Sarbanes-Oxley Compliance Looms

A few years ago, when senior executives took to the podium to report their companies' earnings, no one really questioned if they were telling the truth. Today, because Enron, WorldCom and other companies have so blatantly duped investors, the federal government is hovering over them, saying "Prove it." With the threat of criminal penalties, the Sarbanes-Oxley Act of 2002 (SOX) holds senior executives personally accountable for the accuracy of their companies' financial statements. The law also requires publicly traded firms, including insurers, to document and test their internal financial controls, and report within 48 hours any "material" events or weaknesses that may affect their earnings.

Reporting linked to IT

Because financial reporting touches upon so many areas of corporate activity, IT is expected to play a critical role in SOX compliance. In insurance, for example, financial reporting draws upon transactional data from accounting, underwriting, policy administration, claims, and risk and capital management.

Therefore, sources say, appropriate technology can enable insurers to meet SOX requirements. The candidates range from upgrades to enterprise resource planning (ERP), business process management (BPM), business rules management systems (BRMS) and enterprise content management (ECM) to ACORD XML data standards and dynamic financial analysis (DFA).

These same investments can enhance risk management across the enterprise, improve IT architecture and data quality, and reduce costs through automating time-consuming, manual processes.

"SOX does not specifically mandate investments in technology," says Virginia Garcia, senior analyst, financial services strategies, at TowerGroup, Needham, Mass. "But financial reporting is inextricably linked to IT systems. Therefore, IT must absolutely be part of SOX planning right from the start."

Surprisingly, however, many insurers are only beginning to comprehend the overarching IT implications of Sarbanes-Oxley. Until recently, publicly traded companies have been focused on the most pressing SOX deadline, documenting and testing their internal controls by this November, which has been primarily a manual process.

"A lot of companies have documented their internal controls, but they haven't evaluated them with regards to IT. And that will come back to haunt them," Garcia says. "It's not that insurers can't correct their mistakes. They will, in two or three years' time. But reporting windows are getting shorter, and they will realize their mistakes. They are going to make investments that are redundant, and IT waste will ensue."

According to some research, that may already be happening. A survey last year of P&C, life and reinsurance companies showed that while 83% of insurers had appointed compliance officers or teams, only 17% had directly involved IT while implementing guidelines to manage the impact of regulatory compliance.

Conducted by ILOG Inc., a Mountain View, Calif.-based business rules management systems vendor, and ACORD, the Pearl River, N.Y.-based insurance data standards organization, the study also reveals insurers' primary compliance challenges: a reactive rather than proactive culture; inflexible technology infrastructures; and continued reliance on paper-based processes.

Similarly, Gartner Inc. also observes companies taking a tactical (and ultimately costly) approach to SOX compliance. "Enterprises that choose one-off solutions for each regulatory challenge they face will spend 10 times more on compliance projects than their counterparts that take a proactive approach," says French Caldwell, research vice president at the Stamford, Conn.-based research and consulting firm.

Although there are times when adopting a "quick-and-dirty" solution may be necessary to meet deadlines, insurers should avoid committing too much time, effort or data to these solutions, he advises. Instead, Gartner says companies should focus on improving corporate governance across the organization, which will lead to better business decisions and real ROI.

Gartner also advises executives to allocate 50% of their SOX budget to implementation and remediation issues, including directors' and officers' insurance and increased consulting fees; 30% to internal analysis, including redundant audits for the next three quarters; and the remaining 20% to software upgrades and new purchases.

Approximately 70% of SOX committees are run by the CFO or the CFO's office, says Michael Morel, industry marketing director at ILOG. "And they see this whole SOX issue as a huge cost sink. They're spending all this money to keep their directors and senior management out of jail, which is of value, but they don't see anything else."

Not a one-time event

What CFOs need to realize, sources say, is that automating manual financial controls will lower their long-term costs.

"SOX reporting is not a one-time event," Morel notes. "This happens quarterly now, which means every time I put out a quarterly document, such as a 10-K or an annual report, my internal and external auditors have to go through this whole process again. SOX is an ongoing expense. And if I keep everything manual, that ongoing expense is going to remain high."

Manual processes for financial reporting have worked for centuries, says TowerGroup's Garcia. But with the demands on public companies for readily accessible financial information (i.e., "corporate transparency") and more rapid reporting cycles, manual processes will be rendered obsolete for many companies.

Fortunately, she says, many firms already have technologies in place that can be leveraged to automate financial reporting compliance. Technologies such as business intelligence, data analytics, and business process management have been implemented within insurers' business silos for other purposes, such as customer relationship management.

"Insurers now have to map out what IT they have and use those investments across other silos for compliance, because SOX is holistic. It's not going to impact any one business. It affects all of them," Garcia says.

"The whole issue of internal financial controls is multifaceted," says ILOG's Morel. "It includes corporate guidelines, segregation of duties, confidentiality, risk management and assessment, business process management, financial rules and processes, content management, and data management. So you're talking about seven or eight components you have to worry about for every financial control. That's a big deal."

It's such a big deal that several industry sources have compared Sarbanes-Oxley to HIPAA (the Health Insurance Portability and Accountability Act), which health insurers have been wrestling with for years.

"SOX is very much like HIPAA," says John Sarich, insurance industry marketing manager for FileNet Corp., a Costa Mesa, Calif.-based enterprise content management and business process management provider. "When HIPAA came out, health insurance companies said, 'Oh, we've got this covered. We don't need any technology.'

"Now, they're all saying, 'We did HIPAA wrong, and we have to go back and re-do everything.' There's more to HIPAA than meets the eye."

Compliance software vendors are preaching that message to insurers: There's more to SOX than meets the eye. Yet, despite an onslaught of vendors, insurers have to figure out what they need to do for themselves, says TowerGroup's Garcia. They understand their business better than anybody, and each company's SOX compliance strategy will be unique.

On the other hand, she adds, consultants, lawyers, auditors, and IT vendors that have long-term relationships with insurers can help.

SOX driving demand

For example, PeopleSoft Inc., which has more than 350 insurance customers, has been very aggressive in helping its customers address SOX, according to Susan Foley Kane, vice president of product marketing in the financial management solutions group at the Pleasanton, Calif.-based enterprise software provider.

"Overall, technology spending across industries to deal with this very big pain right now is expected to reach $1 billion this year," she says. And, according to Gartner research, insurance companies alone will invest an average of $250,000 to $750,000 each between 2004 and 2005, peaking in 2006 when some individual insurers will spend $1 million in that year for SOX compliance.

Furthermore, a shift is taking place from last year, when companies invested in consulting services to document their internal controls for Section 404, says Foley Kane. "This year and moving forward, folks are turning to solutions that can perform the ongoing monitoring and diagnostics associated with enforcing those internal controls," she says.

MetLife, for instance, a long-time PeopleSoft customer, was concerned about having diagnostics that will enable the company to decrease the ongoing costs of monitoring internal controls, and alert management when a control is not in place, she says. (MetLife did not respond to requests to be interviewed.)

Other companies are also concerned. PeopleSoft's Internal Controls Enforcer product is currently the most highly requested product demonstration, says Foley Kane.

Likewise, demand for evaluations of Lawson Software Inc.'s Smart Notification and ProcessFlow products has increased approximately 80% this past year, according to Mike Rost, director of product marketing at the St. Paul, Minn.-based enterprise resource planning firm. "That's just demand," he says. "When we get into the deal, we find that what's driving the demand is SOX."

Smart systems

Fortunately, insurers are finding their core operational applications and their enterprise systems can help them address SOX compliance, says ILOG's Morel. "That's the good news."

"But the bad news is if you look at the assumptions that were made when core legacy applications were written, they include: the business environment was homogeneous, the flow of data was transparent across the organization, and management of processes and controls was straightforward. But this isn't even close to reality."

That's where business process management and business rules management systems come into play, he says.

"Insurers are not going to get rid of their operational applications," Morel says. "But they are seeing they have to put something on top of those applications to supplement what's already in place to address the business reality: They've really got a heterogeneous application environment. They've really got a lot of integration challenges. And they don't have a centralized way of setting processes up, especially in large organizations."

Indeed, the two top technologies insurers say they're considering for SOX compliance are business process management and business rules management systems, according to the ILOG/ACORD insurance survey.

"A couple of insurance companies have come to understand that managing their business processes for compliance is not just about managing workflow," says Alan Trefler, founder and CEO of Pegasystems Inc., a Cambridge, Mass.-based BPM provider. "It's about having the rules at every point in the workflow to guarantee compliance."

This way, compliance isn't only about creating workflows and then checking and remediating after transactions are processed, sources say.

Rather, rules-based systems enable insurers to build enough intelligence into the systems that feed a company's financial reports, so the system guides the transactions and alerts the appropriate people to anomalies in real time.

In fact, real-time alerting factors into the next phase of Sarbanes-Oxley compliance, Section 409, which requires companies to report in "real-time" (actually 48 hours) any material events or weaknesses that may affect their earnings.

"There's a SOX component that's really the sleeper," says FileNet's Sarich. Insurance companies will no longer be able to make blanket reserve adjustments under Section 409. "Today, an insurance company may report quarterly earnings of $310 million, and say, 'Earnings would have been higher but we had to make a reserve adjustment of $1 billion for asbestos claims,'" he says. "Under 409, you can't have those surprises."

Instead, insurers will need the analytical ability to track claims and identify when asbestos claims are exceeding the average reserves. "They've got to start adjusting those claims right away. They can't wait until the end of a quarter," Sarich says.

Section 409 is not getting the attention it deserves because the deadline has not been set, says TowerGroup's Garcia.

"But it's significant. In large firms, it can take weeks, if not months, to simply identify a material weakness or problem, whether it's fraud or a data entry error or a resilience issue."

Identifying weaknesses

Therefore, putting an information technology structure in place that will identify those weaknesses, escalate them properly, and report them to the regulators within 48 hours is a huge, and necessary, undertaking for most insurance companies, she says.

"If you have islands of data all over the organization and across the globe, the ability to consolidate that information, or integrate that information at the very least, and provide some unity to data models is critical."

But, data is inconsistent in most insurance companies (see "The Industry's Dirty Secret," October 2003). In general, insurers have not established corporate data architectures, notes Denise Garth, vice president of membership and marketing for ACORD. "And data is the lifeblood of the industry," she says.

"It's what our rates are based on, it's what our reserves are based on, it's what our financial reports are based on. And today, in one system you define premium in one way, and in another system you define it another way. How do you reconcile that?"

You reconcile it by adhering to data standards, she says. "Fundamentally, SOX compliance, particularly the issue of transparency, is about data consistency and data quality," Garth says. "And for that, you have to have a corporate data architecture strategy. You can't look at your data strategy separate from your business strategy."

Cornerstone of compliance

Similar to dirty data, records management is also a problem in the industry, according to FileNet's Sarich. "And it's a cornerstone of compliance."

Nobody really "owns" those records, he says. "Underwriting doesn't own them. Claims doesn't own them. Maybe an administrative officer is responsible for records management. But usually, it's an issue of 'how often do we call the service provider to come in and haul it out?'"

With SOX, insurers can't just haul their records out, he says. "If an insurance company goes through a merger or acquisition, for instance, it has to retain and produce any information regarding that transaction if and when that information becomes material."

With enterprise content management, an insurer can do a keyword search in a database and find all relevant content, Sarich says. This has benefits in the general business as well as for SOX compliance. For instance, insurers can query the database for fraud investigations, he says.

In addition to enterprise content management, many companies are investigating enterprise performance management, which provides "dashboards" that give CIOs a top-down view of their corporate financial picture.

"There's a whole cottage industry emerging," notes TowerGroup's Garcia. However, she adds, if an insurer puts such a system on top of its IT environment, that tool has to be integrated across the entire business to be effective.

"Where are the transactions coming from?" she says. "I have offices and branches across the globe. I have thousands of branches. I have agents. All these people, in some form or fashion, are contributing to my financial statements. That's really complex, and that goes far beyond any management tool we're hearing so much about."

SOX Drives Interest In Financial Modeling Tools

Along with the turbulent stock market and threats of terrorism, the Sarbanes-Oxley Act of 2002 is putting heightened pressure on insurance executives for improved management information.

"The broader use of stochastic models by senior management is essential in today's uncertain environment," says Jack Gibson, North American life insurance and financial services practice leader at Tillinghast - Towers Perrin, the New York-based actuarial and management consulting firm.

"By their nature, insurance companies have uncertainty about their future," he says. "And stochastic modeling enables them to better understand what their most significant risks are, what might cause their earnings to fluctuate, or what might cause value to erode, not on a product-by-product basis, but across the entire company."

It's a fallacy to have a risk-bearing enterprise sign off on their financials, says Bret Price, senior vice president of SS&C Technologies Inc., a Windsor, Conn.-based investment and financial management software vendor. "Insurers assume a risk today that they'll pay a liability in the future. And most companies don't have that as their business model."

SS&C offers a high-definition financial forecasting system, called Finesse HD, which enables insurers to subject their investment portfolios to a range of scenarios. "It's only a matter of time before a disclosure of ranges for reserves and investments is going to be part of the reporting process for insurers," says Price.

"If you can report on a range, such as, 'We expect our reserves to be at $2 billion, but they can get as high as $3 billion or as low as $1.5 billion,' at least investors and policyholders will have a clearer understanding of the inherent volatility of reserve levels."

Mutuals Aren't Off The SOX Hook

Sarbanes-Oxley governs financial reporting for publicly traded companies, but mutual insurers will likely be held to very similar standards, according to industry sources.

"There has been some discussion in the insurance world about whether mutual companies will have to comply with SOX, and from a practical standpoint, they just about have to," says John Sarich, insurance industry marketing manager for FileNet Corp., Costa Mesa, Calif.

If a mutual life insurance company sells annuity products, for example, that insurer will have to track account changes according to SOX rules just as a brokerage firm that sells annuities would, he says. "So, if you're an annuity company, and a customer calls and says, 'I want to move my money from the bond fund to the stock fund,' you'll have to record and track the request, as well as what you told the customer."

In addition, the National Association of Insurance Commissioners (NAIC), Kansas City, Mo., will most likely adopt financial reporting requirements very similar to those of SOX. And states eventually may take over enforcement of the federal rules, according to sources.

"A lot of states are looking at SOX enforcement and Gramm-Leach-Bliley enforcement because they fear the Feds coming in and taking it all over," Sarich says.

Mutual insurers are not accustomed to such stringent financial reporting requirements, and they'll find them difficult and expensive, says Dianne Lyons, controller of United Fire Group, a publicly traded P&C insurer based in Cedar Rapids, Iowa.

After successfully implementing the WINGS Financial Reporting software from Eagle Technology Management Inc., Marion, Iowa, for NAIC financial reporting, Lyons is considering the technology implications of SOX for her company.

"We build most of our own systems, such as underwriting and claims," she says. "So we have the ability to go in and put our controls within those systems. The more you can build controls in the system versus coming back and checking the reports manually after the fact, the better."

Enforcing internal financial controls is a very easy concept to sell to senior management in insurance companies, both public and mutual, because they're in the business of managing risk, says Timothy Plunkett, global insurance industry consultant at PeopleSoft Inc., Pleasanton, Calif.

"I thought mutual companies would be a lot more reluctant toward the NAIC's plans to impose SOX standards on them too, but it just makes good business sense. If stock companies have to comply with SOX, the mutual companies also need to. It's just a best practice," he says.
