While companies that haven’t yet had to comply with Section 404 of Sarbanes-Oxley await more guidance and expected tweaks to the standards in place for auditors, those that have already bitten the Section 404 bullet have turned their attention to the next phase in compliance, experts say.
With three years of 404 compliance under their belts, companies are focusing increasingly on automation, a panel of experts told journalists gathered at a roundtable event sponsored by automation-software provider Approva in New York recently.
“Companies aren’t happy with where they’re at now,” Ken Gabriel, a manager for business systems controls at KPMG, told the group. “They’re in their third year and [404 compliance] is still a burden. It’s not just the cost, it’s the employees’ time that’s frustrating them. They’re looking to build something to make the process more sustainable.”
Approva’s own research shows that many companies have yet to automate testing of their IT controls. However, companies plan to make those investments during the coming year, according to the company’s latest research.
Manual Controls Still Prevalent
In a poll this month of 200 high-level finance and IT executives at public companies conducted by Fleishman-Hillard Research Group on behalf of Approva, 72 percent of those surveyed said they don’t currently use a software solution to automate the testing and monitoring of their IT controls. More than a third (37 percent) say at least 40 percent of their IT controls still are manual, and 68 percent say at least 20 percent of their controls are manual, Approva reported.
However, experts say that’s going to change as many companies embark upon their third or fourth year of 404 compliance.
Among those polled by Approva, 25 percent of the companies that said they don’t have an automated solution in place said they plan to evaluate or implement such software in the next 12 months.
John Hagerty, vice president and research fellow at Boston-based AMR Research, says he’s seen a resurgence in the interest in automation during the last two quarters. “Companies are looking to automate as much as possible around control testing,” he said. “This is raising the specter of risk management like I’ve never seen before.”
Gabriel noted that companies were focused on getting compliant and on remediation during the first two years of their 404 work. In addition, he says, “At the time, there weren’t a lot of [automation] tools available.”
What To Expect In Coming Years
Hagerty at AMR also cited his firm’s research, which shows that companies spent 33 percent of their SOX budget on technology support in 2006, with that percentage expected to rise in the coming year.
“In the first year, it was ‘get it done,’ and in Year Two, everyone kind of took a breath,” he says. “For the majority of companies, their third year is when automation really happens.”
Gonzalo Cuatrecasas, who manages the corporate audit IT department at Colgate-Palmolive, says SOX has “made IT auditing easier, because we have a baseline to work from.”
Colgate has automated all of its access controls, Cuatrecasas says. “But we still have a ways to go. Now we have to move on to our process controls.”
Hagerty says today’s focus on controls is just getting “back to basics.”
“When business systems were being implemented in the ’70s and ’80s, it was all about controls. In the ’90s, it was all about ERP systems and flexibility,” Hagerty said. “What companies are doing today is the same thing they were doing in the ’70s as far as how they’re running their businesses.”
As for whether smaller companies now undertaking 404 compliance efforts have learned anything from those who went before them, Hagerty says the answer is, unfortunately, not really.
“Smaller companies going through this now are going through the same process—shock, anger, denial, acceptance and moving on,” he says. “But, they’re going through it faster.”