Experts Expect Surge In IT-Controls Automation

Melissa Klein Aguilar | October 17, 2006

While companies that haven’t yet had to comply with Section 404 of Sarbanes-Oxley await more guidance and expected tweaks to the standards in place for auditors, those that have already bitten the Section 404 bullet have turned their attention to the next phase in compliance, experts say.

With three years of 404 compliance under their belts, companies are focusing increasingly on automation, a panel of experts told journalists gathered at a roundtable event sponsored by automation-software provider Approva in New York recently.

“Companies aren’t happy with where they’re at now,” Ken Gabriel, a manager for business systems controls at KPMG, told the group. “They’re in their third year and [404 compliance] is still a burden. It’s not just the cost, it’s the employees’ time that’s frustrating them. They’re looking to build something to make the process more sustainable.”

Approva’s own research shows that many companies have yet to automate testing of their IT controls. However, companies plan to make those investments during the coming year, according to the company’s latest research.

Manual Controls Still Prevalent

In a poll this month of 200 high-level finance and IT executives at public companies conducted by Fleishman-Hillard Research Group on behalf of Approva, 72 percent of those surveyed said they don’t currently use a software solution to automate the testing and monitoring of their IT controls. More than a third (37 percent) say at least 40 percent of their IT controls still are manual, and 68 percent say at least 20 percent of their controls are manual, Approva reported.

However, experts say that’s going to change as many companies embark upon their third or fourth year of 404 compliance.

Among those polled by Approva, 25 percent of the companies that said they don’t have an automated solution in place said they plan to evaluate or implement such software in the next 12 months.


John Hagerty, vice president and research fellow at Boston-based AMR Research, says he’s seen a resurgence in the interest in automation during the last two quarters. “Companies are looking to automate as much as possible around control testing,” he said. “This is raising the specter of risk management like I’ve never seen before.”


The key findings below are from the 2006 Approva Corporation Compliance Survey:

  • 81 percent of companies who currently use software to automate their
    controls predict their controls management investment will provide
    value beyond SOX compliance
  • 72 percent of companies do not currently use a software solution to
    automate the testing and monitoring of IT controls
  • 37 percent of companies surveyed say that at least 40 percent of their
    IT controls are still manual while 68 percent say that at least 20
    percent of their IT controls are manual
  • 41 percent of companies reported that their ERP system does not do an
    adequate job of demonstrating compliance with audit and regulatory
  • 47 percent of companies believe SOX has been successful in helping to
    prevent corporate fraud
  • 32 percent of companies who test more than 20 different applications
    believe investor confidence in their company has increased since SOX
    was introduced in 2002


2006 Approva Corporation Compliance Survey (Approva Corp.)

Gabriel noted that companies were focused on getting compliant and on remediation during the first two years of their 404 work. In addition, he says, “At the time, there weren’t a lot of [automation] tools available.”

What To Expect In Coming Years

Hagerty at AMR also cited his firm’s research, which shows that companies spent 33 percent of their SOX budget on technology support in 2006, with that percentage expected to rise in the coming year.

“In the first year, it was ‘get it done,’ and in Year Two, everyone kind of took a breath,” he says. “For the majority of companies, their third year is when automation really happens.”

Gonzalo Cuatrecasas, who manages the corporate audit IT department at Colgate-Palmolive, says SOX has “made IT auditing easier, because we have a baseline to work from.”


Colgate has automated all of its access controls, Cuatrecasas says. “But we still have a ways to go. Now we have to move on to our process controls.”

Hagerty says today’s focus on controls is just getting “back to basics.”

“When business systems were being implemented in the ’70s and ’80s, it was all about controls. In the ’90s, it was all about ERP systems and flexibility,” Hagerty said. “What companies are doing today is the same thing they were doing in the ’70s as far as how they’re running their businesses.”

As for whether smaller companies now undertaking 404 compliance efforts have learned anything from those who went before them, Hagerty says the answer is, unfortunately, not really.

“Smaller companies going through this now are going through the same process—shock, anger, denial, acceptance and moving on,” he says. “But, they’re going through it faster.”