Though Enron, WorldCom and other disgraced companies that helped bring about the Sarbanes-Oxley Act (SOX) are long gone, their legacy is hardly forgotten.
When it was enacted in 2002, many feared complying with SOX would prove too great an expense, putting U.S. public companies at a disadvantage and maybe even driving many smaller companies out of business. Those fears were not justified, however.
Instead, according to John Hagerty, vice president and research fellow at Boston-based AMR Research, what SOX did do was elevate risk and compliance to the top of most corporate agendas.
"One of the things that Sarbanes did is it really raised the awareness of compliance activities in general," Hagerty said. "Sarbanes was the genesis of this whole governance, risk and compliance (GRC) concept. People now take it very seriously."
The numbers seem to back Hagerty's assertion. According to AMR, GRC spending grew 8.5% from 2006 to 2007, reaching nearly $30 billion. AMR predicted in March that spending on GRC will exceed $32 billion in 2008, up another 7.4% from 2007.
That's not to say, however, that the transition to a world where risk and compliance command as much attention as other business processes was a smooth one.
Early SOX compliance efforts hit and miss
When SOX's internal-control requirements first took effect in 2004, CFOs and other executives, now personally responsible for the validity of corporate financial statements, started buying software and services to get them "through the breach," as Hagerty puts it.
There were, however, very few mature SOX compliance products on the market at the time, according to Chris McLean, an analyst with Forrester Research in Cambridge, Mass.
As a result, organizations wound up with a mish-mash of uncoordinated compliance activities that proved costly. CFOs soon realized that to comply with SOX in a strategic way, they needed to get IT involved.
"There's nothing that says [compliance with SOX] has to be technology-based," Hagerty said. "But to make it repeatable, sustainable and, more importantly, cost effective, you have to find technology to do the repetitive tasks."
By 2006, vendors like Virsa and LogicalApps -- since acquired by SAP and Oracle, respectively -- responded, offering technologies to help companies manage the difficult job of meeting SOX's various control requirements, such as segregation of duties, along with the content management needed to document them, in a comprehensive way.
As more regulations were introduced, including Basel II and various privacy rules, SOX-specific technologies evolved to cover other, sometimes overlapping areas of compliance. Today, most such technologies help companies manage all of their compliance responsibilities.
"The idea is to come up with a very consistent, repeatable approach to new regulations, so it's not a brand-new project each time a new regulation comes along," McLean said. Vendors now offer products that tackle the full spectrum of compliance and risk management needs, not just SOX, he said, and that's how companies should approach GRC.
Technology no silver GRC bullet
Companies cannot meet all their compliance requirements with technology alone, however. In addition to investing in software to automate compliance-related tasks, companies must also be sure IT and the business are in sync.
"IT really understands the threats and what might happen to data as far as loss of integrity or loss of availability, those types of things. But they don't really understand the business impact," McLean said. "Having that dialogue with the business side, identifying where the key risks are, understanding what the impact would be, that's a key area to concentrate on."
AMR's Hagerty also stressed that identifying the biggest areas of risk is necessary to comply with SOX and other regulations in a cost-effective way. "Auditors, as well as the regulators, are telling people to take a risk-based approach, which means understanding where your biggest areas of exposure are -- especially financial exposure -- and work on those first," he said.
For example, revenue recognition is a likely high-risk area for most companies, so controlling revenue recognition processes is a good place to focus compliance efforts, Hagerty said. Payroll transactions, on the other hand, generally pose little to no risk, he said. "So don't kill yourself on that because the exposure is minimal."
Hagerty also urged companies not to fear but embrace auditors, who are in the best position to help identify key areas of risk.
"IT people live in fear of the auditors, but the auditor is not always the enemy," Hagerty said. "In a lot of cases, people are afraid to ask the auditor for fear of exposing something, but the idea is you're both in this together and getting their advice based on their years of experience is invaluable."
Most importantly, both Hagerty and McLean stressed that tackling regulations one at a time, SOX included, from both a technological and a business perspective, is a sure way to complicate compliance processes.
"People now have to look beyond SOX to achieve better risk and compliance across the business," Hagerty said. "The vendors have technology that can help you manage it, but the risk-based approach is something you have to do logically. You can't have technology do that for you."