Wednesday, October 28, 2009

Joining the Sarbanes-Oxley Bandwagon; Meeting the Needs of Small and Medium Businesses

The need for solutions that can meet compliance regulations has grown. In 2004, finance executives around the world became increasingly sensitive to the need to improve reporting in relation to their corporate governance and regulatory compliance obligations. CODA Group, a United Kingdom-based finance management system specialist, responded by launching CODA-Control, a task modeling tool (engine), which helps user companies control and audit business processes, and automate data collection for financial reporting. CODA-Control is one of CODA's recently unveiled collaborative solutions; it aids regulatory compliance and period-end financial closing, and automates financial procedures, thus possibly reducing escalating audit costs and lowering the risks of non-compliance. The product takes the organization's best practice model of a documented financial process and automatically generates a dedicated, shared, secure, in-house team web site through which the execution of the entire process is controlled. CODA-Control helps transform the organization's processes into highly repeatable, auditable, and controllable events.

Part Two of the Composing Collaborative Financial Applications, CODA series.

As exemplified by CODA-Control, CODA views Microsoft technology as its primary development platform for its process control applications. This should help organizations manage and improve complex business processes, such as those geared towards enabling compliance with the Sarbanes-Oxley Act (SOX) of 2002 and towards facilitating month-end closing. CODA's decision to design a control application using the Microsoft SharePoint Products and Technologies platform has even been cited as a key factor in some customers' decisions to purchase CODA-Control.

To put this into context, SOX was passed by the US Congress in response to a number of high-profile financial scandals, such as those at Enron, Tyco, and WorldCom, with the idea of making corporate accounting procedures more transparent to investors and regulators. Even before these scandals, missed earnings announcements were often accompanied by chief financial officers (CFOs) stating that financial expectations were not met due to a "lack of visibility" into corporate activities. These CFOs would frequently blame unforeseeable events, such as a key customer canceling a major order unexpectedly, or suppliers ramping up prices due to a shortage of raw materials. Regardless of the reason, CFOs are increasingly being called upon to give more accurate estimates of their earnings potential, and explanations as to why their company failed to meet these estimates.

Although the SOX law included a number of new mandates, two sections in particular have had clear implications for corporate information systems. Section 404 (Management Assessment of Internal Controls) requires management to assess, on a yearly basis, the effectiveness of its own internal controls and procedures for financial reporting. Section 409 (Real Time Disclosure) requires companies to disclose material changes in their financial condition or operations on a rapid and current basis. These two sections have prompted many predictions regarding how much must be spent on information technology (IT) in order to meet compliance needs (albeit, this may be at the cost of stalled projects in other areas that are now considered lower priority). Section 404 requires audits of internal controls, and has caused executives to reexamine, and possibly replace, operational systems that are not well integrated with financial systems. For example, an accounts payable (AP) system that does not systematically match purchase orders and receipts to vendor invoices, before the payment is made, might be vulnerable to fraud. Such a system may also be vulnerable to abuse by someone who creates fictitious employees and suppliers and then pockets the money. In addition, an invoicing system that is not integrated with shipping might allow a manager to improperly recognize revenue that was not yet earned.

Section 409 seems to call for a more transparent and integrated financial reporting system than many companies have. For example, companies that work on a ten-day financial closing period seem to be at risk for non-compliance with real time disclosure, which currently demands the disclosure of material events within forty-eight hours. The problem is particularly acute for firms with multiple operating units and decentralized systems, because, in recent years, many enterprises have grown both organically and through acquisitions. As a result, accurately reporting on these business units requires a significant number of "manual" accounting processes and adjustments. Such companies will need either to adopt a common financial reporting system, perhaps by integrating multiple systems with a financial reporting layer at the corporate level, or to implement a corporate performance management (CPM) solution to provide near real time analytics.

In any case, the requirements of SOX increase the amount of required manual processing, which, in turn, significantly increases the cost of compliance. The ongoing cost of testing manual financial controls to ensure SOX compliance, and the ongoing compliance risks associated with those controls, are forcing companies to move towards financial systems that not only record transactions, but also manage the entire SOX 404 compliance process. Early adopters of SOX-compliance have reportedly learned some hard lessons by using SOX programs that highlight manual, paper-based processes. Such processes are very costly to audit as compared to automated processes, and it is quite time-consuming to reconcile and correct errors. Such systems are also at higher risk for human errors and omissions.

In light of this, a small or medium business faces a daunting task. It is no longer enough for a company to develop a strong business plan, have a breakthrough product or service, and build strong and effective distribution channels. The complexities of today's business world have created new risks, with a myriad of regulations and complex reporting requirements that can overwhelm a lean and focused organization, regardless of its size. The logical question is how a smaller organization, with limited resources, is supposed to cope with all of this, and, even more importantly, how it will stay abreast of the additional changes that are on the way. For instance, under existing (and soon to be outdated) accounting rules, a company might value its inventories at historic cost. For example, an electronics goods vendor might value unsold, months-old DVDs at the amount they could have been sold for upon their initial release. However, under the forthcoming proposed International Accounting Standard (IAS-2), a company has to give an up-to-date net realizable value (NRV). In other words, it must give an accurate estimate of the products' market value at the time the report is published, with the idea that all corporate assets must be valued at their fair value, rather than at their problematic historic cost. Companies will also need to account for the cost of all employee compensation plans. In particular, this means that the cost of stock option plans or any shortfall in company pension funds must be recorded in the accounts.

Given the magnitude of tracking these types of nuanced accounts, the only sensible answer is to use technology, since many tools have been developed that can greatly simplify the process. Indeed, new versions of compliance software represent big improvements over earlier incarnations. Certainly, in addition to CODA-Control, recent releases from Axentis, ACL Services, Certus, Oversight Technology, Hummingbird, OpenPages, Virsa Systems, Precision Consulting, and Approva reflect a more realistic understanding of the compliance burdens. Some of these solutions compare a company's current controls to compliance "best practices", offering solutions on how to shore up weaknesses and better segregate duties. For example, the software can govern who has clearance to write checks to vendors, to pay employees, or to add revenue in a given quarter. Such software can also enforce the rules by, for example, alerting compliance watchdogs if an unauthorized person attempts to make changes, and can thus act as a mechanism to prevent fraud. Other solutions can help managers document policies and procedures, create electronic archives of those policies, or flag internal transactions that look suspicious.

Investment in CODA-Control-like financial systems might provide a cost-efficient solution that would allow business managers to focus more time on operations and less on compliance. Further, these systems might allow user enterprises to streamline the integration of new divisions into their financial systems and processes, ensuring that the business processes of the acquired units are SOX 404 compliant. Nonetheless, before they can benefit from this technology, small business managers must select the right tools. For more on the critical attributes of SOX tool sets, as well as a discussion on how to use them effectively to maximize payback on the investment of time and money, see Attributes of Sarbanes-Oxley Tool Sets.

Many SOX-compliant businesses will likely still spend many thousands of labor hours and millions of dollars in documenting their accounting processes. In addition, many companies will continue to incur significant annual audit fees for the ongoing testing of manual processes. CODA-Control might come in handy as a practical and affordable solution to this problem for medium to large companies, since CODA can transform manual processes into visible, repeatable, controllable, and auditable events. In other words, it might make auditing simpler, quicker, and cheaper, and thereby change CFOs and controllers back from being slaves to SOX to being masters of finance. In particular, the automation and centralization of manual processes should reduce both the risk and the associated costs of audits because the required checks and balances should be enforced by the system. In addition, processes in remote locations can be tested centrally, re-keying errors are eliminated (and reconciliation effort is thus reduced), and authorizations can be captured electronically and viewed on-line, because one can implement preventive controls to preempt errors before they occur. While there is no panacea for ensuring adherence to documented best practices, automated process management, such as the CODA-Control solution, still seems to be an essential part of the first two years or so of any SOX compliance program.

The CODA-Control solution is available to all organizations, particularly those subject to SOX-compliance, and is independent of a company's financial accounting system. A Microsoft SharePoint web site powered by CODA can deliver tasks, forms, attachments, documents, etc. to business units' diverse transactional systems, and even include all necessary language translations. CODA expects demand for the solution to be extremely high in 2005 and 2006, and has specialist implementation resources available to support organizations worldwide. Still, while such software can help, it is not going to completely automate compliance, which will continue to be a huge manual effort, as there is no substitute for a manager's understanding of the business when it comes to assessing, designing, and implementing proper internal controls.
