While companies that haven’t yet had to comply with Section 404 of Sarbanes-Oxley await more guidance and expected tweaks to the standards in place for auditors, those that have already bitten the Section 404 bullet have turned their attention to the next phase in compliance, experts say.

With three years of 404 compliance under their belts, companies are focusing increasingly on automation, a panel of experts told journalists gathered at a roundtable event sponsored by automation-software provider Approva in New York recently.

“Companies aren’t happy with where they’re at now,” Ken Gabriel, a manager for business systems controls at KPMG, told the group. “They’re in their third year and [404 compliance] is still a burden. It’s not just the cost, it’s the employees’ time that’s frustrating them. They’re looking to build something to make the process more sustainable.”

Approva’s latest research shows that many companies have yet to automate testing of their IT controls. However, companies plan to make those investments during the coming year, according to the same research.

Manual Controls Still Prevalent

In a poll this month of 200 high-level finance and IT executives at public companies conducted by Fleishman-Hillard Research Group on behalf of Approva, 72 percent of those surveyed said they don’t currently use a software solution to automate the testing and monitoring of their IT controls. More than a third (37 percent) say at least 40 percent of their IT controls still are manual, and 68 percent say at least 20 percent of their controls are manual, Approva reported.

However, experts say that’s going to change as many companies embark upon their third or fourth year of 404 compliance.

Among those polled by Approva, 25 percent of the companies that said they don’t have an automated solution in place said they plan to evaluate or implement such software in the next 12 months.

John Hagerty, vice president and research fellow at Boston-based AMR Research, says he’s seen a resurgence in the interest in automation during the last two quarters. “Companies are looking to automate as much as possible around control testing,” he said. “This is raising the specter of risk management like I’ve never seen before.”

FINDINGS

The key findings below are from the 2006 Approva Corporation Compliance Survey:

81 percent of companies who currently use software to automate their controls predict their controls management investment will provide value beyond SOX compliance

72 percent of companies do not currently use a software solution to automate the testing and monitoring of IT controls

37 percent of companies surveyed say that at least 40 percent of their IT controls are still manual while 68 percent say that at least 20 percent of their IT controls are manual

41 percent of companies reported that their ERP system does not do an adequate job of demonstrating compliance with audit and regulatory requirements

47 percent of companies believe SOX has been successful in helping to prevent corporate fraud

32 percent of companies who test more than 20 different applications believe investor confidence in their company has increased since SOX was introduced in 2002

Source

2006 Approva Corporation Compliance Survey (Approva Corp.)

Gabriel noted that companies were focused on getting compliant and on remediation during the first two years of their 404 work. In addition, he says, “At the time, there weren’t a lot of [automation] tools available.”

What To Expect In Coming Years

Hagerty at AMR also cited his firm’s research, which shows that companies spent 33 percent of their SOX budget on technology support in 2006, with that percentage expected to rise in the coming year.

“In the first year, it was ‘get it done,’ and in Year Two, everyone kind of took a breath,” he says. “For the majority of companies, their third year is when automation really happens.”

Gonzalo Cuatrecasas, who manages the corporate audit IT department at Colgate-Palmolive, says SOX has “made IT auditing easier, because we have a baseline to work from.”

Colgate has automated all of its access controls, Cuatrecasas says. “But we still have a ways to go. Now we have to move on to our process controls.”

Hagerty says today’s focus on controls is just getting “back to basics.”

“When business systems were being implemented in the ’70s and ’80s, it was all about controls. In the ’90s, it was all about ERP systems and flexibility,” Hagerty said. “What companies are doing today is the same thing they were doing in the ’70s as far as how they’re running their businesses.”

As for whether smaller companies now undertaking 404 compliance efforts have learned anything from those who went before them, Hagerty says the answer is, unfortunately, not really.

“Smaller companies going through this now are going through the same process—shock, anger, denial, acceptance and moving on,” he says. “But, they’re going through it faster.”