As insurers hatch strategies to comply with the Sarbanes-Oxley Act (SOX), a new report suggests that they should view the law "as a catalyst for much-needed and long-delayed business transformation objectives," triggering "long-overdue investments in technology they have been putting off for years."
The report, by Needham, Mass.-based TowerGroup, says that Sarbanes-Oxley should not be viewed as a burden but as an opportunity. In the report, "Technology Considerations for Sarbanes-Oxley: A Catalyst for Long Overdue IT Upgrades," Virginia Garcia, TowerGroup analyst, writes that the act "blows the cover off inherent weaknesses in hodgepodge IT architecture typically found in U.S. financial institutions today.
"IT managers should capitalize on their opportunity instead of draining these investments as compliance waste," she states.
Sarbanes-Oxley is a complex, multi-faceted law comprising 11 parts and 66 sections, which, for the most part, is intended to restore accountability and corporate governance at the executive level. It requires corporate executives to personally certify quarterly and annual financial statements and take responsibility for ensuring their accuracy.
Staggered compliance deadlines have been established depending on the various sections of the act. Insurers, for example, face a July deadline to have the pieces in place to comply with Section 404 (management assessment of internal controls), which is designed to provide greater assurance to investors regarding the status of a company's internal control.
Compliance with Section 404 requires certification of internal financial controls by senior management, and will necessitate document management, business intelligence and corporate performance management.
Meanwhile, Section 409 obligates real-time disclosure of information materially relevant to the financial status of a company, and will require enterprise application integration.
Many industry experts believe Sarbanes-Oxley compliance won't automatically mandate investments in technology.
Linked to IT
However, as TowerGroup's Garcia reveals, the financial reporting in which institutions typically engage is "inextricably linked to IT systems, and hence the more stringent SOX financial reporting rules cannot be viewed independently from IT."
But as insurers begin to assemble a plan to comply with the act, they run the risk of approaching compliance without a long-term vision in mind.
There is a "very real danger of SOX becoming over-hyped for all the wrong reasons," Garcia notes, in that financial services might be inclined to "focus on the solutions that may be useful or even needed in the immediate term to comply, rather than on the enormous opportunities to view SOX as a catalyst for much-needed and long-delayed business transformation objectives."
Instead of adding IT systems to an already complicated network of technologies, firms should take the opportunity to envision SOX as a motivator for investments in legacy enhancements and replacement, data integration, business process outsourcing, and systems standardization that have well-documented business benefits, the report advises. "The money may have been missing in the past to get projects done, but SOX gives the IT departments running legs to achieve modernization of their IT infrastructures," Garcia explains.
One example of how insurers can leverage existing IT investments toward SOX compliance is the data-integration efforts for a customer relationship management (CRM) project. "Investments made and since questioned may get new wind in their sails as the utility of data analytics for enterprise risk management and financial reporting purposes becomes evident. Data integration will assist (insurers) in fulfilling their obligations for section 404 and 409 of the Act by linking data and disparate systems in a timely fashion," according to Garcia.
SOX compliance has drawn comparisons to requirements financial services faced with Y2K obligations. However, while SOX compliance schedules are tight, the incremental nature of the Act should enable firms to spend on related technology and services more judiciously than they did for Y2K, industry experts believe.