SarbOx Sustainability

This installment of our series on SOX Sustainability concerns “Technology Issues.” In Part 1 we introduced Technology as one of the significant SOX sustainability challenges. Additional issues and sustainability planning will be addressed in other parts of the series.

Technology

SOX sustainability is a significant Technology Issue. By technology we refer to all manner of Automation Systems, Mechanized Equipment, Information Systems, Software Architectures, Telecommunications Networks, Security and Safety Systems that an organization may employ in its business. This includes purchased technologies and software systems and home-grown technologies and software systems. This also includes internal infrastructures and external/outsourced infrastructures. Either the technology infrastructure as a whole is conceived, implemented and optimized to support the business and compliance efficiencies, or it is not. This requires regular re-evaluations (at least annually) to assure that technology evolves to effectively support the business and to effectively support all mandated laws and compliance rules. An MIS or Network Masterplan that was developed three years ago to effectively support the 2002 business, but not updated since, is probably obsolete for the current business, much less the “SOXed” business going forward.

Sustainability requires evaluating the role(s) and capabilities of all significant technology systems inside the company (or that the company may outsource) to support effective Internal Control.  This is because effective Internal Control relies on automation for (at least) the following:

  1. Reliable, systematic processing and integration of financial transaction data

  2. Decision support including estimations, allocations, budgeting and forecasting

  3. Access control to limit access to important and sensitive information or systems

  4. Protection of important data and infrastructure

  5. Timely notification of security breaches, loss of data, and other operating anomalies

  6. Management and protection of corporate assets

  7. Risk assessment and mitigation across dozens or hundreds of business processes

  8. Communication of critical business information, issues and status

  9. Audit support

  10. Testing and performance data to underpin the annual Management Assessment and Auditor Attest (e.g. the §404 overlay)

Additionally, sustainability requires evaluating how each of the company’s significant technologies supports and exchanges information with the others. Well-integrated technology systems tend to provide effective support in each of the areas listed above. Poorly integrated systems tend to cause or introduce control weaknesses in one or more of the areas listed.

Appropriate technology can compensate for weak corporate cultures and enable strong ones to perform better. It can help to make weak corporate cultures better able to sustain the necessary compliance overhead. And appropriate technology can help a strong culture excel. Software and hardware systems must be evaluated and integrated to reduce interface and interworking problems and to facilitate control assessments and audits. For example, large public companies with highly integrated technology systems (including single-vendor ERP systems such as SAP, Oracle, etc.) certainly found their internal control assessments easier in 2004 than those companies with multiple, disconnected, best-of-breed platforms and un-integrated technologies from prior M&A activity. Going forward, technology decisions must consider compliance and control integration with existing entity systems as a significant purchasing factor. Replacement systems must be evaluated for how and where control deficiencies could arise during the replacement project, and for how and where to change corporate processes to marry to the new technology. RFPs for new technology and software must place as much emphasis on the ability of the new or replacement system to work seamlessly with existing (surviving) systems as they place on the added functionality of the new technology being purchased. M&A due diligence must place greater emphasis on technology (integration) evaluations to identify and mitigate control weaknesses that could compromise the acquiring company’s internal controls.

As an added matter, companies must further scrutinize the source(s) of their technology systems.  Home-grown and custom-developed applications are more susceptible to questions and tests (e.g. presumption of fraud) by auditors than off-the-shelf, established applications.  There is little to no concern that off-the-shelf software from a reputable software vendor contains malicious code, or that fraud may be readily propagated with the software.  Applications that are custom-developed or home-grown within an organization are subject to greater scrutiny and testing to assure that they are reliable.

Technologies and technology solutions (new or different software, new or different ways of using existing software, sound technology management, etc.) are common threads (i.e. pervasive) through all contemporary business processes. Because of this pervasiveness they will be subject to increasing audit scopes each year going forward. While automation has the capacity to reduce manual controls, and potentially result in fewer audit cycles and tests overall, increasing automation over time will serve to shift audit workloads towards a greater level of automation and technology audit and less manual audit. With this view, companies will do well to take a step back and evaluate their technology landscapes in view of where they need to go, and whether the technologies are readily audited and certified. This step should include a hard look at what technology(ies) will help the company to move forward and concurrently reduce audit overhead.

VisageSolutions is a group of experienced operational executives focused on providing efficient, repeatable compliance (including Sarbanes-Oxley) solutions. By working carefully with their clients, VisageSolutions provides customized solutions that focus on reducing the “operational cost” of sustained compliance through an optimum combination of existing and new technologies and tools, and business process integration. See www.visagesolutions.com for more information and related links.

 


Copyright © 2005 Visage Solutions, LLC.