SOX Compliance and Costs
By Ken Mark
After enduring short-term pain to achieve Sarbanes-Oxley (SOX) compliance from the SEC (Securities & Exchange Commission), retailers are now seeking long-term gains from deploying technology to lower costs by automating repeatable processes. The shift focuses on boosting the efficiency of IT and other departments as they continue to comply with evolving regulations.
That's the conclusion of industry and technology analysts, since most retailers remain tight-lipped about their SOX initiatives. "Unlike pharmaceutical and financial services firms that are already highly regulated," says John Hagerty, vice-president, AMR Research, "retailers are new to this level of government oversight. So they are treating their SOX efforts as corporate secrets. In fact, they will only talk to us on a non-disclosure basis."
In "heard on the street" terms, here are some pairings, among others, of retailers and SOX-compliance software vendors: 7-Eleven and LogicalApps, KMart and Open Pages, and Lowe's and Approva. On the retailer-consultant side, there is Walgreen and Protiviti as well as Limited Brands and Paisley Consulting.
Add to that list Michaels Stores and Consul Risk Management. A closer look at this project offers real insight into what SOX implementations are all about. The Irving, Texas-based retailer enjoys a reputation for state-of-the-art systems. It is also the world's largest specialty retailer of arts and crafts materials, with more than 900 stores under its own and other banners and annual revenues exceeding $3 billion.
However, in late 2004, according to Rick Wenban, an independent Dallas-based consultant under contract with Michaels Stores, it received only a provisional pass from the SEC, accompanied by a proviso to upgrade its compliance system. "All the compliance work had been done manually," he says, "so there was little proof to support that verification and that the audits had been done properly."
As a result, the retailer is currently wrapping up the implementation of Consul's InSight Security Manager. Its task is to normalize SOX compliance processes while reducing costs. Thanks to InSight, Michaels has set up Cardholder Information Security Program (CISP) compliance standards and a rules-based system to ensure that policies are consistently interpreted and applied across the corporation, replacing earlier, one-off practices. InSight tracks, reviews and investigates non-compliant behavior such as unauthorized system access by administrators and other privileged users. It continuously monitors activity logs on the firm's 20 servers to detect unusual incidents and intrusions, and measures them against a benchmark based on each individual's position and authority. The log reports are then reviewed daily and verified periodically.
"The system is easy to use. It was implemented in three days," says Wenban. Since InSight is so robust, it produces a number of new views of the logs, which offer systems administrators additional tools for tightening security. For example, automated log reports provide near real-time snapshots of transaction activity, but now they can also be compared with longer-term historical data to spot trends.
Consequently, if administrators notice a series of incidents occurring every day at the same time from the same source, that may indicate a more serious problem than a lone event on a single day's log.
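As an added illustration of the two checks Wenban describes (this is not the article's or Consul's code), the Python sketch below flags log events that exceed a per-position authority benchmark and then reports exceptions that recur at the same hour from the same source across several days; the log lines, roles, user names and benchmark sets are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the article): timestamp, user, role, action, source host.
SAMPLE_LOG = """\
2004-11-01T02:00:12 jdoe sysadmin read_cardholder_db host-17
2004-11-01T09:15:00 asmith helpdesk reset_password host-03
2004-11-02T02:00:41 jdoe sysadmin read_cardholder_db host-17
2004-11-02T14:20:05 asmith helpdesk read_cardholder_db host-03
2004-11-03T02:01:07 jdoe sysadmin read_cardholder_db host-17
2004-11-03T11:05:30 bjones dba backup_db host-09
"""

# Benchmark: the actions each position is authorised to perform.
# Assumed values for illustration, not Michaels' actual policy.
BENCHMARK = {
    "sysadmin": {"restart_service", "patch_host", "backup_db"},
    "dba": {"backup_db", "restore_db"},
    "helpdesk": {"reset_password", "unlock_account"},
}

def parse_log(text):
    """Parse the whitespace-separated constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, role, action, source = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "action": action, "source": source})
    return events

def daily_exceptions(events):
    """The daily review: events whose action lies outside the actor's position benchmark."""
    return [e for e in events if e["action"] not in BENCHMARK.get(e["role"], set())]

def recurring_patterns(exceptions, min_days=3):
    """The trend view: exceptions repeating at the same hour, from the same source,
    by the same user, on at least min_days distinct days."""
    days_seen = defaultdict(set)
    for e in exceptions:
        key = (e["source"], e["user"], e["action"], e["ts"].hour)
        days_seen[key].add(e["ts"].date())
    return {key: len(days) for key, days in days_seen.items() if len(days) >= min_days}

if __name__ == "__main__":
    exc = daily_exceptions(parse_log(SAMPLE_LOG))
    for e in exc:
        print("exception:", e["ts"], e["user"], e["role"], e["action"], e["source"])
    for key, n in recurring_patterns(exc).items():
        print("recurring:", key, "seen on", n, "days")
```

On the sample data the single helpdesk lookup is a one-off exception, while the 02:00 reads from host-17 are reported as a three-day recurring pattern.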
According to Wenban, the software was affordable and requires approximately $40,000 of hardware to operate. InSight delivers ROI in the form of a lower total cost of ownership (TCO) for the system. "Before implementation, the eight system administrators each spent about four hours a week on SOX compliance," he says. "Now, they spend only half an hour per week."
Such a boost in employee productivity is not typical. According to a November 2004 AMR survey, U.S. firms, not just retailers, are expected to spend $6 billion on conformance in 2006. Of that total, 39 percent goes to employees' time and effort, a share that is stabilizing. However, technology's portion, 32 percent, is rising, while that for outside consultants, 29 percent, is falling.
On this last point, however, Michaels' experience is on trend. "InSight makes outside auditors more efficient," says Wenban. "They can now do their work validating the presence of required processes and their proper functioning sitting in front of a terminal. Before, they had to go and interview administrators individually."
For retailers, meeting SOX compliance standards also delivers additional, immediate dividends. According to Wenban, being SOX compliant makes it easier for them to meet the CISP agreement section of the Payment Card Industry (PCI) Data Security Standard. Non-compliance penalties are severe: for example, merchants or service providers whose systems have been compromised but found to be CISP-compliant at the time of the security breach are subject to fines of up to $500,000 per incident.
Other retailers further along the compliance path have started to use technology to meet business rather than just compliance needs. "In 2006, more mature compliance efforts will leverage technology to support internal controls evaluation and controls automation and monitoring," says Paul Hamerman, vice-president, enterprise applications, Forrester Research. "In addition, many companies will make significant investments for overdue improvements in their core accounting and reporting systems."
Such investments will target basic back-office IT systems and procedures as well as expanding control and monitoring functions. "Companies need to reduce variability and increase accuracy in critical financial and other data," says AMR's John Hagerty. "They want to eliminate extra or unnecessary processes and standardize their IT platforms. I recently talked to a firm with four different ERP systems, not to mention various versions of dozens of software applications running on them. Consolidating on a central IT platform will enable them to make greater use of business intelligence (BI) analytics to improve overall performance monitoring and measurement. Thanks to Sarbanes-Oxley, we are seeing technology introduced into new areas of the business."
As a result, companies are replacing Excel spreadsheets with more up-to-date tools to speed up the completion of period-ending statements and to ensure their accuracy. From there, firms can use SOX-specific software to validate and verify their controls and the security of the numbers, as well as the underlying accounting and financial processes.
"In 2004, I talked with a very large retailer with more than a dozen chains built up through acquisitions," says Forrester's Paul Hamerman. "Each chain had its own separate accounting system. At that time, the company's goal was simply to consolidate all the different systems into a single corporate-wide one."
In the future, according to AMR's John Hagerty, as compliance becomes an everyday business concern, SOX software will become embedded in business application programs or larger enterprise management systems (EMS). Functionality will also expand to focus more on business risk management, and the number of SOX-specific software developers will shrink as larger vendors acquire them.