations. Part of the problem is that the early work on Section 404 is a decidedly in-house affair, with many companies tapping controllers and internal auditors to handle the initial documentation. What's more, of the $5 billion or so that publicly traded companies will spend on Sarbox projects this year, only about 20 percent will go toward software purchases, with the rest spent on staff and consultants.

Eventually, however, that percentage is bound to increase. CFOs, the senior executives generally charged with wrestling Section 404 to the ground, say they'd just as soon not go through this exercise every year. And deciding among the various software offerings that promise to alleviate some of the Section 404 drudgery will undoubtedly become a priority. Says James J. Groberg, senior vice president, director, and CFO at New York-based Volt Information Sciences, of the 168 words that make up Section 404: "It's a small section. But it's creating a large amount of work."

PAPERED OVER

Software should eliminate much of the documentation work going forward. It is possible, says Steve Biskie, assistant vice president (internal control) at insurer Great-West Life & Annuity Insurance Co., for many businesses to rely on Word and Excel files to document internal controls, but he points out that such an approach would result in hundreds, if not thousands, of files. "That may be OK for the first year of 404 compliance," he asserts. "But on an ongoing basis, it will be tough to maintain controls using those products."

Deciding which product to use long term, however, is not cut-and-dried: there is no clear market leader. Greenwood Village, Colorado-based Great-West, for example, opted for a program called Certus, marketed by Nth Orbit, an interesting decision, considering Great-West is also an SAP customer. But Biskie says senior managers at the life insurance company weren't overly worried about using a relatively new product from a small software company (one that started out as a supply-chain specialist, no less). "The older products were designed for other purposes," he argues. "Besides, any product that is out there for 404 is new."

He has a point. While Van Decker warns against purchasing software from companies that have "arisen specifically because of Sarbanes-Oxley," Section 404 compliance products from such niche vendors as Movaris Inc. and Nth Orbit (plus programs from Paisley Consulting and OpenPages) do offer certain advantages over apps from better-known ERP and business-software companies. As Biskie points out, "Certus is geared toward doing this work. It's not a bolt-on product that's designed for something else."

Moreover, smaller software vendors can ill afford to lose any customers--a fact that often translates into gold-plated service. "Large companies don't give you the same level of service," claims Kyle Didier, vice president of finance at Minneapolis-based Regis Corp., which recently purchased Certainty, a compliance-management program, from Campbell, California-based Movaris. Buyers of compliance software from niche vendors also can negotiate price reductions, flexible contracts, and service enhancements. Another perk: Groberg reports that programmers at OpenPages consulted with Volt when designing an upgrade to its Sarbanes-Oxley Express (SOX) program, and ultimately incorporated some of those suggestions in later versions of the software.

LET'S PLAY TWISTER

Of course, service tends to suffer when the service provider goes out of business. And make no mistake, a number of companies currently flogging Section 404-related products will be gone by the end of the year. As John Hagerty, vice president of research at AMR Research, states: "The market simply can't sustain a dozen independent vendors."

While it's tough to tell which companies will capsize, Van Decker says several in the contract-management sector are already foundering. Likewise, the crowded enterprise content-management space appears headed for a shakeout. In December, for example, Documentum was acquired by data-storage giant EMC Corp. Around the same time, Interwoven, which recently merged with rival content-management vendor iManage, reported a net loss of $35.1 million for the first nine months of 2003. That's a sizable hit, considering the Sunnyvale, California-based Interwoven generated revenues of only around $78 million during the same time period.

The prospect has clearly spooked some prospective purchasers of Section 404 software and has bolstered the case for dealing with larger--more stable--software vendors. But staying power doesn't necessarily mean the products of top-tier vendors are up to snuff. Doyle Arnold, executive vice president and CFO at Salt Lake City-based Zions Bancorporation, says he looked at all sorts of Section 404-related software before settling on a program from Providus (a company Zions spun out of Lexign, another software company it had acquired). "All the software [I looked at] was built for another purpose," explains Arnold. "It would have to be twisted to do 404."

Generally speaking, twisting software is not good. That's why most experts say it's unwise to purchase a Section 404-targeted program without considering if the application plays well with others--particularly ERP systems. As part of Crown Media's compliance efforts, for instance, Thompson bought an online purchase-order system called eRequester (from Paperless Business Systems). In making the buy, he says, he was mindful of Crown Media's plan to eventually swap out the company's Best Software general ledger. "We wanted a [PO] system that was open," he explains, "one that would work with whatever general ledger we went with."

Such an approach, while prudent, raises the obvious question: Why not simply use deployed enterprise software for Sarbox compliance? Indeed, at San Jose, California-based Aspect Communications, controller Bruce Ruberg says the company is addressing Section 404 compliance in tandem with a reimplementation of Oracle 11i. "We're redefining all our business flows, which ties in to the 404 sweet spot," he explains. "It makes sense to do them together."

TURNED ON

Certainly, integrating Section 404 reporting with a company's financial systems would seem to be an ideal approach to Sarbox. ERP vendors have not been shy about playing up the angle, either. Early on, vendors claimed that business users need only turn on the existing controls within their ERP systems to satisfy much of Section 404.

The pitch hasn't gained a whole lot of traction in the marketplace, however. First off, as Van Decker points out, ERP systems can help with the assessment of financial controls--a big task, admittedly--but not necessarily the documentation of controls. And as Hagerty notes, ERP systems come with both inherent controls and configurable controls. Those configurable controls offer a dizzying number of choices. Says Biskie: "There can be a million control options within each process [in an ERP system]. Which one do you choose?"

Even the ERP vendors appear to have backed off their initial "just turn 'em on" approach: in recent months, the major players have unveiled new modules designed specifically for Section 404 compliance. In May, for example, Oracle announced the development of its Internal Controls Manager, an application aimed squarely at Section 404 compliance. Then, in October, PeopleSoft launched its own Section 404 product, called Enterprise Internal Controls Enforcer. And SAP began shipping a similar offering, its Compliance Management for Sarbanes-Oxley Act (part of mySAP Financials), around the same time.

Yet while ERP vendors may be saying this is part and parcel of what they do, they're going to have to fend off some powerful rivals--rivals that are already well entrenched in the business-computing landscape. IBM, for one, has teamed with Big Four auditor KPMG to offer IBM Lotus Workplace for Business Controls and Reporting, a program designed to help businesses tackle the issues of documenting and dynamically assessing their controls and business processes.

Some industry watchers, however, say Big Blue competitor Microsoft may pose an even bigger threat to the Section 404 sales of ERP and niche vendors. Next month the company will release the Office Solution Accelerator for Sarbanes-Oxley, a software package built for the Office System platform (and one of a number of business "accelerators" the company markets). Essentially, the accelerator for Section 404 compliance sits on top of a company's existing infrastructure and features a familiar Windows interface. As with many products from Gates & Co., Microsoft is relying on partners to extend and enrich the software.

And which of Microsoft's raft of business partners will likely end up doing the extending and enriching? Says one industry watcher: "I think auditors will end up using this."

Just what Section 404 software vendors need: more competition.

RELATED ARTICLE: Auditors in the ring.

Section 404 of the Sarbanes-Oxley Act of 2002 has been good to the Big Four. Not only are the firms in line to pick up considerable attestation business this year, they're also pitching 404 compliance tools to clients. Says Steve Barth, a partner at Foley & Lardner: "Audit firms are jumping all over this."

Some corporate managers are availing themselves of their auditors' tools--at least for this go-round. John Van Decker, a vice president at research firm Meta Group Inc., is advising corporations to "go through [the] first year with [your auditor's] tool, understand how it works with 404, then replace that when you understand the nature of your 404 process."

Other management teams, however, are choosing to talk to their auditors about the configuration of third-party Section 404 software. Volt Information Sciences CFO James J. Groberg says that his company gave auditor Ernst & Young a demo showing how Volt structured its 404 effort, which is encapsulated in a program from OpenPages. "The last thing we want in July is E&Y saying, 'Oh, that's not what we meant.'"

There are other risks involved with using an external auditor's Section 404 tool. At the top of the list: software development is not the core competency of accountants. Says Bruce Ruberg, controller at Aspect Communications: "The Big Four are not in the business of software, long term." In addition, purchasing Section 404 software from external auditors may send the wrong message to shareholders. "An auditor firm is very involved in [a] 404 process, then it sells you a software tool, then it comes in and audits over this," says Barth. "You can just see the cases coming up, can't you?" J.G.

CFO BUYER'S GUIDE compliance software providers

                       Documentum (EMC)         Hyperion Solutions

                       $227 million revenues    $610 million revenues
                       Founded 1990             Founded 1981 (as IMRS)

 Sarbox/404 program    eRoom Fin. Compliance    Hyperion Financial
                       Workplace; Ent.          Management (v. 3.4)
                       Controls Repository
Program description    Web-based Workplace      Packaged program that
                       one of several tem-      consolidates financial
                       plates used to manage    results from multiple
                       404 and 302. Program     ERP or GL systems.
                       provides capability to   Assists with risk
                       manage testing, docu-    assessment, information
                       ment findings, and       and communication, and
                       report/manage remedia-   monitoring during
                       tion. Integrates with    monthly and quarterly
                       Enterprise Controls      close and reporting
                       Repository, a records    cycles.
                       manager and storage
                       offering.
      Fin. controls
      documentation    No                       No
      Fin. controls
        attestation    Yes                      Yes
Integrates with ERP    Yes                      Yes
       XBRL enabled    No                       Yes
Monitor operational
             systs.    No                       No
   Size of business
           targeted    All                      M, L
              Price    Varies                   Contact vendor

                       IBM                      Microsoft

                       $81 billion revenues     $32.2 billion revenues
                       Founded 1911             Founded 1975

 Sarbox/404 program    IBM Lotus Workplace      Office Solution Accele-
                       for Business Controls    rator for Sarbanes-
                       & Reporting              Oxley
Program description    Designed to help users   Helps organizations
                       manage processes,        manage compliance
                       controls, and informa-   initiatives related to
                       tion subject to 404.     302 and 404. Program
                       Created in tandem with   facilitates regulatory
                       KPMG, app intended to    compliance and sustain-
                       provide foundation for   able corporate gover-
                       financial-reporting      nance by enhancing
                       processes and orga-      visibility over finan-
                       nized approach to        cial processes and
                       gathering information    internal controls.
                       about internal
                       controls.
      Fin. controls
      documentation    Yes                      Yes
      Fin. controls
        attestation    Yes                      Yes
Integrates with ERP    No                       Must be customized
       XBRL enabled    No                       No
Monitor operational
             systs.    Yes                      Through SQL Server 2000
   Size of business
           targeted    All                      All
              Price    $1,150 per user @ list   Contact vendor
                       price

                       Movaris                  OpenPages

                       Revenues NA              Revenues NA
                       Founded 1988             Founded 1996

 Sarbox/404 program    Movaris Certainty        OpenPages Sarbanes-
                       (v. 6.5)                 Oxley Express (v. 2.0)
Program description    Created specifically     Enterprise compliance-
                       for Sarbox. App based    management program
                       on business process--    designed to reduce
                       management platform      time, resource costs of
                       that manages company's   compliance for 404 and
                       entire Sarbox obliga-    302. Combines document
                       tion, from documenta-    and process management
                       tion and risk assess-    with flexible reporting
                       ment to ongoing moni-    capabilities. App
                       toring and attestation   intended to help mana-
                       preparation.             gers enforce internal
                                                controls.
      Fin. controls
      documentation    Yes                      Yes
      Fin. controls
        attestation    Yes                      Yes
Integrates with ERP    Yes                      Yes
       XBRL enabled    No                       Yes
Monitor operational
             systs.    Yes                      Yes
   Size of business
           targeted    M, L                     All
              Price    Contact vendor           $65,000 & up (min. 25
                                                users)

                       Open Text                Oracle

                       $178 million revenues    $9.5 billion revenues
                       Founded 1991             Founded 1977

 Sarbox/404 program    Livelink for Corporate   Oracle Internal
                       Governance               Controls Manager
Program description    Tracks, reports,         Comprehensive tool for
                       manages processes and    executives, control-
                       info for corporate       lers, internal-audit
                       governance. Features:    departments, business-
                       auditable process        unit managers, busi-
                       workflows based on       ness-process owners,
                       COSO; integrated         and public accounting
                       records, document, and   firms. Programs docu-
                       content management;      ments and tests inter-
                       secure collaborative     nal controls, and
                       tools; integrated        monitors ongoing
                       online training,         compliance.
                       training audits. Open
                       architecture.
      Fin. controls
      documentation    Yes                      Yes
      Fin. controls
        attestation    Yes                      Yes
Integrates with ERP    Yes                      Yes
       XBRL enabled    No                       Yes
Monitor operational
             systs.    Yes                      Yes
   Size of business
           targeted    L                        M, SMB, L
              Price    $125,000 (1)             See Footnote 2, below

                       Paisley Consulting       PeopleSoft

                       $10 million revenue      $1.9 billion revenues
                       Founded 1995             Founded 1987

 Sarbox/404 program    Risk Navigator (v.       PeopleSoft Enterprise
                       1.3), Focus Control      Internal Controls
                       Assurance (v. 1.2)       Enforcer
Program description    Risk Nav. incl. docu-    Designed to automate
                       mentation and testing,   and enforce internal
                       control self-assess-     controls required under
                       ment surveys, and        404. Enables users to
                       operational risk         streamline documenta-
                       assessments; also        tion and continuously
                       features executive       monitor internal
                       dashboard. Focus docu-   controls. Diagnostic
                       ments financial pro-     capabilities intend-
                       cess risks/controls,     ed to help companies
                       tracks issues and        reduce the cost of
                       action plans. Incl.      compliance.
                       prepopulated process,
                       risk, and control
                       templates.
      Fin. controls
      documentation    Yes (both)               Yes
      Fin. controls
        attestation    Yes (both)               Yes
Integrates with ERP    Yes (Risk Nav.), No      Yes
                       (Focus)
       XBRL enabled    No (both)                No
Monitor operational
             systs.    No (both)                Yes
   Size of business
           targeted    S (Focus), M (both), L   SMB, L
                       (Risk Nav.)
              Price    See Footnote 3, below    Varies

                       SAP                      SAS

                       $9.5 billion revenues    $1.2 billion revenues
                       Founded 1972             Founded 1976

 Sarbox/404 program    SAP Compliance Manage-   SAS Corporate Com-
                       ment for Sarbanes-       pliance for Sarbanes-
                       Oxley Act                Oxley (v. 2.1)
Program description    Addresses internal-      Targets all relevant
                       control requirements     Sarbox provisions.
                       of 404 via comprehen-    Software provides
                       sive management of cont- tracking and auditing
                       rols. Helps document/    of internal controls,
                       model business proces-   rapid consolidation of
                       ses, document existing   financial data, valida-
                       controls, test           tion/verification of
                       results, and suggest     financial reports, and
                       improvements. Also       dashboard monitoring,
                       provides status          as well as risk-impact
                       reports to management    assessment and alerts.
                       according to law's
                       provisions.
      Fin. controls
      documentation    Yes                      Yes
      Fin. controls
        attestation    Yes                      Yes
Integrates with ERP    Yes                      Yes
       XBRL enabled    Yes                      No
Monitor operational
             systs.    Yes                      Yes
   Size of business
           targeted    All                      All
              Price    Contact vendor           See Footnote 4, below

(1) Must also have core product suite, which starts at $100K for first
100 users. (2) Price avail. online at
http://www.oracle.com/corporate/pricing/ePLext.PDF. (3) Risk Nav.
install. pkg.: $150,000, plus annual user fees (based on no. of users)
starting at $150 per user. Focus: Per-user license fees start at $700
per user, plus 20 percent maintenance charge. (4) Base price for
software license, plus per user cost.

JOHN GOFF (JOHNGOFF@CFO.COM) IS TECHNOLOGY EDITOR AT CFO.

COPYRIGHT 2004 CFO Publishing Corp.
COPYRIGHT 2004 Gale Group
