Sarbanes-Oxley: Enterprises Turning to Automation

Automated security and access controls get top attention as enterprises move into their second year of Sarbanes-Oxley compliance.

What’s in store for compliance and information security efforts for the second year of Sarbanes-Oxley requirements?

Fifty-eight percent of financial executives recently surveyed say improving the monitoring, structure, and vetting of their compliance controls is now a top priority. Half also plan to thoroughly vet existing business processes, and 43 percent want to further automate manual controls, especially for compliance-related reconciliation and security procedures.

Those results come from a survey of 180 senior finance executives conducted by CFO Research Services in collaboration with Virsa Systems and PricewaterhouseCoopers LLP, both of which funded the study.

As noted, automation is top-of-mind for many executives. Over the next year, three-quarters of them plan to give “top” or “moderate” priority (versus “low” priority or an “I don’t know” response) to further automating compliance controls—especially for security and access. Half of respondents in organizations with ERP systems also plan to take advantage of automated-control capabilities built into their ERP systems. One in five, however, will instead streamline ERP controls by improving manual processes.

One driver for automation is simply to reduce compliance costs. “Many companies spent the first year of Sarbanes-Oxley compliance using existing systems and processes to comply and meet the deadlines. As a result, manual control processes were implemented. This introduced a level of complexity and cost that companies found extremely difficult to manage over the long haul,” notes Jacqueline Olynyk, a partner in PwC Advisory. “It quickly became apparent that simplification of the underlying business processes and automation was the way to go.”

Where do organizations stand today? According to the survey, almost half of organizations have already automated security and access controls, about 40 percent have documented their control activities, one in three monitor their compliance controls, and one quarter retain and report on compliance-related information.

While many in the finance community view Sarbanes-Oxley with skepticism (at best), some organizations are deriving unexpected benefits from the law. Overall, two out of three respondents say Sarbanes-Oxley and other compliance initiatives have helped uncover control problems, and 65 percent of respondents say Sarbanes-Oxley has helped them better understand their own business.

Indeed, in some cases, according to the survey report, companies’ “compliance efforts are revealing weaknesses in controls and business processes, and accelerating their efforts to remediate these problems through control optimization, process improvement, and automation.” For example, thanks to reworking existing, sub-par controls, some organizations already report improving their “use of valuable data and resources.” In addition, 20 percent of respondents say complying with Sarbanes-Oxley has helped them reduce fraud.

Given such benefits, some companies claim that even if Sarbanes-Oxley disappeared, they would continue to pursue its requirements. “If the law was repealed today, Movado Group would stay on its current course because we think there’s tremendous benefit,” notes Joe Nici, the vice president of business controls at the watchmaker, in an in-depth interview conducted as part of the survey. “Our auditors and our board of directors are in complete agreement as to what are our primary controls, what are our primary processes, and who are our global process owners. Among other advantages, this gives us greater awareness of the benefits that internal control plays in helping our company meet its financial reporting objectives.”

In fact, it’s perhaps no surprise—given the financial executives surveyed—that respondents see Sarbanes-Oxley compliance and their companies’ fiscal health as tightly interwoven. Overall, half think “the market penalizes loose governance and poor controls with a lower share price,” notes the survey report. Furthermore, “almost a third agreed that good governance and tight regulatory controls are rewarded with a stock-price premium.”

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.