Director's Guide to Compliance Software: what lessons can boards learn from first attestation, and its aftermath?

Author: Shaw, David
Position: Report on compliance software

A YEAR AGO, when we published our first Director's Guide to Compliance Software, many companies were running at full speed to prepare for the first attestation mandated by Sarbanes-Oxley 404. Many used interim software tools provided by audit firms and documented hundreds or thousands of controls in spreadsheets, flow charts, and word processing files.

Today, first attestation is over, and most--not all--companies got through the process unscathed. But the challenge of remaining in compliance, while not letting manual compliance efforts hijack the strategic and operational goals of the company, should be at the top of every board's (and, especially, the audit committee's) agenda.

"What happened in 2004 is not something that companies want to repeat in 2005," notes Mike Malwitz, senior product manager for Hyperion. "2004 was the year of documenting controls and fixing glaring issues that didn't pass audit, or had to be disclosed. But companies are sick of that stuff. They're looking now to create a robust and sustainable compliance framework in 2005."

"Boards and management teams have seen that the time, resources, and costs involved in the first year of SOX 404 compliance was very high," adds Eric Keller, CEO of Movaris. "There was a huge gap between the initial budget versus the final tab--there were accounting firm costs, the costs of consultants to do the documentation and testing, and the soft costs of the time and energy of the finance team. It became a very expensive proposition, and the pain was real. If you don't do something different in year two and beyond, there's no reason to think that costs will decline."

That expense was considerable. AMR Research estimated that affected companies spent anywhere from $250,000 to $3 million each on first round compliance, according to Peter Christie, product manager for SAS Corporate Compliance. "Companies now need to leverage feedback and lessons learned from the process to improve the efficiency of the first round of effort and reduce the cost," Christie says.

"In the last year, 95 percent of companies were scrambling to get to first attestation," notes Ted Frank, president of Axentis (and chair of The Compliance Consortium). "Now companies are reassessing. They know they rushed, so they're asking, 'How do we do it differently this year? What's the end state we want to achieve?' Boards understand that the process they used to gain compliance is insufficient to gain ongoing compliance. They recognize that they need to change the process."

The attestation process wasn't all bad, of course. As Dean Berg, director of compliance solutions for Stellent, says: "Obviously there were some reported issues and material weaknesses, but companies are in better shape than a year ago in terms of comfort with internal processes. Sarbanes-Oxley forced this, and it's hard to find anyone who hasn't found a benefit from SOX. But now the push is on: 'What do we really need to focus on in compliance now?'"

What are the primary lessons of compliance in the past year, and what can be done to ensure those lessons are learned? DIRECTORS & BOARDS interviewed executives from several compliance software solutions companies to build a road map for boards looking to create a sustainable, less-costly compliance environment while gaining strategic and competitive business advantages from that effort.

Lesson one: Companies went too far

In the absence of actual experience with compliance mandates, many companies documented everything, and essentially set themselves up in opposition with their auditors. This has created an...
