
Under the new Sarbanes-Oxley (SOX) revision effective in August, companies are no longer required to obtain an external audit opinion on their assessment of their internal controls over financial reporting (ICFR). That is the good news. However, the latest revision reiterates that management will remain accountable for maintaining an effective system of controls. It is widely accepted that in order to meet the ongoing requirements of SOX while simultaneously capturing the cost savings anticipated from the implementation of the new Audit Standard No. 5 (AS5), management must institutionalize compliance within their organization with a renewed focus on both cost efficiency and overall effectiveness.
Research has consistently confirmed the positive correlation between the maturity of a company’s internal controls processes and the effective use of enabling technology. However, even after several years of complying with SOX many executives still cannot tell you how many key controls they have throughout their company, let alone which controls are effective at any time or what progress is being made in the remediation of ineffective controls.
Most financial industry companies recognize the need for enabling technology that effectively facilitates ongoing SOX compliance. However, in today’s marketplace solution options still range anywhere from simple document management systems to complicated all-in-one Enterprise Risk Management systems. To better understand this situation, FST talked to Avalion Consulting, who developed an industry leading SOX compliance solution called ComplianceSet™. The objective was to find out what makes the ideal solution for financial services industry companies looking to optimize both the cost effectiveness and efficiency of their ongoing efforts to comply with SOX.
Cost Effective
As with any purchasing decision an executive makes regarding information technology, the first two things they want to know are how much this is going to cost them and how much they will save the company by implementing it. They want to identify the quantifiable value / ROI associated with a buy decision. Clearly, executives understand that qualitative benefits must also be considered, but it is typically the hard dollar costs they grapple with most.
In regards to cost effectiveness, we believe SOX Compliance enabling software should be evaluated differently than the standard ERP or CRM solutions that are familiar to most companies. To determine the most cost effective solution, we believe companies must understand the answers to the following two critical questions:
Enterprise License Model
Avalion believes that understanding the overall economic value a software solution provides to a company is paramount in determining if it will be a cost effective solution. In our experience, the traditional “cost per user” license pricing model used for most ERP and CRM software is inherently flawed for pricing SOX Compliance software. The reason this situation occurs is linked to the fact that organizations that want to optimize their ongoing costs for compliance must implement a pervasive / sustainable compliance process that includes interactions with numerous employees throughout the organization. However, most of those employees will only be “casual” or infrequent users of the SOX Compliance technology. As a result, a “cost per user” licensing approach actually impedes the company’s efforts to optimize their overall costs.
Although they are extremely critical to the overall effectiveness of the Compliance process, we believe that as many as two-thirds of all named users will require only infrequent access to the system, potentially only a few times a year. Our observation has been that the more mature a company’s Compliance process, the higher the number of users that require only infrequent access to the system. Under a user-based license agreement, companies would be required to pay full user fees for these infrequent users. Therefore, we firmly believe the software pricing model that more fairly represents the economic value to a company is that of enterprise-based licensing.
Software as a Service (SaaS)
Systems delivered through a SaaS model (also known as “application service provider” or “ASP”) are generally more cost effective than a solution that is licensed, installed and maintained on infrastructure owned by the company, especially during the initial years of operation.
In addition to the significant cost saving potential, we believe the SaaS model drives the most potential value for Compliance solutions due to the dynamic nature of legislative requirements. Clients have the assurance that their vendor will provide timely future upgrades needed to support their changing compliance requirements with no additional charges incurred.
Process-Based
Financial industry executives recognize they must integrate continuous SOX Compliance into the “DNA” of their companies. However, many systems treat compliance as a once-a-year project rather than a continuous process. For example, almost every company we have worked with tells us that they inevitably have a number of ineffective controls at the end of the year. The fact is that controls that are ineffective on December 31st do not miraculously become effective when the calendar changes to January 1st. But many popular Compliance systems treat them as if they do exactly that. A truly continuous, process-based system accommodates the remediation process regardless of when a control has been tested ineffective and provides for seamless continuity across fiscal years.
Furthermore, an effective compliance software solution facilitates the entire Compliance process including risk and controls management, internal controls testing, remediation of ineffective controls as well as periodic certification and effectiveness assertions. A process-based system will not only provide robust document management functionality but will also include configurable workflow options, integration with email and will also be flexible enough to support the customer’s unique Compliance process requirements. The ability to continuously monitor and manage risks and controls on an interactive, executive dashboard (e.g. “drill-down” capability) should be integrated into the system as well. Robust custom reporting functionality and ad-hoc reporting are also key features that should be included in the system as the customer should not have to buy additional bolt-on software to meet executive reporting requirements.
Finally, since even the best planned process transitions take time, companies will want a system that allows them to initially keep the controls maintenance function within a small group of employees such as Internal Audit. Subsequently, it should provide them with rich functionality to reassign ownership and accountability that mimics the realities of their ever changing organization such as staffing changes, new systems, reorganizations, and corporate acquisitions and divestitures (e.g. various M&A activity).
Easy to Implement
Virtually every company that we have worked with is concerned with the time and cost required for implementation. As a result, leading Compliance software vendors should develop robust tools to help their clients implement rapidly. Overall, we believe implementation duration should be measured in weeks, not months, and that Compliance systems must be flexible enough to accommodate unique client organizational requirements while remaining easy to implement.
COSO and COBIT frameworks were universally adopted for SOX Compliance and almost all companies adopted the same basic approach to achieving initial compliance. Virtually everyone developed MS Office based documents such as Risk and Control Matrices, Process Narratives and Test Plans using standard data characteristics. Executives should anticipate legacy MS Office data migration to the new Compliance solution as the biggest challenge they will face during implementation. We firmly believe Compliance system vendors should provide robust data cleansing and migration tools as part of the implementation project. If the vendors your company is considering cannot demonstrate how your legacy data will be systematically migrated into their solution, you will likely need to significantly increase your implementation timeline.
Due to the relative immaturity of the Compliance software industry, some vendors may not be as committed to making their implementation methodology as efficient as a more mature market might require. Avalion believes Compliance vendors should provide implementation services for a fixed price. We believe providing a fixed-fee implementation guarantee demonstrates the vendor’s good-faith commitment to helping clients overcome the fear of potentially embarking on a project that never quite gets finished due to unproven technology and / or an immature implementation methodology. It also demonstrates that the vendor has confidence in their implementation methodology and tools.
Ease of Use
When evaluating software options, companies should also consider ease of use. This should not only refer to how easy it is for users to perform required tasks in the system but also how easy it is to train new users as well. Due to the nature of the most cost effective approach to SOX Compliance, most users will have infrequent need to access the system. But they recognize the significant value of having the solution in place to enable the process to work effectively and efficiently. For this to be possible, the system must be intuitive to use and should present users with access to only the relevant functionality they need to perform their specific role in the Compliance process.
Numerous client executives have expressed their frustration to us that many of the existing solutions they evaluated pack too much “extra functionality” into their software. Not surprisingly, those same vendors attempt to charge considerably more for the additional “value add” enabled by their software. Nonetheless, savvy executives recognize that such “unnecessary” extras usually prove costly to implement and difficult to train users on how to use. Compliance software requires part time participation from users with diverse backgrounds across the entire organization in order to be cost effective. In the case of SOX Compliance, less is more and simple is best.
Combined with simplicity, Role-Based Access Control (RBAC) is a must-have feature for Compliance software. Standard system roles should be established in the software that allow for customization by the customer. User accounts are established by assigning a system role, or combination of roles, as appropriate for that employee’s level of accountability within the organization. Since users are not assigned specific functional permissions in the system, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply maintaining the appropriate roles utilized in the system set-up / maintenance module. RBAC greatly simplifies common maintenance operations such as adding or removing individual users as well as modifying a user’s role assignment to accommodate a changing organizational structure.
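The role model described above, as an added example that is not ComplianceSet’s or Avalion’s code: users hold roles only, roles hold permissions, and a staffing change is handled by moving roles rather than editing per-user permissions. The role names, permission strings and user names are constructed for illustration; a real system would load them from its set-up / maintenance module.

```python
"""Minimal RBAC model for a compliance system (illustrative, constructed)."""
from typing import Dict, Set

# Constructed role catalogue: each role carries a set of functional permissions.
# A customer would tailor these in the system set-up module; users never hold
# permissions directly, only roles.
DEFAULT_ROLES: Dict[str, Set[str]] = {
    "control_owner": {"control.view", "control.certify"},
    "tester": {"control.view", "test.record"},
    "internal_audit": {
        "control.view", "control.edit", "test.record",
        "remediation.manage", "evidence.sensitive.view",
    },
    "executive": {"control.view", "dashboard.view"},
}


class AccessControl:
    """Holds the role catalogue and the user -> roles assignments."""

    def __init__(self, roles: Dict[str, Set[str]]) -> None:
        self.roles: Dict[str, Set[str]] = {r: set(p) for r, p in roles.items()}
        self.users: Dict[str, Set[str]] = {}

    def assign(self, user: str, *role_names: str) -> None:
        """Grant one or more roles to a user; unknown roles are rejected."""
        for role in role_names:
            if role not in self.roles:
                raise ValueError(f"unknown role: {role}")
        self.users.setdefault(user, set()).update(role_names)

    def revoke(self, user: str, role: str) -> None:
        """Remove a single role from a user (no-op if not held)."""
        self.users.get(user, set()).discard(role)

    def remove_user(self, user: str) -> None:
        """Offboarding: dropping the account drops every right at once."""
        self.users.pop(user, None)

    def permissions(self, user: str) -> Set[str]:
        """Effective permissions are the union of the user's roles."""
        return set().union(*(self.roles[r] for r in self.users.get(user, ())))

    def can(self, user: str, permission: str) -> bool:
        """Authorization check used before any functional action."""
        return permission in self.permissions(user)

    def reassign(self, from_user: str, to_user: str) -> None:
        """Staffing change: hand every role of a departing user to a successor."""
        self.assign(to_user, *self.users.get(from_user, set()))
        self.remove_user(from_user)

    def add_permission(self, role: str, permission: str) -> None:
        """Changing a role changes rights for every holder, with no per-user edits."""
        self.roles[role].add(permission)


def build_demo() -> AccessControl:
    """Constructed sample organisation used by the demo and the checks."""
    ac = AccessControl(DEFAULT_ROLES)
    ac.assign("alice", "internal_audit")          # full-time compliance staff
    ac.assign("bob", "control_owner", "tester")   # infrequent user with two roles
    ac.assign("dana", "executive")                # dashboard-only user
    return ac


if __name__ == "__main__":
    ac = build_demo()
    print("bob can record tests:", ac.can("bob", "test.record"))
    print("bob can view sensitive evidence:", ac.can("bob", "evidence.sensitive.view"))
    ac.reassign("alice", "carol")   # alice leaves; carol inherits her roles
    print("carol now manages remediation:", ac.can("carol", "remediation.manage"))
    print("alice still has an account:", "alice" in ac.users)
```

The check a practitioner should take from this is in `can`: because it derives rights from roles on every call, revoking a role or removing a user is immediately effective everywhere, and the "least functionality per role" principle from the previous paragraph is enforced by keeping the role catalogue small.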
Another important aspect of ease of use is the ability to perform user training. Training methodology should be flexible and training materials must be delivered using formats that best accommodate the needs of each unique organization. Compliance software vendors must be able to provide specific, modular training to the right people in an efficient manner. Training should make people’s jobs easier, not more difficult or stressful. Web-based delivery, supported by customizable on-line help, is a feature that can make training simple to roll out and easy to understand, particularly in companies that are geographically diverse.
Web Based and Secure
When considering any Compliance system, management should not have to be concerned about the security of their data. Not only should the Compliance system have standard 128-bit SSL encryption and site certification, but it should also provide an additional layer of encryption for very sensitive documents which may be housed as evidence to support testing results. For example, such data may include compensation related information or HIPAA sensitive documentation. Only authorized employees within the organization should be able to access these types of documents. Multiple levels of security are an imperative feature for a SOX Compliance system.
Flexible for the Future
With the changing legislative environment no company wants to get locked into a tool that is going to be obsolete in a few years, or even a few months. Companies should look for software that can accommodate changes in legislation and industry standards such as the transition from Audit Standard No. 2 (AS2) to AS5. The best systems will provide flexible functionality to allow your organization to comply with new Compliance laws as well as your unique process requirements. For example, an important feature of any Compliance solution is Risk Management. By definition, Risk Management should mean something different to every company based upon their unique industry requirements and company-specific circumstances. Executives should look for a solution that allows them to manage risks as appropriate for their organization. Software should support industry standards and best practices while remaining flexible enough to address each company’s unique requirements.
Software flexibility does not only mean having a few custom fields available for client use; it is much more than that. Executives should ask themselves whether the systems they are evaluating can accommodate their changing requirements. How easily can the system be changed to accommodate acquisitions or divestitures? That shouldn’t require a new system implementation. Also, how well does the system handle inevitable personnel or systems changes? If someone gets promoted, changes departments or even leaves the company you must be able to easily reassign their role and / or tasks to another user quickly and seamlessly. These are just a few examples of what we call “usability efficiency features” that can only be developed through hands-on Compliance experience.
Finally, a flexible Compliance system should not require a dedicated IT staff to maintain it. Configuration and user maintenance must be simple in order to be cost effective. Avalion believes this is one of the most compelling reasons companies should seriously consider SaaS model software solutions over traditional license / maintenance approaches to software acquisition.
To find out more about Avalion Consulting and our industry leading SOX solution ComplianceSet™ please visit: www.ComplianceSet.com.