Sarbanes-Oxley and Web Services
Act now to get an early grasp of the inevitable
Apr. 5, 2004 12:00 AM
This article makes the case that Web services provide a significant benefit to Sarbanes-Oxley compliance projects, and that they will therefore be used extensively on these projects. We begin with a very brief primer on the Sarbanes-Oxley Act, then describe the connection between SOX and Web services, including an outline of how most Sarbanes-Oxley projects are conducted and where Web services fit in. Finally, I offer some specific actions you can take today to get yourself ready for Sarbanes-Oxley.
A Sarbanes-Oxley Primer
The Sarbanes-Oxley Act of 2002, which applies to all companies traded on U.S. stock exchanges, was enacted into law in response to financial scandals such as Enron and WorldCom (later renamed MCI). The law puts into place tough requirements and penalties to ensure that companies' financial statements accurately represent their business position. There are numerous sections in the Sarbanes-Oxley Act. However, the three that concern us here are Sections 302, 404, and 409. As shown in Figure 1, these are successively steeper hurdles that are being phased in over time.
- Section 302 states that CEOs and CFOs must personally certify their companies' financial statements. Few specific controls are required by Section 302. The point of it is to establish CEO/CFO accountability for the rest of the Act's sections, backed by criminal penalties (under Section 906 of the Act) for knowingly certifying a report that does not fairly present the company's condition.
- Section 404 mandates that well-defined and documented processes and controls be in place for all aspects of company operations that affect financial reports. Furthermore, executive management and a company's auditors must each state in writing that these processes and controls have been examined and are effective. Any findings of ineffectiveness must be publicly disclosed. For companies whose public float (the market value of shares held by non-affiliates) is $75 million or more, the SEC's "accelerated filers," this rule goes into effect beginning with fiscal years ending June 2004. In other words, right now.
- Section 409, which is not yet in force, will soon require public disclosure of all events that could materially affect company financial performance "on a rapid and current basis," which in practice means real time. To comply with this rule, companies will first have to recognize in real time that a significant event has taken place (e.g., a cash-flow problem), and then get that information into a public reporting system.
Sarbanes-Oxley and Web Services
At first glance, the connection between Web services and Sarbanes-Oxley is not obvious. After all, what do Web services have to do with financial reporting? Indeed, most of today's Sarbanes-Oxley compliance projects are being run by finance departments, with little or no IT involvement.
But recall that Section 404 dictates that controls be in place for all material impacts to financial statements. In other words, every significant business transaction - most of which span multiple corporate systems - must be modeled and inspected for risk; if risks are found, they must be mitigated. Furthermore, Section 409 requires real-time recognition and disclosure of material events. How will these requirements be met?
As Figure 2 implies, most public companies are large, distributed organizations, with diverse systems that have been built up independently over time. To bring information from these systems together, such as for producing financial reports, multiple strategies are generally used, often including point-to-point connections and manual systems. For example, a distribution center in Ohio might send a file or a set of transactions to a headquarters accounting system in Dallas. Or spreadsheet summarizations might be used to consolidate output from multiple plants. Even pencil-and-paper manual controls are common.
These point-to-point and manual systems often get the job done, but they are not up to the requirements of Sarbanes-Oxley. They can expose an organization to problems such as:
- Inconsistent policy and control implementations
- Rekeying errors across multiple systems
- Omitted or double-posted transactions due to failed processes
- Inconsistent or nonobjective manual reviews and approvals
- Lack of reconciliation between unintegrated systems
- Unusual events not flagged for follow-up
In a nutshell, these point-to-point and manual controls (a) fail to document the specific links between systems; (b) do not enforce controls with enough rigor; and (c) can be extremely error prone. The simple truth is that most corporations cannot achieve the requirements imposed by Sarbanes-Oxley without a strategy for automating the integration of the diverse business processes and systems throughout the enterprise. Web services and other integration technologies can be that link, providing the capability to establish control and documentation, reduce risk and error potential, and lower control costs.
Sarbanes-Oxley is often viewed as a burdensome business regulation that provides little or no business value. Consider, however, a different view: Sarbanes-Oxley compliance efforts can transform an enterprise into one that ties together every person, computer system, and business process; one that routes information to and from the right people, in the right places, at the right times. In other words, the Sarbanes-Oxley Act can be seen as a compelling event that provides the impetus to accelerate business responsiveness, streamline supply chains, and enable better decisions. If this isn't a job for integration and Web services, what is?
IT and Sarbanes-Oxley
If Web services are so important to Sarbanes-Oxley compliance efforts, why aren't we seeing them (and other integration technologies) in more of today's compliance projects? Indeed, most of today's Sarbanes-Oxley compliance work is being driven by finance organizations, company auditors, or both. IT is rarely involved, except to execute the plans created by Finance/Audit. The reason for this conspicuous absence is twofold.
The first reason is simply a deadline issue. For most companies, Section 404 requirements must be met in the current fiscal year, and executives who knowingly certify inaccurate financial statements face criminal penalties, including prison. This means that finance organizations are scrambling just to get their systems documented and to plug the biggest risk areas, usually with manual fixes. Prison is a powerful motivator for getting a job done, even if the solution is not particularly elegant on the first round.
A second reason that IT is not yet involved in many Sarbanes-Oxley projects is that these projects tend to follow a natural progression of three phases, and the value of integration and Web services is not evident until the third one. In other words, many companies simply haven't gotten around to the point where Web services are needed. The three phases common to most Sarbanes-Oxley compliance projects are:
- Phase 1, assess and prioritize subject areas: Financial statements are reviewed to identify line items at risk for fraud or error. These items become candidates for immediate evaluation and, where necessary, remediation. For example, salaries might be deemed a low-risk item since they are tightly controlled by a small group of people. Revenue recognition, on the other hand, might be deemed high risk because of loosely defined recognition procedures. This phase is really about analysis and prioritization.
- Phase 2, document and evaluate business processes: The business processes deemed most critical in phase 1 are documented and then evaluated for fraud and error potential. Several technology-based solutions are available to enable companies to graphically model these processes and to use these models to find missing or inadequate control points. But this phase is still mostly financial analysis.
- Phase 3, remediate and improve control systems: As control weaknesses are discovered in business processes, system changes and/or automation are added. This is where Web services come in.
What Do Web Services Bring to the Table?
As projects enter this third phase, Web services and other integration technologies become key implementation enablers. Using Web services, for example, manually prepared spreadsheet summarizations can be eliminated in favor of direct system-to-system communication, yielding tightly controlled audit trails for Section 404 compliance. Similarly, real-time alerts can be defined via Web services to recognize and report on unusual events, to comply with Section 409. All told, Web services address three of the most important business drivers in Sarbanes-Oxley compliance projects:
- Control enforcement: Automated control of both computer-driven and people-based systems is far more effective than written procedures, because an automated control cannot be skipped or quietly worked around the way a written one can. (The control itself must then be protected: whoever can change its rules, its data, or its log can subvert it, so access to those must be restricted and logged too.) For example, in the event of a credit risk override, a real-time alert sent to the risk management staff can prevent a poor decision from becoming a business disaster.
- Real-time reporting: The real-time reporting requirements of Section 409 are coming soon, and businesses must have automation in place to handle them. For example, Section 409 will require rapid public disclosure of material events such as significant write-downs or bad debt recognition. Automated alerts provided by Web services can ensure that such events are communicated immediately to the appropriate executives.
- Cost reduction: Initial Sarbanes-Oxley compliance costs may be high simply because many of the controls put in place will be manual or one-off efforts. To reduce these costs, IT organizations will need to drive these controls into automated enterprise-class systems. For example, the cost of evaluating customer credit risk can be reduced by integrating credit history and external credit checks into the order processing system.
Actions to Take Today
If you are involved in Web services development at a public corporation, be assured that Sarbanes-Oxley is a force headed in your direction. Within the next year, many of your company's systems will need to be tied together in new ways, and Web services can be a critical architectural enabler. Be ready for these changes. Following are a few ideas for actions you can take today.
- Get involved: Learn about the Sarbanes-Oxley efforts in your organization. Identify the people in your finance organization working on Sarbanes-Oxley (they are there, I promise), explain how IT will be important to them in the near future, and ask to get involved proactively.
- Service-oriented architectures: Build your systems with a service-oriented architecture to maximize flexibility and adaptability. When the Sarbanes-Oxley projects come your way, you'll be ready.
- Build in auditability: Remember that Section 404 doesn't just demand integration; it requires controls over that integration. Controls generally translate to auditability: the ability to know exactly what happened, who did it, when, and why. That means every service call that changes financial data should leave a record that identifies the authenticated caller, the action, the time, and the business reason, and that record must be kept where the people it describes cannot alter or delete it; an audit trail its own users can edit is not a control. Build these capabilities into your systems today.
- Tools: There are many solutions on the market today that claim to help with your Sarbanes-Oxley efforts. For the most part, they are designed for phases 1 and 2, which are primarily carried out by finance organizations. The tools that will be most helpful to you in implementing phase 3 (remediate and improve control systems) are Web services infrastructure and integration tools. Look for standards-based tool sets that are staying on the leading edge of Web services technologies.
- Choose your partners carefully: Chances are, your systems integrators and auditors have already been chosen by your finance organization. Choosing your technology partners, however, will probably fall to you. Be sure that your provider is a public company, itself subject to the Sarbanes-Oxley Act. It should understand Sarbanes-Oxley "personally." It should also possess an unblemished track record of conservative financial practices without pending shareholder or other lawsuits, and should have pre-existing partnerships with your Sarbanes-Oxley advisors (e.g., auditors and systems integrators).
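As an added example, not code from the article or from any product it mentions, here is a small Python service that implements the three things the text asks for: the control enforcement and real-time alerting described under "What Do Web Services Bring to the Table?" (a credit-risk override that must be approved by a second person and that immediately notifies risk management), and the auditability called for under "Build in auditability" (a record of who, what, when, and why for every decision). Everything in it is hypothetical: the credit limit, the user names, the order data, the action names, and the alert callback, which stands in for whatever messaging or Web services call a real deployment would use.

```python
"""Added example (not from the article): an order-release service acting as a
Section 404-style control point. It enforces a credit limit, requires a second
person to approve any override, records who/what/when/why in a hash-chained
audit trail, and raises a real-time alert whenever an override happens.
The credit limit, user names, orders and action names are hypothetical."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Callable, Optional

CREDIT_LIMIT = 10_000.00  # hypothetical per-order limit used by the sample


class ControlViolation(Exception):
    """Raised when a request fails an automated control."""


class AuditLog:
    """Append-only audit trail. Each record stores the SHA-256 digest of the
    previous record, so altering, removing or reordering an earlier entry
    breaks the chain. This makes the log tamper-evident; keeping it out of
    reach of the people it records (separate system, append-only access) is a
    deployment matter that the code alone cannot guarantee."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.records: list[dict] = []
        self._prev = self.GENESIS

    @staticmethod
    def _digest(record: dict) -> str:
        body = {k: v for k, v in record.items() if k != "digest"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, actor: str, action: str, why: str, **details) -> dict:
        record = {
            "seq": len(self.records),
            "at": datetime.now(timezone.utc).isoformat(),  # when
            "actor": actor,    # who (the authenticated caller)
            "action": action,  # what
            "why": why,        # why
            "details": details,
            "prev": self._prev,
        }
        record["digest"] = self._digest(record)
        self.records.append(record)
        self._prev = record["digest"]
        return record

    def verify(self) -> bool:
        """True if no record has been altered, removed or reordered."""
        prev = self.GENESIS
        for r in self.records:
            if r["prev"] != prev or self._digest(r) != r["digest"]:
                return False
            prev = r["digest"]
        return True


class OrderService:
    """The control point: the only path by which an order is released."""

    def __init__(self, log: AuditLog, alert: Callable[[dict], None]) -> None:
        self.log = log
        self.alert = alert  # e.g. a message to the risk-management queue

    def release_order(self, order_id: str, customer: str, amount: float,
                      requested_by: str, override_by: Optional[str] = None,
                      reason: str = "") -> str:
        facts = dict(order_id=order_id, customer=customer, amount=amount)
        if amount <= CREDIT_LIMIT:
            self.log.append(requested_by, "order.released", "within credit limit", **facts)
            return "released"
        if override_by is None:
            self.log.append(requested_by, "order.held", "exceeds credit limit", **facts)
            return "held"
        # Separation of duties: the requester may not approve their own override.
        if override_by == requested_by:
            self.log.append(requested_by, "order.rejected",
                            "self-approval of credit override", **facts)
            raise ControlViolation("override must be approved by a second person")
        if not reason.strip():
            self.log.append(override_by, "order.rejected",
                            "override without documented reason", **facts)
            raise ControlViolation("override requires a documented reason")
        record = self.log.append(override_by, "credit.override", reason,
                                 requested_by=requested_by, **facts)
        self.alert(record)  # real-time notification, not an end-of-period report
        return "released-with-override"


if __name__ == "__main__":
    alerts: list[dict] = []
    log = AuditLog()
    svc = OrderService(log, alerts.append)
    print(svc.release_order("SO-1001", "Acme Corp", 4_500.00, requested_by="jsmith"))
    print(svc.release_order("SO-1002", "Acme Corp", 25_000.00, requested_by="jsmith"))
    print(svc.release_order("SO-1002", "Acme Corp", 25_000.00, requested_by="jsmith",
                            override_by="rkhan", reason="prepaid deposit on file"))
    print("alerts raised:", len(alerts), "chain intact:", log.verify())
    log.records[1]["details"]["amount"] = 2_500.00  # someone edits an old record
    print("chain intact after edit:", log.verify())
```

Two design points matter more than the code itself. First, the override is not a flag on the order but a separate, attributed action by a second person with a stated reason, so the log answers "who, what, when, why" without any manual review. Second, the chained digests only make tampering detectable; they do not stop it. The log still has to live somewhere the order clerks and their managers cannot write to, and `verify()` should run from that separate vantage point, or an insider can simply rebuild the chain.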
It's important to recognize that compliance with Sarbanes-Oxley is not a one-time event or project. This is a process that will be ongoing for many years to come. Sarbanes-Oxley compliance is here to stay, and it will impact every major system in every public corporation for the foreseeable future.
It's sort of like Y2K, only this time there is no end in sight.