Insurers Wrestle With Sarbanes-Oxley

As insurance companies develop a blueprint for compliance with the Sarbanes-Oxley Act, an alarming number of U.S. corporations admit they are still uncertain about how they plan to adhere to the mandate. Moreover, industry experts believe that insurers who disregard the role of technology in complying with the Act might be in for a rude awakening.

But before insurers consider technology's role, they must develop a fundamental compliance plan. So far, many insurers are struggling with the details of the endeavor.

In a recent survey conducted by White Plains, N.Y.-based IBM Business Consulting Services, just one in 10 chief financial officers and financial executives surveyed from a cross-section of U.S. companies view their internal controls as compliant with Sarbanes-Oxley.

However, the survey found that a vast majority of insurers expect to be compliant within the required timeframe. And this may require significant changes in the way they conduct their business.

"The current environment of regulatory compliance requirements is forcing all companies in all industries to rethink the way they manage data and business information transparency across the enterprise," says Jim Bramante, partner, financial management, IBM Business Consulting Services.

"Our research shows that progressive companies are taking the opportunity to build systems and provide standardized, consistent data in real time across the enterprise that not only addresses the immediate regulatory requirements but enables the company to operate as a real-time adaptive enterprise."

Broad legislation

Ratified in 2002, Sarbanes-Oxley is considered the broadest legislation to affect corporations and public accounting since the 1933 and 1934 U.S. Securities Acts. Consisting of 11 parts and 66 sections, the Act is so expansive that many believe it could produce a compliance nightmare for U.S. firms.

Compliance with the Act commenced in August 2002 when section 302, which requires CEOs and CFOs to personally certify quarterly and annual financial statements and to take responsibility for ensuring their accuracy, went into effect.

For insurers, the vast majority face an August 2004 deadline to comply with section 404 (Management Assessment of Internal Controls), which is designed to provide greater assurance to investors regarding the status of a company's internal control.

Another part of the law, section 409, requires real-time disclosure of information materially relevant to the financial status of a company.

Key findings of the survey include:

* Nearly one-third of all executives would have done things differently in approaching Sarbanes-Oxley compliance, including getting started sooner, running early pilots, having a strong project manager, keeping better documentation of internal processes, focusing less on deadlines and more on thinking through the process.

* Financial executives view enhanced compliance capability, opportunities for process improvement, and a focus on longer-term and real-time governance solutions as the main benefits of the Section 404 deadline extensions.

* Allocating sufficient resources, costs and documenting internal controls are compliance challenges.

Hidden opportunities

Executives also consider records management, IT infrastructure and accountability issues as challenges to Sarbanes-Oxley compliance.

But amid that challenge, a majority of CFOs view compliance requirements as an opportunity to streamline systems and improve real-time business process efficiency, even beyond the scope of any specific regulatory requirement, the IBM survey found.

That's promising news because IT is expected to play an important role in compliance, say experts.

"Conventional wisdom says that Sarbanes-Oxley does not matter to IT and IT organizations. Nothing could be further from the truth," says Debra Logan, research director, Stamford, Conn.-based Gartner Inc., which compiled a report examining the role of IT in Act compliance.

"Financial managers that drive Sarbanes-Oxley efforts might think IT should not be involved, as it is purely a finance and legal issue. There are a number of reasons why this is not true," she says. "IT implements, maintains and documents the systems that financial data comes from. Under Sarbanes-Oxley, these will be subject to scrutiny and testing. IT must be involved."

Another Gartner research analyst, Eric Hwang, also compiled a study on Sarbanes-Oxley compliance and discovered that a wide range of IT vendors face a major opportunity in helping support insurers in their quest to comply.

That's because, with the Act's 11 parts and 66 sections, compliance will necessitate piecemeal resolution, according to Hwang.

"While compliance schedules are tight, the incremental nature of Sarbanes-Oxley will allow firms to spend on related technology and services more judiciously than they did for Y2K," Hwang declares. "Most corporations already enforce sound financial controls and auditing processes supported by some form of systems automation. As a result, prudent compliance efforts will pursue enhancement of incumbent systems and relationships with established vendors rather than engage in sweeping system makeovers involving solutions from new upstarts."
