SOX Keeping You Awake At Night?

Don't throw away the sleeping pills just yet. If you're a senior executive or manager with financial accountability, chances are, over the past year, you've had trouble sleeping because you've been worried about complying with the Sarbanes-Oxley law--especially the part that holds you personally responsible for attesting to the adequacy of your company's internal controls over financial reporting. Unless you've been living under a rock, you know that SOX--passed in 2002--requires executive officers of public companies to annually attest to the effectiveness of internal controls over their financial reports. If you fail to establish and maintain appropriate controls, you can be fined and even sent to jail.

Fear of these penalties naturally prompted corporate leaders of publicly traded companies to scramble to meet the requirements of Section 404 for the first time at the end of last year. That's the part of the law that holds senior managers accountable for documenting and evaluating their internal controls.

But just when you and your peers thought you could individually and collectively breathe a sigh of relief--and maybe get some sleep--pundits are now warning you that it's not over yet. In fact, they're saying: Get ready for "Sarbanes-Oxley Phase Two."

Phase two involves sustaining SOX compliance into the future by embedding it into your day-to-day operations. And that means you now have to think about how you're going to do that. What new technologies or enhancements to existing systems can your company invest in to get the ongoing assurance you need to confidently sign that SOX audit statement every year?

"Most companies have hired the consultant. They've received the big binder and matrix that documents all their internal control procedures, who owns them, and how often they need to be performed. Now, it's time to implement," says Lee Ann Hoover, director of the financial and insurance services practice at Chicago-based Navigant Consulting Inc. "It's time to turn talk into reality."

To be sure, companies have expended significant time and money to achieve SOX compliance, according to Bari Faudree, firm director at Deloitte & Touche LLP, speaking during a recent Web seminar sponsored by Netegrity Inc., a Waltham, Mass.-based identity management firm. "Now, a lot of folks are beginning to focus on implementing well-designed, repeatable SOX-compliant processes," he says.

Of course, wherever there are repeatable processes, automation usually makes sense.

Last year, most spending by insurers to comply with SOX was for personnel, auditing, consulting and internal process documentation, according to Cynthia Saccocia, senior analyst in the insurance research practice at TowerGroup Inc., Needham, Mass.

But TowerGroup predicts spending by insurers on Sarbanes-Oxley compliance will rise from $250,000 on average this year to $1.5 million in 2006--as carriers begin to invest in technologies to integrate controls into their daily operations.

A prudent step

Many insurers, like other companies, have been using simple, paper-based or low-tech methods of documenting their internal controls, Saccocia notes in a report titled, "Sarbanes-Oxley and Insurance: Requirements, Hype and Opportunity."

For example, Columbus, Ohio-based Nationwide Financial Services Inc. used Lotus Notes. (Editor's note: Nationwide declined to be interviewed for this article.)

Now, insurance carriers--like other companies--will evolve from this base level of SOX compliance, where there is little connection with daily operations, to a "standard" level, where controls are managed by key individuals using some automation, Saccocia predicts.

At the highest level--what can be called best practices SOX compliance--insurers will attain enterprise compliance management, where business units are responsible for risk management and controls--supported by real-time reporting technologies.

But before insurers get to that desirable state--SOX compliance nirvana--a prudent first step is to implement compliance workflow and data repository tools, according to Navigant's Hoover.

"When I participated in (internal control) reviews last year, we'd find that in order to determine whether a company was adhering to specific internal controls, we had to look into the bowels of the company's legacy transactional systems," she says.

What's missing is a workflow engine that can draw data from legacy systems and convert it into a set of meaningful reports that a chief compliance officer or risk officer can use to determine if the company is in compliance--and take remedial action where necessary.

Also missing, she says, is an electronic data repository for managing internal control procedures--an electronic version of all the information currently stored in the auditors' binders.

"With this kind of tool, you can automatically send out notifications on a regular basis to all the owners of all your internal control procedures to keep your repository current," she says.

Consistency, repeatability

After going through Section 404 compliance for the first time last year, many executives are now realizing that auditing--and compliance in general--have been poorly managed, manual processes up until now, says Ted Frank, president of Axentis LLC, a Warrensville Heights, Ohio-based enterprise compliance management firm.

"They're realizing they now have an opportunity to establish some consistency in these processes--because your accounts payable process is not your competitive advantage," he says. "There's no reason for that to vary between business units."

Axentis provides software that enables companies to map their compliance risks and controls, manage their policies, procedures and training, and deal with remediation issues as they arise. "This is the glue and consistency that most companies lack," Frank says.

In fact, consistency and repeatability are at the heart of "transparency," which is the term bandied about in discussions on Sarbanes-Oxley.

The law's intention is to provide more "transparency" or "visibility" into companies' financial statements. But what does "transparency" really mean? "At the most basic level, financial reports are transparent if someone with access to the same information can repeat the process and get the same results," says Gary Knoble, vice president of data management at The Hartford Financial Service Group Inc., Hartford, Conn.

"It's kind of like a scientific experiment," he says. "You have to ask yourself: Do I have all the right data? Am I using the right sources? Are my sources reconciled? SOX is really about data and data quality," he says.

SOX is also about identity management, security access controls, document management, learning management, business intelligence, business process management, data and transaction monitoring, e-mail archiving and records retention, according to industry sources.

In fact, 83% of public companies plan to deploy or evaluate solutions this year for one or more revenue management processes, according to research conducted by Revenue-Recognition.com, a Web site hosted by CFO.com and Softrax Corp., Canton, Mass. What's more, security tops the list of technology investments they're considering, followed by financial consolidation, billing, revenue accounting, document management and record retention solutions.

Not surprisingly, vendors of these technologies are already offering SOX enhancements to their products--and new and established companies are developing SOX-specific solutions.

SunGard Insurance Systems, for example, provides investment accounting software to insurance companies. The Miami-based operating group of SunGard has added more audit logs, more reports and a new reconciliation module to its software.

The enhancements help insurers provide proof that transactions between their system and their bank's are valid.

"We made these enhancements because of client requests--primarily driven by SOX," says Dennis Lebar, manager of regulatory compliance at SunGard Insurance Systems.

The new reconciliation module, in particular, automates a lot of the processes that SunGard's clients are now doing manually, he says. "It saves them a ton of time in documenting their procedures for SOX compliance."

The provider also recently received a SAS 70 Type 2 certification for its software. Several years ago, it received a SAS 70 Type 2 certification when it began outsourcing, according to Linda Treibitz, senior manager of client relations at SunGard Insurance Systems. "Getting our software certified took that certification a step further."

SAS 70 Type 2 helps publicly traded companies meet another SOX requirement--that their third-party providers also have satisfactory internal controls. The U.S. Securities and Exchange Commission (SEC) has designated the SAS 70 Type 2 audit as an acceptable method of that assurance.

For this reason, Zurich North America in December received a SAS 70 Type 2 certification for its commercial insurance business. The Schaumburg, Ill.-based company did this so that customers of its claims services business don't have to perform their own audits of Zurich's internal controls.

Defining risks

In the same spirit of helping its customers with SOX compliance, Sprint is rolling out enhancements to its e-mail protection services.

The Overland, Kan.-based telecommunications company provides Internet connectivity to thousands of corporate clients. Because of this, Sprint began offering anti-spam, anti-virus and content filtering services several years ago. More recently, the company added e-mail and instant message archiving services.

"Customers have been asking for e-mail archiving to comply with the record-retention provisions of SOX--and to offload e-mail storage from their local systems," says Cary Ransom, Sprint e-mail protection manager.

Configuresoft is another vendor providing a SOX enhancement to its technology. The Colorado Springs, Colo.-based firm sells software that automates the management of configuration settings for Windows-based servers and clients and enforces security and IT standards. In November, it launched an enterprise configuration management product for SOX-compliant IT control.

The product is based on COSO--the internal control framework sanctioned by the SEC--and CobiT--the widely accepted IT control framework developed by the IT Governance Institute, Rolling Meadows, Ill.

SOX does not specify any particular technologies, Deloitte's Faudree noted in the Netegrity Webinar. "It's about reducing risk within your business." Companies have to have appropriate IT and business process controls in place to demonstrate they've reduced their risk, he says.

"If you do SOX right, all you're really doing is defining risks--and the processes that are in place to manage those risks," Axentis' Frank concurs.

Enterprise risk

"That could be a regulatory risk, it could be an operational risk, it could be a financial risk. And those processes impact different people in the organization differently based on their roles and responsibilities," he says.

As a result, Frank sees system integration, business intelligence and business process management tools playing a part in embedding SOX compliance into companies' day-to-day operations.

"Over time, compliance will be baked into other applications--your sales force automation, your ERP system, your supply chain management tool," he says.

"You define the processes. You define the controls. Then you integrate with other applications to deal with the remediation and measurement of those processes. You'll see a whole integration layer established for compliance. That's why companies like IBM are so interested in this marketplace."

In fact, at press time, IBM Corp. was holding a road show--with stops in Dallas, Boston and Chicago--to educate compliance professionals about how the Armonk, N.Y.-based business technology giant can help them achieve sustainable SOX compliance.

Business intelligence tools will help companies build compliance controls into their existing applications, Frank says.

For example, if a company provides outsourcing services, one of the biggest risks it faces is losing the capital investment it has to make when it gets a new contract, he says.

"I need equipment. I need to hire people. I need to get a facility. We're talking millions of dollars of investment. If my client goes out of business, I've just lost millions of dollars."

How can a company control that kind of risk? One way is by adding rules into a sales force automation or customer relationship management (CRM) system, he says.

"I have a pipeline of (sales) opportunities. And, if I do this right, I can build a control into my CRM system that stipulates if a deal reaches a certain stage with a certain investment required, a review process is triggered. The deal can't even go to the legal department until my risk management folks and my credit folks have evaluated the credit-worthiness of this prospective client," he explains.
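The deal-stage control Frank describes is a preventive control embedded in an operational system, so it is worth seeing what it looks like as a rule rather than as a sentence. The following is an added example written for this page; it is not code from Axentis, the article, or any CRM product. It assumes a five-stage pipeline, a review stage of "proposal", an investment threshold of $1 million, and two required reviewing functions (risk management and credit); all of those names and values are assumptions. It also adds two things a practitioner would expect of such a control: a segregation-of-duties check so the deal owner cannot approve his or her own deal, and an append-only audit trail of every gate decision so the control can be evidenced later.

```python
"""Deal-stage control gate: an added, hypothetical example.

Once an opportunity reaches the review stage with a required investment at or
above the threshold, it cannot advance to legal until the risk-management and
credit functions have each recorded an approval. Stage names, threshold and
role names are assumptions, not values from the article.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

PIPELINE = ["lead", "qualified", "proposal", "legal", "closed"]  # assumed stages
REVIEW_STAGE = "proposal"            # stage at which the gate applies (assumed)
INVESTMENT_THRESHOLD = 1_000_000     # dollars of capital at risk (assumed)
REQUIRED_REVIEWS = {"risk_management", "credit"}  # functions that must sign off


class ControlViolation(Exception):
    """Raised when an action would bypass the control."""


@dataclass
class Deal:
    deal_id: str
    owner: str            # salesperson who owns the opportunity
    stage: str
    investment: float     # capital the company must commit if the deal closes
    reviews: dict = field(default_factory=dict)      # function -> (reviewer, approved)
    audit_log: list = field(default_factory=list)    # append-only evidence trail

    def log(self, event, **details):
        self.audit_log.append(
            {"ts": datetime.now(timezone.utc).isoformat(), "event": event, **details}
        )


def gate_applies(deal):
    """The gate fires only at the review stage and only above the threshold."""
    return deal.stage == REVIEW_STAGE and deal.investment >= INVESTMENT_THRESHOLD


def missing_reviews(deal):
    """Required functions that have not yet recorded an approval, sorted."""
    return sorted(
        f for f in REQUIRED_REVIEWS
        if f not in deal.reviews or not deal.reviews[f][1]
    )


def record_review(deal, function, reviewer, approved):
    """Record a review; enforces segregation of duties between owner and reviewer."""
    if function not in REQUIRED_REVIEWS:
        raise ValueError(f"unknown reviewing function: {function}")
    if reviewer == deal.owner:
        raise ControlViolation("segregation of duties: deal owner cannot review own deal")
    deal.reviews[function] = (reviewer, approved)
    deal.log("review", function=function, reviewer=reviewer, approved=approved)


def advance(deal, actor):
    """Move the deal to the next pipeline stage, blocking at the gate if needed."""
    idx = PIPELINE.index(deal.stage)
    if idx + 1 >= len(PIPELINE):
        raise ValueError(f"deal {deal.deal_id} is already at the final stage")
    next_stage = PIPELINE[idx + 1]
    if next_stage == "legal" and gate_applies(deal):
        missing = missing_reviews(deal)
        if missing:
            deal.log("blocked", actor=actor, missing=missing)
            raise ControlViolation(
                f"deal {deal.deal_id} needs approval from: {', '.join(missing)}"
            )
    deal.log("stage_change", actor=actor, frm=deal.stage, to=next_stage)
    deal.stage = next_stage
    return deal.stage


if __name__ == "__main__":
    # Constructed sample: a $2.5M deal owned by "alice" at the proposal stage.
    d = Deal("D-1", "alice", "proposal", 2_500_000)
    try:
        advance(d, "alice")
    except ControlViolation as exc:
        print("blocked:", exc)
    record_review(d, "credit", "bob", True)
    record_review(d, "risk_management", "carol", True)
    print("advanced to:", advance(d, "alice"))
    for entry in d.audit_log:
        print(entry)
```

The important design point is that the gate is evaluated inside the stage transition itself, not as a separate checklist: there is no path from the review stage to legal that skips it, and every blocked attempt leaves an audit record, which is what an auditor testing the control will ask for.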

This kind of risk management, which is built into daily operations and managed strategically, is called enterprise risk management (ERM). And it will be the "best practice" approach to risk and compliance management in the near future, according to sources.

Insurers around the globe are making progress in using integrated risk and capital management to drive business decisions, according to the third biennial survey of insurers worldwide by the Tillinghast business of Towers Perrin. In fact, 85% of the survey respondents said ERM is more of a priority today than it was a year ago.

In addition, the survey identified a major shift in the positioning of risk management within insurance organizations, with 39% noting that chief risk officers now have primary responsibility for risk management--up from 19% in 2002. And 40% of chief risk officers now report to the CEO--an increase from 26% in 2002.

"Senior management has become more involved in the risk management process in recent years due to corporate governance regulations, questions from rating agencies, and demands for more financial transparency," says Prakash Shimpi, Tillinghast practice leader.

Integrating risk is not new to the insurance industry; it's been done for a long period of time at a product level, says Ian Farr, Tillinghast principal and co-author of the study. But more insurers are moving away from this 'risk silo' approach to improve understanding and communicate risk management throughout their organizations, he says.

Between SOX, Gramm-Leach-Bliley, HIPAA, the USA PATRIOT Act, as well as various state regulations, insurers are devoting an average of 20% of their new project IT business to compliance-mandated projects, or $1.4 billion industrywide, according to Matthew Josefowicz, group manager of the insurance practice at Celent Communications Inc., Boston.

In a report, titled "The Virtuous Cycle of Compliance and IT," Josefowicz suggests insurers can reduce the compliance component of new project spending by at least 25% by shifting compliance IT efforts from a reactionary activity to a strategic one.

Most companies have approached Sarbanes-Oxley compliance as a set of burdensome requirements that cost money and not as an opportunity to reduce costs or improve their business processes, The Hartford's Knoble notes.

"Some of us in the industry are trying to encourage companies to go beyond just meeting the requirements of the law to instead ask, 'How is Sarbanes-Oxley going to help me?'"

As with any law, some SOX provisions may be unnecessary, he admits. "But essentially the underlying intent of SOX is: How much trust do you have in your data? How much trust do you have in your financial results?"

Viewed in this light, the discipline that SOX enforces doesn't only assure investors that a company's financial statements are accurate, it also ensures that the company is making better business decisions based on accurate information, Knoble says.

"That's what I'm suggesting," he says. "Don't just look at SOX as something you have to do because the government says you have to do it--and if you don't, you're going to go to jail. Look at it as an opportunity to improve the data that you're using to make your business decisions."

That should help you sleep better in the long run too.

Need Help? An Operational Framework Is On Its Way

Last June, a group of 10 vendors formed The Compliance Consortium. Its mission: To publish governance, risk and compliance (GRC) best practices and reference architectures; to influence and contribute to GRC-related industry and computing standards; and to establish conferences and other professional events focused on governance, risk and compliance topics.

The companies--Approva, Axentis, Hyland Software, Hyperion, Intuition, Jefferson Wells International, Navigant Consulting, The Network, Corpedia and Staffware--formed the consortium because their customers, flooded with marketing hype, were asking them for guidance on what technologies they needed to develop a best practices compliance program.

"Many of us knew each other and had done business together," says Ted Frank, chairman of the consortium and president of Axentis LLC, a Warrensville Heights, Ohio-based enterprise compliance management software firm. "So we all sat around a table one day and said, 'This market desperately needs a standard--a reference architecture. And, while none of us alone provides the complete architecture, we certainly have enough knowledge to put together a good solid approach to managing enterprise risk and compliance.'"

The framework, which the Consortium was developing at press time, will be based on the United States Sentencing Commission guidelines, he says. These include several basic elements: consistent communication; auditing, monitoring and reporting; and uniform enforcement.

These three pieces to the puzzle provide a consistent operational approach, according to Frank. "Then, a company can establish a technical architecture that provides the same consistent use of its tools." For example, if a company uses one technology to distribute its code of conduct, it makes sense to use that same tool to distribute the company's internal control policy.

At press time, Frank expected the consortium to announce new member organizations and publish its operational framework around April. For more information, visit the group's Web site at www.thecomplianceconsortium.org.

NAIC Considers SOX-Like Provisions

Privately held and mutual insurance companies should not consider themselves off the hook when it comes to Sarbanes-Oxley compliance. Even though the law, which passed in 2002, applies only to publicly held companies, the National Association of Insurance Commissioners (NAIC), the Kansas City, Mo.-based organization that oversees state insurance regulation, is working on adding SOX-like provisions to its model audit rule.

At press time, a working group composed of members of the NAIC and the American Institute of Certified Public Accountants (AICPA), New York, was considering specific alterations to the NAIC's "Model Regulation Requiring Audited Annual Financial Reports." Those alterations are based on Titles II, III, and IV of Sarbanes-Oxley, according to Doug Stolte, chairman of the NAIC/AICPA working group and deputy commissioner over the financial regulation division of Virginia's Department of Insurance.

"In 2003, we began analyzing certain sections of SOX and compared it to our model audit rule," Stolte says. Then, last April, the NAIC developed a draft of its audit rule with proposed SOX-like changes. In March, Stolte expected two subgroups--the ones working on Titles II and III--to complete their work by June. Another subgroup, addressing the more controversial changes based on Section 404 internal controls, was aiming to finish its work by the end of this year.

Several industry trade associations are voicing their opposition to adding more regulatory burden on nonpublic insurance companies. The Property Casualty Insurers Association of America (PCI), Des Plaines, Ill., in an open letter to the nation's insurance commissioners, urged them to raise questions about the NAIC's efforts to apply SOX standards to the entire insurance industry.

Current financial reporting standards for insurers, including special accounting rules, line-by-line forms for financial statements, and actuarial opinions on loss reserves, are unique to this industry and are significantly more extensive than those imposed on other businesses, according to Ernie Csiszar, PCI president and CEO.

"The state regulators have assumed that SOX needs to be applied to the entire insurance industry, and they haven't even looked at some basic questions," says Stephen Broadie, PCI assistant vice president-financial. "First of all, is there a problem that needs to be addressed? Secondly, if there is a problem, what are the alternative solutions--and what are the costs and benefits of each solution?" Until those questions are answered, PCI believes there's no reason to impose additional requirements on insurers, he says.

Those requirements will be costly, according to sources. For example, a survey of 321 public companies conducted by Financial Insurance Executives International in January 2004 found those companies expected to spend an average of $732,100 to comply with Section 404 of Sarbanes-Oxley. Companies with less than $25 million in revenue expected to pay an average of $170,000, while those with more than $5 billion in revenue planned on SOX expenses of $1,390,100 on average.

For large companies, new SOX-like auditing requirements can run into millions of dollars, Stolte admits. "But insolvencies run into millions of dollars too," he says. The regulators realize changing the audit rule won't prevent all insolvencies, he adds. "But we do believe if insurers have strong corporate governance and a robust audit function with management and an external auditor certifying that internal controls over financial reporting are in place, we as regulators are going to be better able to do our jobs." And the public and policyholders deserve that, he says.
