Compliance concerns
by Lesley Meall, 14 Dec 2004. Topic: Technology

Should you buy dedicated compliance software, or develop your core business systems to support your present and future compliance efforts? Lesley Meall considers the options.

Scandal sells. So corporate accounting has rarely been out of the headlines over the past three years. This is a mixed blessing: the public profile of the profession has never been higher, but neither has the burden of legislation - or the penalties for failure to comply.

'Now it's considered exciting to be an accountant,' says Sherron Watkins, the Enron whistleblower. But the transformation from boring beancounter to savvy business strategist has come at a cost: increased regulation and responsibility. 'There is a lot of new legislation,' observes Glenn Collins, technical advisory manager for ACCA UK, 'and people are struggling to come to terms with it.' Finance professionals are burning the midnight oil trying to grapple with Basel II, CLERP 9, International Financial Reporting Standards (IFRS), Sarbanes-Oxley, anti-money laundering legislation, and more.

With the profession under so much pressure, software that promises 'complete compliance' can seem mighty tempting, and suppliers wasted no time flooding the marketplace. IBM has a collection of offerings ranging from its general purpose Tivoli Security Compliance Manager to its Basel II Information Management program; Geac, Movaris and Teleran offer dedicated Sarbanes-Oxley compliance applications; while suppliers including Cartesis, Hyperion, Oracle, PeopleSoft, and SAP are all keen to emphasise the compliance strengths of their various resource planning and performance management systems. And these are just the tip of the iceberg. Accountants are spoiled for choice. But those affected need to think beyond immediate regulatory requirements when they decide how to meet them.
Keen to sell their systems, software suppliers suggest that a wide variety of technologies offer the solution to the compliance puzzle, but corporate governance and compliance are just like other business issues. According to the research giant Gartner, compliance doesn't necessarily require new software investments, nor does it need to be implemented across the enterprise in a single step. Most organisations will find that they already have many of the software tools they need to create what Gartner calls a 'compliance management architecture'.

Compliance involves common procedural and technological elements that can be leveraged from one initiative to the next, suggests Debra Logan, research director at Gartner. 'Businesses should not respond to individual regulations but recognise that corporate governance is the target.' Diverse as they are, the recent regulations do tend to mandate business process changes, documentation and reporting. 'These consistencies can allow businesses to develop an architecture that improves their response to any regulation,' adds Logan, 'and those that have security and business continuity planning (BCP), a document management system, and a business process management (BPM) system in place, already have the foundations for a compliance architecture.'

BCP addresses many of the risk reduction issues; BPM manages, modifies and monitors processes as required; while document management solutions can help meet the records retention and documentation requirements that almost every regulation mandates. But having those systems in place offers no guarantee of compliance.

You bought IT, now audit

The first step is an audit of information systems. Although this can theoretically evaluate all aspects of an organisation's technology controls, capabilities, and performance, a series of smaller-scale, more focused, IS audits is probably the most practical approach.
A risk-assessment audit will provide an overview of the major systems and applications used to support critical business processes, and the results can then be used to identify existing or potential areas of risk that need more detailed audits. This list will probably include continuity planning, document and records management, and business process control, but within and around these areas more specific and detailed checks will need to be made.

'Some things are fundamental and can be checked once,' says Logan, but 'others will need to be checked for each set of regulations.' You have to take a compliance view of things, she cautions: 'It's not enough to say "we have all these systems so we must comply."' This advice is echoed by Wendy Cohen of business process management company HandySoft. 'Document management systems don't help you do your due diligence,' she warns, 'particularly if there's no audit trail.'

Computer systems are just the beginning. Research from the Hackett Group recently found that 47% of companies still use stand-alone spreadsheets as part of their financial reporting process; and the controls used to trace and audit these are necessarily manual. 'One of my clients is finding that they have to go back to paper-oriented work,' says Cohen. 'They used to be able to look at a number on a screen then work from it, if it was what they expected it to be.' Now, they have to be certain that it is the right number, as a matter of prudence and necessity. But, as she observes: 'Without the paperwork they can't actually prove that it is the right number.'

Integration and integrity

Another barrier to compliance is islands of information and disconnected systems. Multiple applications, and even different versions of applications, can get in the way. 'If a company is using both SAP and Oracle, or multiple versions of one, this creates a level of complexity,' says David McRaven, director of tax research with specialist supplier Sabrix.
'And lots of companies have more than one ERP.' It is also commonplace for compliance efforts to be hampered by the disconnection between departments. Gartner has found that process management silos all too frequently prevent legal, financial audit and IT audit groups from working together productively. Organisations that remove these barriers have much to gain.

The software giant Oracle faces the same compliance requirements as its client base, but it has taken some of the pain from the process by eating its own dog food. 'Our philosophy is based on seven tenets of business prosperity,' says Michelle Maden, head of finance and compliance solutions at Oracle. These are - consolidate and simplify IT, move to shared services, adopt self-service, automate all processes, leverage low-cost computing, ensure visibility and accountability, and build a culture of agility; and Oracle has rigorously applied all of these to itself. None is without merit, but in the context of compliance, some are more valuable than others.

'Adopting the shared services model makes it easier to apply uniform accounting practices, and so on,' says Maden, 'and the common processes established in the shared services centre have in turn made handling IFRS and Sarbanes-Oxley easier.'

Few of those affected by the growing compliance burden can be so positive. Because firms have no option but to meet the compliance requirements of regulations such as IFRS and Sarbanes-Oxley, many have adopted a short-term, tactical approach to legislation, which will ultimately prove more costly. Maden predicts a bleak future for them: 'The most dangerous route firms can take is a piecemeal approach, where they address each change by reconfiguring disparate systems and establishing separate regulation-specific data warehouses.'
It's a high-risk strategy that can lead to multiple versions of transactional data and spiralling compliance costs, and does nothing to help organisations create the flexible systems they will need to meet any future compliance requirements.

Those that fail to see the bigger picture are also wasting the opportunity to gain wider business benefits. 'It is easy for firms to view legislation as an obstacle to be overcome,' says Maden, but 'compliance should be viewed as a catalyst for better performance' and improved corporate governance.

Lesley Meall is a writer on business and technology issues.


