The Sarbanes-Oxley Act imposes a heavy burden on IT, but innovative execs are complying with the law and bolstering network security.
Qualcomm will have a year of experience under its belt when the next major Sarbanes-Oxley deadline arrives - barring any more extensions to key provisions of the law, that is.
CFO Bill Keitel says the San Diego chipmaker was on track to comply with Section 404 of the legislation last fall. But as the date neared for companies of Qualcomm's size to begin attesting to the effectiveness of their internal controls, the Securities and Exchange Commission (SEC) announced an extension.
Tips from the trenches
"Imagine troops storming Omaha Beach, they're halfway up the beach when some general back in an office somewhere says 'Oh, never mind. Come back to the ships,'" Keitel says. "You don't stop, you keep going for sake of the people who worked so hard to get you there."
So Qualcomm forged ahead and today is among a handful of companies that have achieved early compliance with Section 404 of SOX - in Qualcomm's case, a full year before the close of its 2005 fiscal year in September.
But it wasn't without pain. Qualcomm employees put in 67,000 man-hours to comply with Section 404, Keitel says. That meant the staff worked many late nights and many weekends for the better part of the year, he says. And the financial tally? Qualcomm spent more than $7 million, Keitel says.
Sox in a nutshell
SOX became law in 2002 in response to high-profile scandals at companies such as Enron and WorldCom. At its most basic, the legislation is intended to deter fraud and protect investors by establishing more stringent standards for corporate governance. Key provisions include:
• Section 302, in effect since late 2002, requires a company's top executives to certify the accuracy of corporate financial reports.
• Section 409, which is still being ironed out, will require companies to give investors information related to any material changes in their financial condition or operations in a timely manner.
• Section 404, which takes effect in staggered deadlines beginning this spring, says companies must prepare reports - to accompany their annual reports filed with the SEC - assessing the effectiveness of their internal control structures and financial reporting procedures. Compliance with Section 404 is where most public companies' SOX efforts are aimed today.
On the surface, those efforts seem like something for financial departments to tackle. But in its execution, SOX is all about IT.
"When it first came out, everybody was thinking about finances and the accuracy of year-end reports. But it starts to take on a life of its own. Because when you ask that one question-'Is this number accurate?' - then you have to ensure its accuracy. On the IT side, all these other things have to happen to answer that one question," says Bernie Donnelly, vice president of quality assurance and control at the Philadelphia Stock Exchange.
Who goes there?
For Phil Blank, vice president of IT for the ProBusiness division of ADP in Pleasanton, Calif., SOX compliance is first and foremost an identity management issue.
"With Sarbanes-Oxley, the regulators want to know who was in what system, what they did, why they were there, whether they were authorized to be there, and how long were they there. You have to be able to answer those questions for almost everything," Blank says. "From my perspective, without a role-based access control system or an identity management system, compliance is going to be a Herculean task."
Before its acquisition by ADP, ProBusiness invested in identity management software from Waveset Technologies (which Sun acquired in late 2003). Blank bought the software to formalize what were manual, ad hoc processes for managing employee access to business systems.
As SOX came into play, Blank tweaked the rollout to better address the legislation's requirements for securing system access. "Now we can show, with a very strong audit trail, the access provisioning and deletion processes, and the auditors can come in and test. It's all mechanized," he says.
RailAmerica, too, is focused on users' access to corporate systems. In its case, segregating duties is a critical issue, says Pedro Carrera, SAP manager at the Boca Raton, Fla., short line and regional rail service provider.
One thing SOX auditors look for is potential conflicts-for example, a person with the authority to both create a vendor in an ERP system and cut checks to vendors.There is a potential for fraud if one person has that much power.
"As we analyzed the roles people had to have, there were just certain circumstances that required a person to be a back-up for someone else, but it was incompatible with their day-to-day role to have that other role," Carrera says. For example, his role as SAP manager gave him unconstrained access to the financial systems of RailAmerica's 40-plus subsidiaries. "I support over 40 companies in North America. I need to get into their purchasing and general ledgers and look at what they're doing. Imagine having that broad access without having some control over it - that would be a problem," Carrera says.
To secure possible gaps in its internal controls, RailAmerica rolled out software from Virsa Systems. The vendor's Firefighter software lets IT users, such as Carrera, retain the broad access they need to fix system problems, but tracks, logs and reports their activities for auditing purposes.
Cheese steak, voluntary compliance, automated tools
Philadelphia Stock Exchange uses current technology to aid in its compliance efforts. The exchange isn't public, but some day it could be. To prepare for that scenario, it voluntarily complied with SOX, Donnelly says.
"One thing that makes the Philly Stock Exchange different from other organizations trying to comply with Sarbanes-Oxley is that we've been under SEC regulations since the time of the Exchange Act of 1934," Donnelly says. "This type of oversight, or requirements for ensuring the integrity of data, is old hat to us."
Software from Consul Risk Management helps fill in the SOX compliance gaps. Philadelphia Stock Exchange has used it for nearly 20 years to collect log data from its mainframe, Sun and Stratus trading engines.
Consul's server-based audit and compliance-monitoring software spots discrepancies with Philadelphia Stock Exchange's development and change control policies. "No developer is permitted access to the production system. If a developer who is supposed to be accessing a development box tries to access a production box, the system flags that," Donnelly says.
There's no way to catch those lapses manually, he says. "We have eight Stratus systems, 50-plus Sun servers and one mainframe. Each of those boxes would put out three feet of paper every day. It's impossible to physically go though all that," he says.
Darning SOX by hand
Ryerson Tull waded through SOX Section 404 compliance last year "by wheeling in a number of filing cabinets and buying a few tons of manila folders," said Darell Zerbe, CIO and vice president of IT at the metal distributor, in a recent conference call hosted by Morgan Stanley.
Next year, the $2.3 billion company will consider investing in software to help with the process, but only if it makes sense to do so. "We're perfectly OK to live with the sort of brute-force method we used this year if the software is too expensive or we just don't feel like it's worth it," Zerbe said.
There's really no way around a manual start, Qualcomm's Keitel says. "I think every company's first time through 404 will be a manual effort," he says.
What the legislation requires is that companies identify their key processes and, within those processes, identify key controls and establish ways to measure the effectiveness of those controls. Coordinating that effort requires significant input from multiple departments. "There's no way a system can do all those steps. That's a very manual, intensive process," Keitel says. "I would venture that there's no alternative to doing it manually this first time through."
However, users agree, the manual way has a limited life span.
For QuadraMed, the first steps to achieving Section 404 compliance are necessarily manual, but the company has made plans to enable greater automation down the road, says Kevin Haggerty, senior director of internal audit at the healthcare technology and services firm.
QuadraMed invested in PeopleSoft's Internal Controls Enforcer software, which monitors key internal controls and alerts management when configurations changes are made to those controls.
But before launching the PeopleSoft software, Haggerty and his team had to go through an onerous documentation process. They identified between 200 and 260 control points in QuadraMed's corporate processes and designated owners responsible for verifying the effectiveness of each control point.
Much of the preparation and testing QuadraMed did in 2004 was done outside of PeopleSoft's Enforcer software, Haggerty says. "As we go forward, the great advantage of Enforcer is that we can push that responsibility down to the people who own those processes, and we'll be able to monitor that compliance. The real advantage of Enforcer is in ongoing monitoring," he says.
Likewise, Kevin Sonsky, project lead for SOX at Citrix Systems in Fort Lauderdale, Fla., first relied on manual effort. "It's now about managing the whole thing manually, managing tons and tons of files and spreadsheets. It's just file and folder management on a server, quite frankly," he says.
But the manual way is tremendously cumbersome and very inefficient. "It's getting done, but not without a lot work," Sonsky says. Looking ahead, Sonsky will rely on SAP's Management of Internal Controls (MIC) software. "The MIC tool will push access to the whole company, to all the process owners, so that someone can look in at any time and see a snapshot of where the risks are, where the controls are, what's been updated and what's been tested," he says.
Having gone through 404 certification already, Keitel advises other companies to be generous in allotting resources to the job. "Don't underestimate the amount of work," he says. "If you have an estimate of x, plan for 2x. It is so massive."
404: ROI not found
Like many other users, Keitel isn't sure the legislation is worth the effort and expense. SOX pushed Qualcomm to accelerate efforts that were already underway to shore up its internal controls. "We were very much on this path before the legislation even was hinted at, but I had no intention to ever do it to the degree that 404 requires," Keitel says. "I don't think it's a value-add for the shareholder. I do think it's overdone."
Cynthia Russo agrees. "I don't think we're going to get as much benefit as we're spending," says Russo, the vice president and corporate controller at Micros Systems in Columbia, Md., which makes software for restaurants, hotels, casinos and retailers. Micros' tab for complying with sections 302 and 404 is in the $3 million to $4 million range, she says.
Part of that investment includes compliance-management software from OpenPages to streamline the internal controls documentation process across all of Micros 60 worldwide divisions. The OpenPages software helps reconcile data from multiple financial-reporting systems in an auditable fashion.
SOX pushed Micros to formalize controls that have been in place for many years, but weren't as structured as the legislation requires. The result is greater efficiency, but the ends don't entirely justify the means. "I would not be spending this kind of money if I didn't have to," Russo says.
Donnelly speaks even more harshly about the financial burden SOX puts on companies: "There's no return on your investment in this. It doesn't generate anything other than more paper, more storage, more auditors and more lawyers."
Part of the problem lies in the interpretation of the legislation, QuadraMed's Haggerty adds. "Section 404, in my opinion, is a good piece of legislation. In its interpretation and implementation over the last couple of years - having theoretical accountants and lawyers getting to it - it has gotten way more complicated than I think it needs to be," he says. "It's very confusing for people. Even the regulatory powers have not totally decided what's necessary and not necessary."
The "moving target" nature of SOX is making things tougher, Citrix Systems' Sonsky agrees.
After the company had documented its processes and controls, working with external auditors to determine if those controls are adequate and efficient was no easy chore, Sonsky says. "It's almost 90% judgmental, which makes it difficult," he says.
On the positive side, the effort could help pinpoint areas for future improvement, Sonsky says. "We'll probably see more benefit by taking the work we did for Sarbanes-Oxley and finding efficiencies, such as opportunities to implement consistent processes across our locations," he says.
For QuadraMed, complying with Section 404 gave the company added reason to pursue an ERP upgrade and consolidation project. The company, which has completed 28 acquisitions in the last five years and orchestrated a move of its corporate headquarters from the West Coast to the East Coast, had multiple systems with which to contend.