
Relieve the burden of regulatory compliance

Shake any enterprise system and out falls a Sarbanes-Oxley solution

By Gary Ruderman, senior editor -- Manufacturing Business Technology, 6/1/2004 6:00:00 AM

American business loves to gripe about regulation. John Devine, General Motors' CFO, tells The Financial Times that regulations like the 2002 federal Sarbanes-Oxley Act (SOA) make manufacturers focus "on complying with financial rules at the expense of their core business."

Sun Microsystems' CEO Scott McNealy chimes in, saying shareholders will pay for the "massive amounts of time executing on the rigmarole around Sarbanes-Oxley."

But rather than viewing SOA as an expense, Michele Garigliano looks at it as a competitive advantage.

"Companies are trying to understand the components of SOA and put in all the necessary controls. It is now the law and customers may ask if you're compliant," explains Garigliano, director of IT for K&L Microwave, a government contractor in Salisbury, Md.

AMR Research, Boston, expects general manufacturing companies to spend nearly 2.5 percent of 2004 IT budgets on SOA compliance software alone. Enron and other accounting scandals of the last three years fomented the 2002 Sarbanes-Oxley Act, a public company corporate accountability law, under the purview of the Securities and Exchange Commission (SEC).

There are ways, however, to lessen what may be considered the burden of regulatory compliance. Installed ERP applications may be sufficient, or can be expanded by activating "latent" modules. A host of new ERP modules are either on—or coming on—the market to address SOA. And even for companies without enterprise suites, stand-alone data management solutions are being applied to the SOA compliance space.

K&L Microwave, a maker of radio-frequency and microwave filters, forged ahead with SOA compliance using the same document management system that serves as the framework for its ISO9001 process repository, and its control point for engineering and change control. The system is one module of K&L's ERP system, provided by IFS.

K&L's parent company—publicly held Dover Corp.—requires that all its subsidiaries comply with SOA because it imposes a set of internal controls that are "the hallmark of any good company," Garigliano says.

Tapping latent modules

Two sections of SOA bearing on corporate accountability are top of mind today. Section 404 demands a visible, repeatable, and tested financial reporting process in every publicly owned company. Section 409 mandates a "significant event" reporting mechanism more stringent and timely than the SEC 8-K filing.

Section 404, with its looming November 2004 deadline for many public companies, is of the most concern.

While a company like K&L finds document management functionality sufficient for its needs, analysts say ERP suites have other "hidden" or unused modules that can contribute to compliance.

"Long-term savings will be found by tapping latent ERP functionality to automate internal controls, periodic testing, and compliance tracking"—three key elements of SOA's Section 404 compliance, explains Bill Swanton, a VP at AMR.

What's available in ERP but unlikely to have been purchased heretofore, says Swanton, are applications that automate and document the risks and their controls.

Throwing the switch

Garigliano says she didn't have to add more modules because of the IFS suite's completeness. Instead, "We've built new queries to answer compliance-related issues."

Walnut, Calif.-based ViewSonic Corp. added Oracle's Internal Controls Manager 2 (ICM2) SOA solution to its Oracle e-Business Suite not because it's required by law, but because it's a good business practice. Installing ICM2 also meant activating parts of the Oracle Projects module.

ViewSonic's CIO Robert Moon says, "ICM2 pulls information out of many modules and puts all of it in one place, gathering latent information from finance, distribution, and bills of material into one repository and organizing it functionally."

Identifying the appropriate compliance solution may involve cobbling together the old and the new—what's hidden in an enterprise system and what's in plain view—but it also requires human intervention.

PeopleSoft Financial Management has the makings of a SOA solution, explains Jennifer Toomey, a director of product marketing. It's complete enough to make the compliance process repeatable and auditable but is missing an automated enforcement tool, called Internal Controls Enforcer, due out in May.

"SOA compliance is a bit like ISO9000 in that it documents a process, but you can't flip a switch in the software to make employees follow procedures," explains Mitch Dwight, CFO of IFS North America. "Software will facilitate compliance, but it's up to you to set controls."

Seamus Moran, a director in financials software development at Oracle, says needed control capabilities might be found in any of a number of ERP modules: SOA business monitoring is considered a matter of corporate performance measurement, but includes elements of business intelligence, activity-based planning, enterprise planning and budgeting.

Because SOA requires that auditors and others see the control process in action, ICM2 shows how the control system operates in real time. "It is easily visible to those looking for or at it, but invisible to those who execute the processes."

Stand-alones proliferate

Gartner counts around 60 stand-alone vendors of SOA compliance solutions and is in the process of ranking them. Most are business process management (BPM) solutions, melded with records management disciplines and overlaid with SOA templates.

"From a documentation standpoint, stand-alones are OK, but from an integration standpoint with the enterprise system, they're not there yet," indicates AMR analyst John Hagerty.

Daryn Walters, VP of global marketing and strategy for BPM software supplier HandySoft, disagrees. "There are significant numbers of financial processes and accounts that don't originate in ERP, and they can't be monitored from the enterprise system."

Walters says ERP may not be sufficient once the SOA Section 409 process gets defined later this summer. If the SEC defines the loss of a major customer as a reportable incident, Walters says, standard SOA software can report the financial impact: X amount of sales lost through a contract period or based on historic sales. "But drilling down farther means knowing what went wrong operationally, what caused the lost business—the lack of on-time delivery to the customer or a failure of the supply chain—which is not part of the financial base."

HandySoft and Plumtree Software, a Web portal integration company, have a hybrid solution called SOXA Accelerator that approaches compliance from a BPM perspective with the ability to send information to, and get information from, an ERP system, explains Walters. Plumtree provides the presentation layer—collecting, visualizing, and offering the navigation to the user. HandySoft furnishes information collection, routing, and updating of the data.

© 2009 Reed Business Information, a division of Reed Elsevier Inc. All rights reserved.