Insurers Assess IT Changes Needed To Comply With Sarbanes-Oxley

Although the Sarbanes-Oxley Act of 2002 is focused primarily on financial reporting and accounting processes, the law is forcing publicly traded companies to assess their IT systems too. Thanks to the transgressions at Enron, WorldCom and other now notorious corporations, all publicly traded companies in the United States, including insurers, are in the throes of trying to determine how to comply with the law that was passed to deter such corporate malfeasance in the future.

The Sarbanes-Oxley Act (SOA), signed by Pres. Bush on July 30, 2002, mandates a number of reforms to improve corporate responsibility. The following are among the provisions:

* The CEO and CFO must sign statements verifying the completeness and accuracy of financial reports (Section 302).

* CEOs, CFOs and auditors must attest to the effectiveness of internal controls for financial reporting (Section 404).

* Companies must report material changes in their financial conditions "on a rapid and current basis" (Section 409).

"When you think of all these issues facing CFOs, they're naturally going to turn to their IT and finance groups and say, 'Tell me where we stand on all this,'" says Phillip Sandstrom, chief systems architect at SRC Software Inc., a Portland, Ore.-based provider of performance management software.

Evaluation stage

Although most companies are only in the evaluation and planning stages, 85% of those recently surveyed by AMR Research Inc. anticipate IT investment of some sort to get their systems up to par with Sarbanes-Oxley. Fortune 1000 companies will spend $2.5 billion this year on planning and executing SOA-related efforts, the Boston-based research firm predicts.

"Basically, the majority of the Act has very little to do with technology," says Alex Veytsel, research analyst at Aberdeen, a Boston-based technology research firm. However, sections 404 and 409, specifically, will affect decisions companies make about technology investments.

For example, nearly 65% of companies surveyed by AMR indicate they're strongly considering enterprise resource planning (ERP) consolidation as a remedy for SOA compliance. Another 39% will evaluate existing applications and platforms to take advantage of built-in functionality, and 40% are evaluating performance management tools (software that enables companies to perform financial modeling, budgeting, forecasting, consolidation and reporting across the organization).

Sarbanes-Oxley's disclosure rules are forcing companies to analyze their financial processes, not just their bottom-line results, says Aberdeen's Veytsel. That means high-level executives need relevant operational information as well as general-ledger data.

Operational systems and financial analytics are now interdependent, he says.

"The CIO must be looking at data visibility, and how to get that visibility up to senior management and others in the organization," SRC's Sandstrom notes.

For instance, if a company is filing its quarterly statement, the company also has to be able to report if one of its subsidiaries is faced with a huge lawsuit that was filed only a few weeks ago, Sandstrom says. "You have to know these kinds of events and report on them on a near-instant basis," he says.

Companies may also consider automating internal processes, says Mike Rost, director of product marketing for Lawson Software, a St. Paul, Minn.-based business process software provider.

"Less human interaction can bring more consistent results," he says. For example, "Bob the claims manager may have a defined process that he enforces, but if technology can automate that process, it will be looked upon more highly from an auditing standpoint," he says.

Although all publicly traded companies are struggling to understand what they must do to comply with Sarbanes-Oxley, insurance companies may be further along than most, notes Joe Pomilia, executive director of IASA, Durham, N.C. "We're in such a regulated industry," he says. "We've got layer upon layer of regulatory structuring."

Legacy burden

On the other hand, insurance companies are often saddled with multiple legacy systems, which makes it more difficult to document internal processes as well as to integrate financial and operational systems, sources say.

"If technology is in complete disarray, it's much harder for high-level executives to sign off that they have a process in place for making sure nobody 'cooks the books,'" Aberdeen's Veytsel says.

For the most part, however, Sarbanes-Oxley does not require the latest and greatest technology, he adds. In fact, in many cases, companies will be able to modify existing capabilities within their IT systems.

An insurer may be able to use the same content management system it uses for its Web site to manage its disclosure process, for example, Veytsel says. "You can't manually go through 20 levels of edits to make a public statement about your financial position and material events."

Similarly, insurers may be able to adapt exception reporting for SOA, says Stephen Brandano, business solutions engineer at Lawson. Due to the sheer volume of transactions that insurers process, exception reporting is common in the industry, he says. "The conditions for exception reporting can be modified for compliance with Sarbanes-Oxley."
