IT managers at several large companies said this week the software they now have should help them meet the Sarbanes-Oxley Act's internal documentation requirements on an ongoing basis. But analysts think many corporate users aren't so well prepared.
Companies that face year-end deadlines for complying with Section 404 of Sarbanes-Oxley have spent a lot of money this year on consulting services in an effort to help themselves "focus on their immediate needs and get their arms around what they need to automate later," said Cathy Hotka, principal at Cathy Hotka & Associates, a retail IT consultancy in Washington.
Section 404 requires companies to document their financial and IT controls and attest to the effectiveness of the controls on an annual basis. Hotka and other consultants said they believe that starting next year, companies will have to begin investing more heavily in technologies such as workflow, document management and identification management tools to help them automate some of their Section 404 compliance processes.
Compliance work isn't a one-year project, noted John Hagerty, an analyst at AMR Research in Boston. "It may not be Y2k every year, but it's an ongoing process that's hanging over people's heads," he said.
"The biggest challenge is to get software that facilitates Sarbanes-Oxley certification," said Ross Wescott, chief IT auditor at Portland General Electric, an electric utility in Portland, Oregon. "If we leave it all to manual paperwork or Excel spreadsheets, the effort will soon become too cumbersome."
However, Wescott added that he thinks Portland General's existing ERP system — which includes software from SSA Global Technologies and PeopleSoft — plus other tools it runs are capable of handling the company's ongoing controls documentation and testing requirements.
In some cases, though, "if you try to force-fit Sarbanes-Oxley requirements into existing technologies you have in-house, it doesn't always work," said Karl Kispert, a director at Jefferson Wells International, a Wisconsin-based risk management consultancy. Kispert added that he expects most companies to increase their Sarbanes-Oxley technology budgets next year.
Some companies have been more forward-looking. For instance, Bresler & Reiner purchased web-based software called the SOAx Toolkit from Orlando-based Axena in June 2003. Prior to buying the software, executives at the Maryland-based real estate investment trust decided that they wanted to develop a 10-year plan for Sarbanes-Oxley compliance, said Eric Clarke, Bresler & Reiner's internal audit director.
Clarke said Bresler & Reiner is using Axena's technology not only to document and test its internal controls, but also to assess the ongoing risks it faces. "We've gone through $US200 million in acquisitions over the last six months, so we have to constantly assess what are significant risks under Section 404," Clarke said.