Sorting Out Sarbanes-Oxley

Posted: 2/2004

Sorting Out Sarbanes-Oxley
Vague Law, Varied Solutions Cause Confusion for Public Telcos
By Kelly M. Teal

June 15, 2004, is D-Day for many publicly held companies
to show compliance with the Sarbanes-Oxley Act of 2002. A plethora of software
solutions but scant instruction from the federal legislation combine to make the
months leading up to the deadline confusing for public telecom corporations
seeking to prove they wont go the way of the WorldComs and Enrons, instead
pledging their allegiance to scandalfree business operations.

On a most basic level, and of its many provisions,
Sarbanes-Oxley requires publicly traded companies to prove their officials and
employees have not engaged in financial fraud or tampering. Among other
requirements of the law, CEOs and CFOs must personally review and sign off on
all fiscal reports.

Myriad software programs on the market offer internal controls
to keep companies on the straight and narrow. Because the Sarbanes-Oxley Act
does not specify software to use, companies have a number of options from which
to choose (see Sox Toolbox below). This can be the most frustrating part
for executives, according to analysts, because there is no roadmap to
compliance, just a hand pointing in that general direction.

This is partly why analysts stress that software alone wont
meet companies compliance requirements executives also must examine their
companies processes. Theres hardly a software vendor out there that
doesnt make some argument that whatever theyre selling has something to do
with compliance, says Lane Leskala, research director for Gartner Inc. Functionality
thats closest to the mark is tools that deal with secure archiving of
information. Theres a straight line between the features and functions of a
tool that would do that and the ability to be compliant.

But, he adds, complicating matters is vendors claim such
capability but dont actually have it.

Mostly, Leskala says, its important to make sure companies
already are implementing best practices. A lot of the better, if not best,
practices that are shared are about alignment of process, Leskala says,
adding that companies should consider the solidity of their techniques and
controls before relying on technology to solve any problems.

For those eager for analysts to name software solutions, John
Van Decker, vice president of research firm META Group Inc. has several
companies in mind. Oracle, PeopleSoft [and] SAP either have solutions or will
have solutions by the first quarter of next year, he notes. Other
companies have solutions Movaris, Fuego, Documentum and IBM and also have
tools that companies can use to demonstrate that their financial controls
are effective.

Further, Van Decker encourages telecom companies to look at
solutions from ERP vendors. so, if youre an Oracle customer, I would
suggest the Oracle internal controls manager solution, he says. What you
want to be able to do is leverage the integration with the ERP solution to pull
out assessment information. A lot of your internal controls will be within your
ERP solution, so why duplicate all of that?

Meticulous planning and consultation with experts are required
to help win the battle for conformity with Sarbanes-Oxley. But, even though
companies know the task ahead of them, they do not necessarily know how to
complete it because of the absence of compliance instruction within the
Sarbanes-Oxley text. That absence, says Gartners Leskala, leaves an
extraordinary open door for litigation, meaning that companies found not to
be compliant will risk being sued.

The fundamental goal is to close gaps, and Leskala suggests
additional methods to achieve that aim, such as conducting risk assessment on
internal processes. He says one key is to develop a system with assigned
responsibilities and departments, before augmenting the underlying technology to
automate as much of the ongoing, repeatable practices as possible.

To that end, META Groups Van Decker recommends companies
consider solutions from the experts theyve commissioned to help them ensure
compliance. These experts cannot be a companys auditor. There may be some
complementary tools or some relatively small scaled-down solutions that can at
least get them started and understand what their requirements will be for 404,
he says, referring to Section 404 of the Sarbanes-Oxley bill that calls for
management assessment of internal controls.

With four months before the deadline, there is still time to
turn DDay into V-Day.