Joining the Sarbanes-Oxley Bandwagon; Meeting the Needs of Small and Medium Businesses

Introduction

The need for solutions that can meet compliance regulations has grown. In 2004, finance executives around the world became increasingly sensitive to the need to improve reporting in relation to their corporate governance and regulatory compliance obligations. CODA Group, a United Kingdom-based finance management system specialist responded by launching CODA-Control, a task modeling tool (engine), which helps user companies control and audit business processes, and automate data collection for financial reporting. CODA-Control is one of CODA's recently unveiled collaborative solutions, and aids regulatory compliance, period-end financial closing, and automates financial procedures, thus possibly reducing escalating audit costs and lowering the risks of non-compliance. The product takes the organization's best practice model of a documented financial process and automatically generates a dedicated shared, secure, in-house team web site through which the execution of the entire process is controlled. CODA-Control helps transform the organization's processes into highly repeatable, auditable, and controllable events.

Part Two of the Composing Collaborative Financial Applications, CODA series.

As exemplified by CODA-Control, CODA views Microsoft technology as its primary development platform for its process control applications. This should help organizations manage and improve complex business processes, such as those geared towards enabling compliance with the Sarbanes-Oxley Act (SOX) of 2002 and towards facilitating month-end closing. CODA's decision to design a control application using the Microsoft SharePoint Products and Technologies platform has even been cited as a key factor in some customers' decisions to purchase CODA-Control.

To put this into context, SOX was passed by the US Congress in response to a number of high profile financial scandals, such as those at Enron, Tyco, and WorldCom, with the idea of making corporate accounting procedures more transparent to investors and regulators. Even before these fraudulent scandals, missed earnings announcements were often accompanied by chief executive officers (CFO) stating that financial expectations were not met due to a "lack of visibility" into corporate activities. These CFOs would frequently blame unforeseeable events, such as a key customer canceling a major order unexpectedly, or suppliers ramping up prices due to a shortage of raw materials. Regardless of the reason, CFOs are increasingly being called upon to give more accurate estimates of their earnings potential, and explanations as to why their company failed to meet these estimates.

Although the SOX law included a number of new mandates, two sections in particular have had clear implications for corporate information systems. Section 404 (Management Assessment of Internal Controls) requires management to assess, on a yearly basis, the effectiveness of its own internal controls and procedures for financial reporting. Section 409 (Real Time Disclosure) requires companies to disclose material changes in their financial condition or operations on a rapid and current basis. These two sections have prompted many predictions regarding how much must be spent on information technology (IT) in order to meet compliance needs (albeit, this may be at the cost of stalled projects in other areas that are now considered lower priority). Section 404 requires audits of internal controls, and has caused executives to reexamine, and possibly replace, operational systems that are not well integrated with financial systems. For example, an accounts payable (AP) system that does not systematically match purchase orders and receipts to vendor invoices, before the payment is made, might be vulnerable to fraud. Such a system may also be vulnerable to abuse by someone who creates fictitious employees and suppliers and then pockets the money. In addition, an invoicing system that is not integrated with shipping might allow a manager to improperly recognize revenue that was not yet earned.

Section 409 seems to call for a more transparent and integrated financial reporting system than many companies have. For example, companies that work on a ten day financial closing period seem to be at risk for non-compliance with real time disclosure, which currently demands the disclosure of material events within forty-eight hours. The problem is particularly acute for firms with multiple operating units and decentralized systems, because, in recent years, many enterprises have grown both organically and through acquisitions. As a result, accurately reporting on these business units requires a significant number of "manual" accounting processes and adjustments. Such companies will either need to adopt a common financial reporting system, perhaps by integrating multiple systems with a financial reporting layer at the corporate level, or by implementing a corporate performance management (CPM) solution to provide near real time analytics.

In any case, the requirements of SOX increase the amount of required manual processing, which, in turn, significantly increases the cost of compliance. The ongoing cost of testing manual financial controls to ensure SOX compliance, and the ongoing compliance risks associated with those controls are forcing companies to move towards financial systems that not only record transactions, but also manage the entire SOX 404 compliance process. Early adopters of SOX-compliance have reportedly learned some hard lessons by using SOX programs that highlight manual, paper-based processes. Such processes are very costly to audit as compared to automated processes, and it is quite time-consuming to reconcile and correct errors. Such systems are also at higher risk for human errors and omissions.

In light of this, small or medium business faces a daunting task. It is no longer enough for a company to develop a strong business plan, have a breakthrough product or service, and build strong and effective distribution channels. The complexities of today's business world have created new risks, with a myriad of regulations and complex reporting requirements that can overwhelm a lean and focused organization, regardless of its size. The logical question is how a smaller organization, with limited resources, is supposed to cope with all of this, and, even more importantly, how it will stay abreast of the additional changes that are on the way. For instance, under existing (and soon to be outdated) accounting rules, a company might value its inventories at historic cost. For example, an electronics goods vendor might value unsold, months-old DVDs at the amount they could have been sold upon their initial release. However, under the forthcoming proposed International Accounting Standard (IAS-2), a company has to give an up-to-date net realizable value (NRV). In other words, it must give an accurate estimate of the products' market value at the time the report is published, with the idea that all corporate assets must be valued at their fair value, rather than at their problematic historic cost. Companies will also need to account for the cost of all employee compensation plans. In particular, this means that the cost of stock option plans or any shortfall in company pension funds must be recorded in the accounts.

Given the magnitude of tracking these types of nuanced accounts, the only sensible answer is to use technology, since many tools have been developed that can greatly simplify the process. Indeed, new versions of compliance software represent big improvements over earlier incarnations. Certainly, in addition to CODA-Control, recent releases from Axentis, ACL Services, Certus, Oversight Technology, Hummingbird, OpenPages, Virsa Systems, Precision Consulting, and Approva reflect a more realistic understanding of the compliance burdens. Some of these solutions compare a company's current controls to compliance "best practices", offering solutions on how to shore up weaknesses and better segregate duties. For example, the software can govern who has clearance to write checks to vendors, to pay employees, or to add revenue in a given quarter. Such software can also enforce the rules by, for example, alerting compliance watchdogs if an unauthorized person attempts to make changes, and can thus act as a mechanism to prevent fraud. Other solutions can help managers document policies and procedures, create electronic archives of those policies, or flag internal transactions that look suspicious.

Investment in CODA-Control-like financial systems might provide a cost-efficient solution that would allow business managers to focus more time on operations and less on compliance. Further, these systems might allow user enterprises to streamline the integration of new divisions into their financial systems and processes, ensuring that the business processes of the acquired units are SOX 404 compliant. Nonetheless, before they can benefit from this technology, small business managers must select the right tools. For more on the critical attributes of SOX tool sets, as well as a discussion on how to use them effectively to maximize payback on the investment of time and money, see Attributes of Sarbanes-Oxley Tool Sets.

Many SOX-compliant businesses will likely still spend many thousands of labor hours and millions of dollars in documenting their accounting processes. In addition, many companies will continue to incur significant annual audit fees for the ongoing testing of manual processes. CODA-Control might come in handy as a practical and affordable solution to this problem for medium to large companies, since CODA can transform manual processes into visible, repeatable, controllable, and auditable events. In other words, it might make auditing simpler, quicker, and cheaper, and thereby change CFOs and controllers back from being slaves to SOX to being masters of finance. In particular, the automation and centralization of manual processes should reduce both the risk and the associated costs of audits because the required checks and balances should be enforced by the system. In addition, processes in remote locations can be tested centrally, re-keying errors are eliminated (and reconciliation effort is thus reduced), and authorizations can be captured electronically and viewed on-line, because one can implement preventive controls to preempt errors before they occur. While there is no panacea for ensuring adherence to documented best practices, automated process management, such as the CODA-Control solution, still seems to be an essential part of first two years or so of any SOX compliance program.

The CODA-Control solution is available to all organizations, particularly those subject to SOX-compliance, and is independent of a company's financial accounting system. A Microsoft SharePoint web site powered by CODA can deliver tasks, forms, attachment, documents, etc. to business units' diverse transactional systems, and even include all necessary language translations. CODA expects demand for the solution to be extremely high in 2005 and 2006, and has specialist implementation resources available to support organizations worldwide. Still, while such software can help, it is not going to completely automate compliance, which will continue to be a huge manual effort, as there is no substitute for a manager's understanding of the business when it comes to assessing, designing, and implementing proper internal controls.

Recent Summer Acquisition Spree

Compliance is a major issue in the US, particularly as more organizations struggle with the provisions of SOX, but it is also rapidly becoming a key issue in many other countries as legislation is introduced around the world to improve corporate governance. Thus, in August 2005, to further bolster its financial control capabilities, CODA announced an acquisition agreement and partnership with Control Solutions International, a global provider of assurance, risk management, and compliance advisory services. Founded in 1991, Control Solutions was one of the first firms dedicated solely to providing support to internal audit functions and to helping companies realize the benefits of effective internal controls. Control Solutions' services include internal audit outsourcing and co-sourcing, SOX first-year compliance and annual recertification, technology audits and advisory services, quality assurance reviews, enterprise risk assessments, and internal audit start-up services. The firm has reportedly developed close and long-term relationships with a diverse client base of leading companies through flexibility, open communication, and a "value-added" project approach. It has over 800 experienced internal audit professionals and 21 directors in offices around the world.

Under the terms of the agreement, CODA acquired the Sarbanes-Oxley Controls Evaluation Tool (SOCET) product from Control Solutions. SOCET is a Web-based internal controls documentation, evaluation, monitoring, and project management application designed to facilitate SOX compliance, and is currently deployed at a number sites of Control Solutions' major customers. CODA pledges to take on the future development and marketing of the product, whereby existing customers will receive support through the US-based support desk of CODA Financials Inc., part of the company's global support operation. Also as part of the agreement, Control Solutions and CODA will jointly develop additional, comprehensive compliance software products to help customers comply with SOX and other regulations, such as the European Union's Basel II.

Control Solutions has leveraged its breadth and depth of internal audit experience to assist over 250 US-listed companies with SOX readiness and ongoing compliance. After achieving a quick compliance fix , the next challenge for companies is "making SOX stick" , turning the near-impossible project into a practical and sustainable process, where documented processes are transformed into systems that drive the finance function. Accordingly, SOCET adds effective management dashboard reporting to the features of CODA-Control. The combination should bring additional value to existing customers. With the addition of SOCET and the opportunity to capitalize on Control Solutions' SOX expertise, CODA hopes to soon be a one-stop software shop for the whole process compliance cycle.

Future versions of SOCET, now re-branded as CODA-Control Assessor will support compliance with international regulations, since, while Control Solutions will provide the internal controls experience, CODA will provide the software to deliver it. Additionally, CODA-Control currently provides a Web-based platform for defining, rolling out, monitoring, and executing a complete range of financial, human resource (HR), and IT processes, in order to provide the visibility, repeatability, and an audit trail that is required to drive ongoing adherence to a user company's defined compliance procedures. SOCET similarly provides a Web-based environment to facilitate the testing and evaluation of financial, HR, and IT processes by an organization's internal audit team. The tool also provides management information on the status project testing and presents the information in an executive dashboard. As such, CODA's existing compliance application and SOCET are functionally highly complementary. On the technology front, both leverage Microsoft .NET, Internet Information Server (IIS) Web Server, and Structured Query Language (SQL) Server databases.

Control Solutions' deep expertise and experience in running over 250 SOX compliance projects in the US have shaped the design of SOCET. By transferring ownership to CODA, existing users should benefit from both CODA's support infrastructure and ongoing development, while CODA can continue to draw on Control Solutions' domain experience for the product's ongoing design. The roadmap for SOCET shows that the solution will become integrated into the CODA compliance suite (whose footprint will thereby be extended), while retaining its current ability to run as a standalone application. CODA will shortly announce a solution to greatly accelerate the design of controls and thereby provide a more complete solution for designing, implementing, sustaining, and testing the controls for SOX and other existing and emerging compliance initiatives, globally.

At this stage, even without SOCET's additions, CODA-Control delivers a centralized management and document repository. This is a repository web site that pulls together the tasks, people, supporting documentation, and necessary choreography to ensure that the process is completed in a compliant and efficient manner. It will also offer reasonably quick deployment and adoption and will be an easy-to-use implementation of a best practice model for a given financial process. CODA-Control also has a minimal user learning curve that leverages existing Microsoft Office skills and existing back-office applications. The product will also foster consistency throughout the framework to implement preventive controls that ensure repeatability of process completion, and this will be done in a way that promotes continuous process improvement. It will also offer "Command Center" visibility of current process status, percentage of completion, current hold-ups, task assignments, etc., and an entire audit trail of tasks, documents, commentary, etc. These features will be accessible to users and their auditors via an intranet uniform resource locator (URL). However, the product is also an extensible platform that supports automated task completion using Web service interrogation and automated updates of back-office systems. It also associates electronic forms to their related tasks using Microsoft InfoPath, and controls both recurring financials processes (such as period-end closing, internal audit programs, budgeting, planning cycles, etc.) and ad hoc processes (including new hires, new vendors, capital projects etc.). Last but not least, the product also controls business processes such as the opening of new locations, corporate responsibility programs, HR processes, and so on.

In July 2005, CODA announced that it had also acquired Simple Concepts AB, a financial consolidation software specialist for 3.25 million, plus incentive based payments. Simple Concepts' consolidation and treasury system, OCRA, will be made available worldwide as part of the CODA Financial Intelligence suite for all leading enterprise resource planning (ERP) and finance systems. Simple Concepts' offices have become the headquarters of CODA's new Nordic operation and Simple Concepts' office in Tallinn, Estonia is CODA's first directly owned operation in Eastern Europe and the Baltic states, and will continue to be the research and development center for OCRA. As part of the acquisition, CODA has retained the services of both of Simple Concepts' founders; Alar Lange is the managing director of CODA Nordic, while Lars Svensson retains responsibility for the development of OCRA.

The acquisition had apparently been in the works for a while, and when the announcement was made, CODA had already built CODA-Financials to integrate with the acquired product. The product, now branded OCRA: a CODA solution, will immediately be made available in a standalone form, and as an integral part of the CODA Financial Intelligence suite. OCRA will be available with CODA Dream, a product offering for the lower-end of the market. CODA Dream resulted from CODA's early 2003 acquisition of the former SquareSum, and will be made available to customers and prospects in the fourth quarter of 2005 or possibly earlier. OCRA is reportedly the number one consolidation product in Sweden. Over ninety client organizations in Scandinavia use the product as their core consolidation and reporting tool, and CODA has a number of CODA Financials customers who have multinational requirements, which should make OCRA appealing. OCRA has gained a reputation in Europe as being a functionally and technically superior solution, because it is Web-based and uses a powerful workflow (as will be detailed below). It also is only a fraction of the cost to implement when compared to current traditional market leaders which will likely be another incentive for users to adopt the tool.

Consolidation applications handle the process of analyzing, reporting, and reconciling the accounts from across a group of companies into a single "consolidated" group report. Financial analytics software works by consolidating data from disparate systems into one source, giving financial analysts—and, more crucially, decision makers in other departments—a consistent view of performance across the organization. Using simple queries, such as "What were our sales figures in a particular region this quarter?", through a browser or a client-server user interface (UI), managers can get a "single view of the truth" and significantly reduce the amount of time it takes to get the desired financial answers.

Unlike most of its rivals, OCRA delivers this capability via the Internet, and it combines operational financial control with statutory group accounting, and delivers multi-dimensional reporting with a whole range of options, via built-in reporting and analysis through its hybrid multi-dimensional and hierarchical database structure. Also, OCRA is designed around a workflow method with embedded rules, procedures, and techniques used and verified by auditors with years of experience. The product is currently available in English and Swedish, and is being translated into CODA's core languages. Other languages will be delivered according to customer demand.

A logical, intuitive UI provides a process view of the consolidation steps, making OCRA reasonably easy to use. Its Web-based architecture makes deployment relatively flexible, and also allows it to be used remotely, with up to hundreds of user. Thus, OCRA has the functional capability and implementation flexibility required to support management consolidation reporting requirements, regardless of geography. Culturally similar to CODA, its new parent, Simple Concepts built OCRA by focusing on software quality and with the need for minimal support in mind. By taking this approach, customers have reportedly needed only minimal support from the vendors. The product has also been optimized to allow an efficient software upgrade process. Simple Concepts has also enjoyed excellent input from clients and industry experts who sit on an advisory board, and CODA plans to continue this part of OCRA's development process with only minor modifications.

By adding consolidation and treasury capabilities that manage the inter-company processing of transactions and support in-house banking, CODA strives to become a one-stop shop for financial departments. It also provides functionality for financial accounting and procurement through to planning, budgeting, reporting, and analytics, and process control and compliance management. However, the vendor will continue to sell OCRA as a standalone module that can run across non-CODA financial and accounting management products. CODA's domain expertise in global financial accounting requirements, coupled with its implementation experience in over one hundred countries, better positions CODA to deliver consolidation and financial reporting tools than vendors who are not accounting specialists, touting generic reporting tools.