Managing the cost of compliance

The past two years' efforts to comply with Sarbanes-Oxley have produced a substantial learning curve -- one that provides organizations with important input for designing effective, efficient processes for documenting and testing controls in the years ahead. Those that take steps to internalize the required compliance processes will find that they not only manage costs more efficiently, but move the mindset of the organization to one that embraces risk management.

The Sarbanes-Oxley Act of 2002 has had far-reaching implications for the ways that public companies -- and some private companies -- manage their businesses. In the rush to meet compliance deadlines, many companies approached their initial Sarbanes-Oxley compliance effort as a "project" -- leveraging a variety of tools, staff, processes, and, in many cases, the services of external consultants to:

• document internal controls,
• test those controls on a regular basis, and
• certify process owners quarterly with respect to Sarbanes-Oxley compliance.

The cost of compliance has not been inconsequential -- it is not uncommon for a middle market company to have spent in excess of $1 million to meet first-year requirements. For those with complex operations, many locations and/or operations in many countries -- the cost has been much greater.

With the 2005 Sarbanes-Oxley compliance period -- the first full year of compliance for many organizations -- in the past, now is the time to take stock and to plan for the next cycle. For many companies, a key challenge will be refining documentation and testing processes that maintain an effective compliance program at a more manageable cost. The key will be moving from a "project" mindset to one that makes Sarbanes-Oxley compliance an integral part of the company's business processes and risk management approach.

Effective compliance. Efficient execution.

Embracing the fundamental changes that are part of Sarbanes-Oxley means looking beyond the series of tasks required for compliance. It means internalizing required processes, changing the way you operate, and driving changes down to process owners within your organization.

Forward-thinking organizations are taking several steps to make sure they are managing compliance efficiently -- in terms of both process and cost.

1. Develop self-auditing and testing processes.

Because the new laws put accountability for compliance directly on boards and management teams, it is important for companies to take direct responsibility for the documentation and testing of controls. As they adapted to the new requirements, many organizations relied on external consultants or auditors to assist with or conduct testing; however, it is impossible to maintain ownership and full control of these processes when testing is performed by an external organization.

Establishing internal documentation and testing processes builds the appropriate level of accountability within the organization, but it also lowers costs over the long term by embedding these processes in the way the company does business. Effective management of controls matches accountability with the appropriate level of responsibility -- the process owners directly affected by compliance requirements, such as store managers or local accounting managers. Providing process owners with training and self-auditing "kits" -- testing and documentation materials that they can open and use at designated points in time to conduct testing and prepare and submit (or file) evidentiary material -- ensures that those closest to the process are involved, informed, and prepared to support the compliance requirements. Just as important, it ingrains into company culture the importance of these controls, serving as a constant reminder of the way that the company must operate.

2. Automate controls documentation and other processes.

Automating controls documentation significantly reduces time spent on compliance-related activities, thereby reducing costs. But it also can improve quality of the documentation, itself, by providing templates that make it easier for those completing the process to capture the correct information in the most useful format.

Many new tools have emerged on the market over the past year specifically to support Sarbanes- Oxley compliance activities, but the most effective tools may be those already in place and integrated with your existing systems. Company intranets or Microsoft® SharePoint databases, for example, often provide the technical capabilities for document development, retention, and sharing -- and they provide the built-in productivity benefit associated with a system that is familiar to users.

Automation also makes it easier and more efficient to update documentation, when required. Maintaining current controls documentation is one of the biggest challenges facing organizations regulated by Sarbanes-Oxley. Automating quarterly certification, as well as the follow-on process for alerting management of process changes that require updated documentation or testing, helps companies respond in a timely manner.

3. Redefine the compliance function.

With the trend toward regulation increasing, Sarbanes-Oxley is hardly the end of the line as far as responding with new compliance requirements. Hot buttons such as identityfy management are likely to produce similar changes. To the extent that an organization can develop a flexible, process-oriented approach to managing compliance activities, the better positioned it will be to adapt to new regulatory requirements in the future -- and to manage those requirements efficiently.

Sarbanes-Oxley has prompted many companies to reconsider the scope, structure, and reporting relationships of their compliance functions. These functions -- often reporting through the legal/general counsel office -- oversee not only facets of Sarbanes-Oxley compliance, but also other types of compliance activity, including environmental, regulatory, OSHA, financial and industry-based initiatives, such as the regulation of sales activities in the pharmaceutical industry. This can produce a variety of benefits. At the basic level, using common tools and approaches reduces the tangible cost of compliance activities. But it also moves the organization to the level of managing its portfolio of risks, providing a comprehensive view that enables management to understand the potential dollar value of each type of risk and to take actions to manage the intangible costs proactively.

West Monroe Partners provides financial advisory services that enable organizations to align business and IT needs and manage key processes, such as Sarbanes-Oxley compliance, in an efficient manner. For more information, contact John Abernathy, This e-mail address is being protected from spam bots, you need JavaScript enabled to view it .

In this issue:

• Message from the President
• Managing: Pre-merger IT and business process due diligence: look before you leap
  
• In Practice: The Quality of Service Framework
• New at West Monroe Partners: Geospatial Solutions
  
• New at West Monroe Partners: Consultants and Alliances