Editor’s note: Glenn Conway and Bob Broda are partners with Visage Solutions. “Managing Risk” is a regular feature on Wednesdays in LTW.

The Sarbanes-Oxley Act is a complicated set of legislation, with certain rules still evolving. Public companies are struggling with how to achieve “SarbOx” compliance without destroying their core business – or spending boatloads of money in the name of compliance.

Some companies view compliance efforts as an opportunity to gain better control of their business processes. These companies expect a corresponding ROI on their expenditures. Other companies are approaching compliance as just another regulatory headache. Software and service vendors are positioning their products and “SarbOx Compliance Services” to ‘help’ companies achieve SarbOx compliance.

To help identify needs versus extras, let’s re-consider the purpose of “The Act.”

The preamble to the Sarbanes-Oxley Act reads: “An Act To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.” As most of the disclosures required under securities laws are financial in nature, or tied to financial impacts or issues, it becomes clear that the Act is really about two goals:

  • Assuring the accuracy and reliability of corporate financial information that is subject to disclosure requirements; and

  • Assuring the accuracy, reliability, (completeness and timeliness) of the actual disclosures themselves.

From this viewpoint, achieving Sarbanes-Oxley compliance is all about achieving accurate financial information, and reporting it honestly and in a timely manner. Everything else is secondary. Unfortunately, because of the corporate scandals, you also have to be able to prove that you did. Money spent in the name of “compliance” that doesn’t result in more reliable financial information disclosed on a reliable and timely basis is, quite simply, ill advised.

From this point of view, which software tools and services are on target to help companies achieve compliance without introducing extras of uncertain benefit? And, moreover, which tools stand to have positive ROI by streamlining or improving existing business processes versus creating additional work in the name of compliance?

Most vendors (including ourselves) have previously grouped software tools into various application areas, such as Electronic Document Management, Work Flow Management, Business Intelligence, and Knowledge Management. Vendors in each of these spaces have attempted to show how their software tools can help companies achieve compliance in an efficient manner. But corporations have been struggling with these vendors’ messages for several reasons:

  • It is difficult to quantify an ROI on these purchases in relation to SarbOx compliance

  • No single tool meets the needs of all companies

  • Many tools introduce additional workload to help “achieve compliance”

  • Few tools address the fundamental intent of accurate financials disclosed on a timely basis

A paradigm shift is in order. When selecting vendors to assist in compliance, should we not classify them in terms of how they will assist with the intent of Sarbanes-Oxley instead of merely adding software and workload overhead that may actually create more work for the auditors and the requirement for terabytes of online storage?

When determining if a third-party vendor can truly help you with the compliance process, ask yourself and them these questions:

Financial Integrity:

  • Does the (software) tool or service directly contribute to the fundamental accuracy and consistency of financial data at the transaction level (e.g. the “official records”)?

  • Does the tool support the idea that all “official” transaction data should permanently reside with the source application or host system? Or does it create or support semi-permanent or permanent, intermediate data layers that are de-coupled from the original transaction records?

  • Does the tool directly contribute to financial record integrity, leading to fewer “substantive tests” by Auditors and a lower level of assessed “control risk?”

Disclosure Integrity:

  • Does the tool directly contribute to the preparation, editing and/or issuance of written disclosures?

  • Does the tool directly contribute to the reduction or elimination of multiple disclosure versions or texts, in the interest of a single document?

  • Does the tool support the idea that all official disclosures should be security-controlled and concurrently visible by the disclosure team?

Process Integrity:

  • Does the tool directly contribute to improved efficiency of existing business processes? Or does it cause (or introduce) a suite of new overhead processes with few or no efficiency improvements to existing processes?

  • Does the tool provide meaningful audit trails and confirmations without creating redundant information and superfluous confirmations?

  • Is the tool sufficiently flexible to allow process-flow changes and additions to be readily defined and incorporated by the Client company?

  • Does the tool directly and readily interact with other software tools to streamline and accelerate required (as opposed to unnecessary) process and compliance steps?

Service Providers:

  • Are the individuals on the project team business-savvy and able to recognize business risks and control activities that mitigate those risks?

  • Does the compliance methodology focus on efficiently meeting the goals of Sarbanes-Oxley (financial integrity and accurate, timely disclosures)?

A majority of “yes” answers to the above suggests a tool or service that may be fundamentally beneficial to the company – and help to achieve compliance in the process. If the answers are “no” or “not clear,” then the tool or service may deliver redundant functionality and/or create recurring workload overhead.

Software and/or third-party services may be necessary components of compliance efforts. But if your compliance expenditures don’t help to improve the reliability of your actual financial information or the timely issuance of required disclosures, then your expenditures in the name of SarbOx may be off the mark.

Visage Solutions are results-focused operation assessment and risk management consultants who offer extensive real-world executive management experience. Visage Solutions offers a suite of services that provide a strategic approach to operations to improve business processes that affect the bottom line. Sarbanes-Oxley related services include OpsAudit and Compliance Process Improvement Services supporting Sections 301, 302, 404, 406, 409, 802 and 806.

See www.visagesolutions.com for more information and important links.