Sarbanes-Oxley and BPM: Selecting Software That Will Enhance Compliance

The Sarbanes-Oxley Act (SOX) went into effect in July 2002; since then, it has had a far-reaching and complex impact on the financial reporting of U.S.-based public companies. Scandals in Europe and Asia have prompted similar mandates overseas, even as those regions move closer toward acceptance of International Accounting Standards (IAS). The heat is on, and public companies worldwide have no choice but to get with the program as quickly as possible. To ensure ongoing compliance with Sarbanes-Oxley and other financial reporting regulations, businesses need a performance culture in which all systems -- including people, processes, and technology -- are working toward the same goal. Smart companies are recognizing that this is a critical time to improve their software and processes.

Sarbanes-Oxley puts much of the onus on the CFO as the key compliance gatekeeper. The law's Section 302 requires that CEOs and CFOs (or their equivalents) personally vouch for the integrity of financial statements. Section 906 specifically outlines the criminal penalties that await corporate officers who "knowingly and willfully" certify incomplete or inaccurate disclosures. Although the CFO may get help from the CIO, CEO, and other key executives (such as the emerging role of chief compliance officer or chief governance officer), the finance chief should be the central figure in driving and maintaining compliance efforts.

Despite this obvious pressure, CFOs' confidence in the numbers -- basic figures for cash flow, actuals, and product profitability -- is alarmingly low. In a recent survey conducted by Coleman Parkes of 150 CFOs at international companies, only 33 percent rated the quality of their actuals information as very good, while only 29 percent rated their budget and forecasting data equally high. Furthermore, roughly 60 percent of those surveyed said that speeding up the flow of information is a major challenge for CFOs. Almost 70 percent said converting data into useful information is a significant hurdle.

Once they've met the initial requirements of new corporate governance rules, CFOs' real challenge is only beginning. They shouldn't view SOX compliance as a one-time event, but rather as an ongoing process that must be constantly monitored and managed. They also need ongoing access to information that is relevant, reliable, and readily available so that they can help steer the company in the right direction. A business performance management (BPM) system can fill both of these needs by promoting the consistency of financial data to all stakeholder groups, ensuring the completeness and accuracy of that data, and continuously monitoring the effectiveness of internal controls around that data as they relate to SOX compliance.

The depth and breadth of Sarbanes-Oxley can be overwhelming. But for executives who are drowning in control-monitoring detail, BPM systems can provide "compliance snapshots" that outline the organization's position. At the same time, the acceleration of reporting deadlines makes it necessary to automate manual activities and embed financial controls throughout performance management processes. Because of the new demands on data integrity, companies need to establish one central source of financial data for both internal and external stakeholder groups to promote consistency; BPM systems are an obvious solution. Finally, these applications can enhance auditability, traceability, and visibility of financial activities by tracking financial, nonfinancial, and compliance metrics from source to disclosure.

It's surprising, then, how few companies have even gotten out of the gate with their BPM initiatives. A survey conducted during a recent Business Finance Webcast revealed that a full 70 percent of companies have either not started or are still in the initial planning stages of BPM. Thus, the SOX compliance challenge represents a unique opportunity for forward-thinking CFOs to get a jump on competitors by achieving compliance while streamlining reporting, improving control over data integrity, and enhancing decision-making capabilities that ultimately improve business performance.

The Road to Compliance

Because they're required to measure and manage so much data, companies that fail to integrate their ongoing compliance activities into BPM processes and systems are taking a big risk. CFOs must be able to guarantee that financial information is consistently and accurately tracked from source to disclosure, while providing insight into any changes and adjustments that might occur along the way. Before disclosing financial data, they must be able to quickly surmise who touched the data, for what reason, and when and how the data was revised. Executives who aren't able to do so quickly and accurately may face challenges during the attestation and other regulatory procedures.

Not all software systems are created equal in their ability to provide this kind of transparency. Monitoring compliance metrics via the same central system that slices and dices a company's financial data confers a distinct advantage. Forming a central repository of documented controls for multiple business units is absolutely vital to ongoing SOX compliance, and attempting to merge disparate financial systems with multiple third-party applications or spreadsheets is asking for integration headaches and loss of transparency -- which is the last thing a finance department needs while fighting time to meet compliance deadlines.

Companies that are already using a BPM system to ensure the consistency, visibility, transparency, and timeliness of financial data should consult with their current BPM vendor about its compliance-enabling capabilities. Specifically, they should find out whether the software can provide financial and nonfinancial data to multiple stakeholder groups from a single source; whether it can visibly track data changes from source to disclosure; whether it offers embedded and custom controls capabilities; whether it includes workflow- and approval-routing functionality; whether it can automate functions such as intercompany eliminations, reporting, and materiality warnings; and whether it comes with compliance reporting capabilities.

Most leading BPM vendors have already made SOX compliance a major focus of their offerings, and BPM vendors are generally in a better position than ERP vendors to add real value in compliance assistance because of their focus on solving exactly the kinds of problems that SOX mandates have made more acute. The key compliance requirements that BPM software addresses include:

Monitoring internal controls. Accounting and consulting firms offer compliance services and solutions to assess and promote effective internal controls, but public companies still must regularly monitor compliance metrics alongside other financial and operational metrics. SOX Section 404 is driving a new strategic category of financial management -- "compliance reporting" -- which means finance staff must continuously assess their control environment with an emphasis on remaining compliant or improving areas of weak controls.

Compliance requires extensive, ongoing documentation of controls, whether the control model is the company's own or in accordance with the guidelines endorsed by the Committee of Sponsoring Organizations (COSO). Thus, it's critical that a BPM solution incorporate a custom or COSO-based framework into internal controls reporting to capture compliance data throughout the enterprise, allowing finance staff to view a snapshot of corporate governance at any time to identify weak spots in the organization down to the process level. Only by continually monitoring ongoing compliance metrics can CFOs have confidence in the effectiveness of their control systems.

Reporting on material events in real time. Section 409 of Sarbanes-Oxley drives the need for finance organizations to provide real-time visibility into material events that impact the financial statements of an organization. Ensuring ongoing compliance in this area requires a BPM system that automates exception-based reporting, flagging and escalating material changes in the financial position such as additions or dispositions of business units and material variances in key accounts. Using such tools, finance managers significantly reduce the risk that material events won't be disclosed.

Offering financial transparency, quickly. SOX compliance demands timely and transparent communication of financial information and material events to the investment community. Despite the demand for more detail and visibility, SOX is also driving acceleration in reporting deadlines. The message to CFOs is clear: Report on everything you used to, plus a whole lot more, and do it all much faster.

The key to disclosure speed is to automate manual activities in all BPM processes, such as intercompany transaction matching, recurring journals, and report generation, as well as integrating data links to source systems. In addition to this automation, BPM software should provide workflow features that give finance managers visibility into bottlenecks and slow points during budgeting, closing, forecasting, or compliance reporting. Most BPM systems already offer drill-down capabilities from top-level numbers to the data source to provide a clear audit trail of any changes to data that might have occurred along the way. Data collection from disparate source systems and general ledgers needs to be completely automated so that finance managers can monitor all BPM processes and data generated by those processes with absolute visibility and confidence.

Assuring data integrity. Certifying the completeness, accuracy, and integrity of reporting data as mandated in SOX Sections 302 and 906 is one of the biggest challenges of ongoing compliance. Since CFOs must now personally sign off on financial reports, putting their professional reputations at risk, absolute faith in the numbers is critical. SOX-enabled BPM systems must provide audit features that employ trace reports and audit reports to give management visibility into how, when, by whom, and how much data has been changed. To be useful in SOX compliance efforts, BPM software must offer a security system that allows for multiple user groups, including external auditors, to gain customized access to any area or data set while not compromising system security. Finance departments must be able to provide all stakeholders with the information they need at the right time with total confidence.

Providing consistency among stakeholder groups. In a November 2003 AMR Research report titled "ERP Consolidation and Automated Tools Will Reduce Long-Term Sarbanes-Oxley Compliance Costs," vice president, research, Bill Swanton and senior research analyst Dana Stiffler state that "multiple systems and redundant business processes increase the cost of Sarbanes-Oxley compliance dramatically ... failure to prioritize risks could triple compliance costs and exposure." Companies struggling with SOX compliance must move as quickly as possible to a single, integrated data model to reduce the need for reconciliations stemming from multiple applications, systems, and data sets within other so-called integrated solutions. What's needed is a BPM solution that satisfies all stakeholder needs, making "one version of the truth" a reality.

Additionally, a BPM solution should not only house your current reporting needs but also provide your organization with room to grow as additional requirements emerge, without the need for additional investment. Multiple categories of data -- budget, actual, forecast, SEC, GAAP, IAS -- should be kept in a single data store to reduce the need for reconciliations prior to disclosure, not to mention the risk of restatements, omissions, or errors.

Achieving Compliance ROI

While the legislation is still relatively new, and the fruits of SOX compliance efforts are difficult to quantify, the implementation of a BPM solution will most definitely generate returns. The investment of time and money will come back to an organization in the form of increased visibility and improved processes. Better budgeting and planning yield more consistent, predictable results, giving companies a better chance of hitting their revenue and earnings forecasts, which in turn reassures investors and increases the value of the enterprise.

A substantial ROI can be realized by automating BPM processes to reduce cycle times and labor-intensive tasks. What's more, well-controlled processes and systems potentially reduce the need for extensive audits, both internal and external, and help to prevent material misstatements. The insight into operations that BPM systems provide can also highlight problem areas in the enterprise such as low-margin or loss-leading business units, customers, or products.

Take, for instance, the example of Viasys Healthcare Inc., a $400 million company with 2,000 employees located in Conshohocken, Pa. When Viasys spun off from its parent organization, it inherited a legacy financial system that had limited reporting capabilities and limited drill-down, and which was in no shape to meet the company's Sarbanes-Oxley compliance requirements. After replacing this system with Cartesis Magnitude, the company's finance staff was in a much better position to meet compliance deadlines.

"The new system, which we went live with in January 2003, has helped us all across the board, with everything from better decision-making and more reliable data to more time to analyze the data because the manual intervention is virtually gone," says John Imperato, vice president of finance at Viasys. "We have better consolidation capabilities within each of our four divisions, and we're much better prepared to meet SOX requirements. Plus, now we can look at our international business activity and how well we're meeting customer demands across all four units. We can look at the impact of exchange rates; drill down on sales; drill down on product revenue, by product and by country; and gain visibility into our operating expenses."

Viasys plans to extend the usage of its system to incorporate other processes, such as budgeting and forecasting, to attain the best-practice model of a single, integrated BPM system that enables speed, control, and visibility.

The passage of Sarbanes-Oxley has hastened the pace at which companies of all sizes are embracing BPM technology to gain the control and visibility that today's regulatory environment demands. Companies that are able to use this technology to best advantage will be rewarded by the investment community, while those that fail to step up to the challenge will face potentially serious and costly repercussions. With the right tools in place, organizations can transform SOX compliance from an expensive burden into a golden opportunity to streamline processes, promote consistency, enhance speed, and drive visibility around all BPM processes.
