Datawatch CFO Discusses Small Company 404 Compliance

This profile is the latest in a series of weekly conversations with executives at U.S. public companies who are currently involved in establishing and developing compliance programs. An index of previous conversations is available here.

Yikes, you’re a small company! How daunting is compliance to you?

I was brought on board because the former CFO wanted to move on. My background is first from public accounting, and then I went to a small company that grew from about $50 million to $150 million. We then merged and I was in charge of the Sarbanes project when the first rules came out. When I came to Datawatch—we’re a Sept. 30 year-end company and I came aboard in December—the rules were to comply by September 30, 2005. So right when I started, I would say that 75 percent of my task was to get the project going and get the people in place.

Now you have until September 2006. How has that changed the urgency?

Well, it hasn’t gone away, but it has slowed down and shifted gears. I think for small companies, delaying things for a year is really beneficial from a cost standpoint. We’re still going to incur the same cost, but now I can spread out that cost over 18 months rather than trying to squeeze everything into six or nine months.

Have you studied other companies’ experiences with Section 404, to prepare for your own project?

Being a small company and having very few resources, I realized my team would have to take on a good amount of responsibility, and that’s why I contacted a third party—Grant Thornton—to assist us. Internally, I also had to get my team up to speed to take on the additional work.

But basically with the whole Sarbanes world, every company has different issues. Within your peer group and talking to colleagues … every story is different. You need to understand your own company and get a handle on what procedures are in place and getting your team up to speed. You do have to keep your eyes and ears open on what’s happening at other companies, but really you have to get hold of your own company.

You don’t have the luxury of forming a high-level steering committee like a Fortune 500 business. How will you approach Section 404?

It’s a small team: myself, an accounting manager, a finance director at our U.K. subsidiary, and just a few departments heads—really, there’s only a few people you can push this down to. Not only am I the overseer, but I’m also one who will roll up his sleeves and do a lot of the documentation and the process. That’s very different for a small company.

Which chores will you handle internally, and which will go to Grant Thornton?

Basically since the U.S. represents the larger of our consolidated business, from a corporate governance high level, we’ll do that on our own. And as a software company, our biggest risk area is revenue recognition, so I’ll pass the revenue cycle and expenditure cycle to Grant for them to do documentation and testing. For other small areas like payroll we can do ourselves.

What’s the timetable, now that you have the 2006 extension?

We’re trying to spread things out to a cycle per quarter. By the time we get to January of next year, we’ll have a good amount of the work done and not be rushing to comply. But I will say that a lot has changed in the environment around Sarbanes. If I’d had this interview with you back in January, there was nothing in sight that the PCAOB or the SEC would delay things for another year for non-accelerated filers; that all changed within two months.

So you feel that regulators are giving small businesses their due attention?

They’re not only looking at small companies, they’re looking at the issues that transpire with larger companies. There were a lot of issues between auditors and companies that came up. One of the issues with non-accelerated filers—the key issue, really—is the segregation of duties. Because you’re a small company, many people have to wear many different hats. So you have that problem of segregation of duties, which is a cornerstone of Sarbanes in the internal controls process.

Most accelerated filers burned through their first year documenting controls, ignoring how they might use that information strategically. What will you do?

When I came aboard, the company had a certain way of doing things, and I wanted to take a fresh look at how we operated. Given that one year’s leeway, that helps me on two fronts: documenting the processes, and actually looking at the processes and seeing how we can make changes to them. Spreading it out over a year helps me.

But for example, might you implement any new IT systems to exploit that data?

Well, we are a small company and we have to manage the bottom line. We can’t go too overboard on the IT infrastructure.

So you’re sticking with Microsoft Word and Excel?

Yeah, pretty much. And we’ll use a database such as Microsoft Access.

How much will all this cost Datawatch, anyway?

It could range from $150,000 to $250,000, and that doesn’t include the additional cost from the auditors. We’ll actually get two invoices, one for audit and quarterly work and one specifically for Sarbanes work. The cost could be as much as 2 percent [of total revenues]. For a small company like us, that’s a significant expense for us to be a public company.

Do you expect difficulty training employees on life under Sarbanes?

Luckily for me, it was somewhat in place already when I came here. Because people wear so many different hats, from an internal controls perspective you do need certain executives or managers to take responsibility for certain areas. Sarbanes more formalizes that by doing the documentation and proving an audit trail. I know a lot of companies already have these procedures in place, but it had never been formally documented as a process.

We’ve chatted away about Section 404. Are other provisions of Sarbanes-Oxley challenging?

No. When Sarbanes first came out, with help from the auditor and the legal team, the company took a very proactive approach to Section 302 and a lot of whistleblower and code-of-ethics rules, and established them right from the get-go. That was the beginning step for the employees to get in line with Sarbanes.

And what are your one or two compliance priorities for the next 12 months?

I think the big thing with Sarbanes was the IT infrastructure and IT controls. We need to make sure we have a good handle on our IT backbone. We’re a good company and we’ve been around for a long time, so some of our IT equipment is nearing its useful end. Probably the other item is to minimize the cost impact of Sarbanes, and to keep it at a manageable level.

Thanks, John.

Compliance Week regularly profiles corporate executives responsible for governance, compliance, ethics and risk. Click here for recent Q&As. If you would like to be considered for a future Q&A, or if you would like to nominate a public company executive for a Q&A, please email Matt Kelly.

Click here for upcoming Webcasts with compliance officers.