Did your company take the same path as many corporations in order to comply with the Sarbanes-Oxley Act? Finance and audit teams generally followed a four-step process: They documented business processes, documented the controls on those processes, created reports on the controls, and, finally, certified those reports. Thus, with many long hours and new employees (and no help or interference from IT), the CFOs achieved initial compliance for their finance and audit departments. Now, section 404 of the regulation, which was delayed to June 15, 2004, is taking effect (its actual effective date depends on the last day of a company's fiscal year). This phase requires companies to certify compliance across their enterprises.
Now a finance department can't shut out IT, for two reasons. First, the IT department itself must be brought into compliance. Second, the job of taking the whole enterprise through the four steps to compliance is just too big a job to accomplish with nothing but more hands and more hours. Automating the documentation, testing, monitoring, and reporting processes requires technology. "Companies need to develop a phased approach to support long-term compliance, using technology to support the overall program," says Monica Huber, a senior manager with BearingPoint Inc., a McLean, Va., consulting, systems integration, and managed services firm that played a key role in developing an enterprise-level, wide-ranging Sarbanes-Oxley (also known as SOX) compliance solution. "If companies don't have an automated way to manage controls, governance, and disclosures, it's going to cost them a lot of money to manage the compliance process manually. It's impossible to maintain [such expenditures] on an ongoing basis."
BearingPoint consultants say enterprises have been adopting point-product solutions, but need to take a more comprehensive approach that encompasses documentation, assessment, and the redesign and/or improvement of controls, as well as the implementation of improved financial processes. "Many companies still use paper-based systems or relatively uncomplicated software (such as spreadsheet, word-processing, and flowchart programs) to document their business-process controls for compliance purposes," says Jens Rassloff, BearingPoint head of solution development, enterprise content management, and compliance. "But while these products and paper systems can produce initial documentation easily, they aren't well-suited to continually making or tracking changes."
Staying compliant
The good news is that CFOs are realizing the status quo is unsustainable, according to Huber. It's one thing to achieve initial compliance, but quite another to ensure continued compliance; maintaining the reams of documentation becomes increasingly difficult as processes change and documents are updated. Inevitably, documentation is outdated, lost, misplaced, or forgotten. And yet, the stakes are now too high to allow anything to go astray.
There is a strong practical argument for compliance. When a top executive signs off on a report, proclaiming that controls are in place and functioning properly, there's the threat of jail time if the report contains inaccuracies. The trickle-down effect of this responsibility places demands on other employees, right down to the shop floor. While those managers don't face criminal penalties specific to the production of the section 404 reports, they certainly face civil penalties as well as possible termination if their reports aren't on time and accurate. "[Companies] are now beginning to invest in accounting system upgrades to increase the level of automation in the accounting infrastructure, or they're turning to finance and accounting business-process outsourcers," says Andrew Efstathiou, program manager at The Yankee Group, a research and analysis firm. "The typical investments are going into document management and group work-flow software."
A holistic solution
What executives are looking for, in the long run, is a holistic solution. They're looking at the entire financial systems environment. Underlying that environment is the internal control and management repository, software that has functions for managing documents and work flow. This repository can be used to document, assess, test, and monitor the business-process controls and to report on the efficiency of those controls. "Companies should look for tools that support archiving, work flow, collaboration, communication, integration, and compatibility with the rest of their financial systems architecture," says Huber. "The final components to look for are business intelligence reporting capabilities and ease of integration between compliance data and business-performance data, leveraging the platform and tools the company has chosen as its reporting solution."
To comply with Sarbanes-Oxley in the long term, IT must document and report on its own business processes as well as support documentation and reporting for the rest of the enterprise. Companies must build IT systems to support new corporate policies, which require transparent processes. Companies should not be building stand-alone solutions, but rather should see SOX as one aspect of a wider compliance framework, relying on a solid infrastructure, according to Rassloff. BearingPoint's compliance solution embraces underlying Microsoft technologies to create documents, manage work flow, and facilitate collaboration and communications. "It is a scalable and extensible compliance platform that formalizes controls, work flow, communication, and reporting across business units, thus supporting a long-term corporate governance vision," says Rassloff. "It utilizes the existing Microsoft environment and gives workers familiar software they know how to use." This is rather important because, unlike many knowledge-management initiatives, the employees on the ground aren't allowed to choose whether to participate or not.
Once companies achieve 404 compliance, section 409, also called Sarbanes II, looms. Section 409 requires companies to inform investors "on a rapid and current basis" of material changes in the company's financial condition or operations. In the past, Form 8-K requirements provided a five-to-fifteen-day window for disclosing certain events. But now companies will be required to report all of those events, plus several others, within four days. There's good news, though: An SEC review of 68,000 Form 8-K filings showed that almost three-quarters of those reports were filed within four business days, so the SEC expects only five additional filings annually per company, on average. And if companies do implement holistic, long-term systems to support disclosure management and have integrated methods of performance management, then compliance with section 409 should be achievable and not prohibitively expensive.
M. Elisebeth Tyler is a freelance writer based in Newport News, Va.
Illustration by Marc Rosenthal