To hear many company executives tell it, the Sarbanes-Oxley Act has been a monumental burden, sucking up time and resources without making their businesses more competitive.
At MasterCard International Inc., complying with Sarbanes-Oxley financial-reporting regulations required 45,000 staff hours of work provided by its consultant, Deloitte & Touche, and its external auditor, PricewaterhouseCoopers. "The cost has been overbearing," says Chris McWilton, CFO at the charge-card company with $2.6 billion in revenue.
[Photo caption: Automation reduces human error, MasterCard CFO McWilton says. Photo by Ken Schles]
MasterCard isn't alone in trying to learn from its Sarbanes-Oxley experience. Nextel Communications Inc. found it needed to do a better job controlling employee access to sensitive data and IT systems. And United Technologies Inc. discovered that it wasn't making full use of the financial controls built into its enterprise-resource-planning systems.
U.S. companies are expected to shell out $6.1 billion this year alone for the manpower, IT, and consulting services they need to comply with Sarbanes-Oxley, according to AMR Research. The Securities and Exchange Commission estimates that companies collectively spend nearly 5.4 million staff hours each year implementing Sarbanes-Oxley's section 404--the part of the federal legislation that deals with financial-reporting controls. No wonder Sun Microsystems CEO Scott McNealy in 2003 likened Sarbanes-Oxley to throwing "buckets of sand into the gears of the market economy."
Sarbanes-Oxley, which took effect late last year, was designed to improve the quality of financial reporting and restore confidence in financial statements in the wake of the Enron and WorldCom accounting scandals. Certainly, it has been a headache for some businesses. Major companies, such as SunTrust Banks, Eastman Kodak, and Toys "R" Us, already have reported accounting problems that may preclude issuing a statement in their 2004 annual reports attesting to the effectiveness of internal financial-reporting controls as required by the law. If the companies don't address problems in a timely manner, they could face SEC enforcement actions.
Forward-looking companies see Sarbanes-Oxley compliance as an opportunity to identify and implement business-process improvements, AMR Research analyst John Hagerty says. "They're using compliance initiatives to drive business improvement and achieve greater profitability." At Nextel Communications, which is merging with Sprint Corp., the compliance process "began as an administrative task but has evolved into a basis for achieving competitive advantage," says Michael Bryan, who until leaving the company last week was Nextel's director of IT governance.
While working through the steps to comply with Sarbanes-Oxley, Nextel managers discovered they needed to pay more attention to how employees were given access to sensitive data and programs. Although Nextel had created written access-control policies, they were enforced haphazardly, if at all. The company installed Thor Technologies Inc.'s Xellerate Identity Manager system to automate the management of Nextel's 90,000 user identities. "When someone asks for an audit trail of access privileges, the relevant documentation is contained in the Thor system," Bryan says.
Access to programs and data is one of the major IT controls mandated by the Public Company Accounting Oversight Board, a private, nonprofit body that sets auditing standards for Sarbanes-Oxley. Other controls include monitoring computer operations, software development, and software change management.
Companies are finding that beyond complying with Sarbanes-Oxley, automating access controls helps enforce information security policies, such as limiting access to sensitive data to authorized users, according to a February report from the Aberdeen Group market-research firm that examined the Sarbanes-Oxley compliance efforts of 40 companies. And information security and access control are going to become increasingly vital for compliance, not only for Sarbanes-Oxley but for the Health Insurance Portability and Accountability Act and other regulations. As information security and access control become more important, they're being transformed from a set of ad hoc activities into coordinated business processes.
Brightpoint Inc., which provides outsourced manufacturing, logistics management, and marketing services such as Web-site management to wireless phone companies, spent about $3 million last year on Sarbanes-Oxley compliance. The company has gained peace of mind that it had the necessary financial controls in place for complying with Sarbanes-Oxley, CFO and executive VP Frank Terence says. But working through the compliance process also uncovered areas where business processes needed to be improved, particularly IT change-management processes and procedures used to control access to critical software programs and data.