With the European deadline for Sarbanes-Oxley being extended to July 2006, European organisations have the opportunity to take a more strategic approach to compliance, rather than making rash tactical decisions.
Worryingly though, it seems that organisations are instead taking their foot off the pedal and collectively mopping their brows as they relish the prospect of extra time. But for many organisations, poor planning and a general reluctance to start the process would have made it impossible to be compliant by the initial deadline anyway. With this in mind, my concern is that this will simply happen again as we get closer to July 2006.
Ultimately, the overall priorities are to increase market capitalisation by demonstrating compliance, followed by saving time, money and resources by learning from US businesses. As the US completes its first wave of Sarbanes-Oxley audits, businesses are investing time in examining their initial strategies for compliance. Most are finding that, in the rush to complete the Herculean task of documentation and testing to meet Section 404 requirements, they overlooked the development of a comprehensive strategy for ensuring ongoing, cost-effective and efficient governance, risk and compliance management. As a result, they must now contemplate revisiting the agonies of high audit costs, expensive consulting engagements and nerve-twisting remedial work. European businesses are diving head first into the same error, and unless things change, these mistakes will be compounded year-on-year as legislation evolves, or new compliance requirements emerge, or both.
On the other hand, you have the choice of learning from the US experience and of avoiding facing retrospective processes in 18-24 months' time.
The extended deadline provides a critical opportunity to reflect on what has been achieved to date, but most importantly, what more could be done with the extra 12 months.
The fundamental problem lies in businesses purely focusing on Sarbanes-Oxley (SOX) compliance, when, although it may require more thought, SOX provides businesses with an opportunity to avoid the tick-box approach in favour of reinvigorating their future governance, risk and compliance management (GRCM) needs. By doing so, SOX compliance becomes a catalyst for creating more efficiency in internal business processes and reporting, cutting costs, increasing visibility and identifying potential corporate risks. The crux of this approach is that companies can transform Sarbanes-Oxley compliance from a painful process into an opportunity to make significant improvements to their business.
In order to understand why this cohesive approach is valid for businesses, let us take a closer look at the alternative tick-box mentality and the lessons learnt in the US. As the deadline loomed in the US, we witnessed organisations tackling first-time compliance using those manual tools available to them at the time - spreadsheets, databases, tools for auditors and even three-ring binders crammed full of documentation. This approach has now largely changed, as analysts and auditors have agreed that compliance must go beyond Section 404's deadline and focus on long-term needs. For example, a study by the Meta Group highlighted that many organisations believe they will be stronger and more attractive to investors if they take the opportunity to institute transparency into their financial reporting frameworks. The report indicates that companies are seeking to comply not only with the letter of the law, but with the spirit of regulatory guidelines.
European businesses should learn from this experience and seize the opportunity that the extended deadline allows to show that their financial affairs are above reproach.
In my opinion, forward-thinking organisations should be looking to utilise GRCM-specific technologies to drive inefficiencies out of the compliance process. A powerful, enterprise-class application will combine integrated document management, interactive monitoring and compliance automation that scales to thousands of end-users.
At the highest levels, today's technology provides facilities to document internal controls, automate the ongoing test, review and approval of the internal controls framework and monitor the state of internal controls effectiveness. There is simply no comparison to ring-binders, diary reminders and spreadsheets!
While considering the solutions available, it is important to take a close look at the internal purchasing processes that are generally in place when it comes to Sarbanes-Oxley and having the prowess to introduce a wider GRCM strategy. Unlike most technology purchases, the CFO and CEO are ultimately responsible for the guidelines in place and selecting what they believe is the most effective compliance solution. The CIO is only brought in to evaluate the technological merits of each product.
The biggest challenge for the CIO and the wider IT team is that this approach can result in demands from various corners of the organisation that do not complement the existing IT infrastructure and require piecemeal implementations.
However, additional pressures and responsibilities can also be viewed as opportunities, and, in my view, IT professionals need to grasp them.
By identifying what corporate governance rules apply to their organisations, which systems need to be modified or even abandoned and what level of investment is required, they can take back control. By pioneering a coherent strategy for governance, risk and compliance management that maximises efficiencies and costs, the IT professional will enjoy the recognition that he or she deserves.
The next 12 months are vital for European organisations needing to comply with Sarbanes-Oxley. With such high stakes, a strategic compliance approach is warranted, to ensure operational efficiency, cost reduction, minimisation of regulatory risk and protection of corporate reputation.
- Martin James is European director, OpenPages, Tel: 0870 3511782, www.openpages.co.uk