July 2003 Solving Sarbanes-Oxley: The CFO Playbook


Public companies will scramble to meet tough new Sarbanes-Oxley regulations. Smart firms will use the opportunity to optimize financial controls using an electronic controls library, workflow, and inline analytics.

INTERVIEWS
• 80% of surveyed finance execs rated their controls as very good or excellent.
• In response to Sarbanes-Oxley, firms are not significantly increasing finance apps budgets this year.

ANALYSIS
• Sarbanes-Oxley is a catalyst for smart CFOs to build proactive controls into processes like revenue recognition.
• The CIO’s role is to implement technology -- like an electronic controls library -- to support the new processes.

ACTION
• CFOs must educate CIOs on Sarbanes-Oxley.

WHAT IT MEANS
• Firms will increasingly outsource their finance function.

RELATED MATERIAL

GRAPEVINE

ENDNOTES

By Jennifer Chew

With Christopher Mines

Laurie M. Orlov

Nicole Belanger

© 2003, Forrester Research, Inc. All rights reserved. Forrester, Forrester eResearch, Forrester Wave, WholeView, Technographics, TechStrategy, and TechRankings are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. Forrester clients may make one attributed copy or slide of each figure contained herein. Additional reproduction is strictly prohibited. For additional reproduction rights and usage information, go to www.forrester.com. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. To order reprints of this document, please [email protected].

Headquarters

Forrester Research, Inc.

400 Technology Square

Cambridge, MA 02139

USA

Tel: +1 617/613-6000

Fax: +1 617/613-5000

www.forrester.com

The TechStrategy™ Report

INTERVIEWS

CFOs Are Complacent Regarding Controls

While the Sarbanes-Oxley Act has generated business journal buzz, finance executives are not worried about their financial controls and view regulatory compliance as a short-term issue. The result? Only minimal increases in finance’s application software budgets for 2003.

FINANCE EXECS PAY LIP SERVICE TO SARBANES-OXLEY

With the implosion of once mighty corporate giants like Enron, WorldCom, and HealthSouth and increasing regulatory requirements like Sarbanes-Oxley, top management’s attention is swinging to financial controls and compliance (see Figure 1). To learn more about how companies are responding to these regulatory pressures, Forrester interviewed finance executives at 20 publicly traded companies subject to Sarbanes-Oxley regulation.1

Most firms reported a high degree of confidence in their current controls processes today, with 16 of 20 grading themselves a four or five on a five-point scale (five being high confidence).

“We are very confident that our controls and processes are adequate and meet our needs. Whether we meet the requirements of Sarbanes-Oxley is another question; we haven’t done enough work to know for sure.” (Software company)

“We have had a policy in place now for years that requires continuous monitoring and testing of internal controls. With Sarbanes-Oxley we will have to expand documentation and some testing, but our company has taken internal controls seriously all along. To comply, we just need to enhance what we have in place now.” (Aerospace & defense company)

CFOs View Compliance As Necessary, But Not Of Strategic Importance

Of the executives we surveyed, 60% told us that maintaining shareholder value and ensuring corporate performance outweighed tasks like reporting and compliance (see Figure 2-1). The result? Others are assigned to deal with these lower-priority issues.

JULY 2003 © 2003, Forrester Research, Inc. Reproduction Prohibited

Figure 1 What Exactly Is Sarbanes-Oxley?

The Sarbanes-Oxley Act of 2002 has rewritten the rules for corporate governance disclosure and reporting. Beneath the act’s multiple pages of legalese lies a simple premise: Good corporate governance and ethical business practices are no longer niceties -- they are the law.

Section 302

• CEOs and CFOs must personally certify that they are responsible for disclosure controls and procedures.

• Quarterly filings must contain a certification that they have performed an evaluation of the design and effectiveness of these controls.

• Certifying executives must state that they have disclosed to their audit committee and independent auditor any significant control deficiencies, material weaknesses, or acts of fraud.

Section 404

• Mandates an annual evaluation of internal controls and procedures for financial reporting

• The company’s independent auditor must issue a separate report that attests to the management’s assertion on the effectiveness of internal controls and procedures for financial reporting.

Source: Deloitte & Touche and Forrester Research, Inc.

“There are people responsible for compliance at our company who would say complying with regulations is their biggest challenge. However, this is not the CFO’s responsibility.” (Transportation company)

“I see the largest challenge for financial executives being a mix of maintaining shareholder value and reporting accurate financial results. I don’t think reporting accurate financial results is an important long-term issue.” (Aerospace & Defense company)

“My largest challenge in the long run is improving corporate performance. However, if you asked me about this year only, I would say that complying with regulations is my largest challenge -- but this is only a short-term challenge.” (Telecommunications company)

Firms Do Invest In Apps To Manage Financial Reporting

Every firm we spoke with expected technology to contribute to meet financial reporting and analytics requirements. Companies plan to spend on a wide variety of apps including controls and accounting, but business intelligence functions are top-of-mind (see Figure 2-2).

“Without technology, there is no way to compile information into a meaningful form, especially if you are a global corporation.” (Energy company)

“You have to be able to consolidate a global enterprise into some insightful analytic measures. You can’t manage a company this big without a system to see insights on the performance.” (Computer hardware company)

“We use technology to sort, report, and then make meaningful decisions based on the data.” (Insurance company)

Figure 2 Finance Executives’ Spending Overview

2-1 “What is your biggest challenge as a finance executive?”

• Maintaining shareholder value: 35%
• Improving corporate performance: 25%
• Reporting accurate financial results: 20%
• Complying with regulations: 20%

Base: 20 publicly traded companies subject to Sarbanes-Oxley compliance

2-2 “Will you spend a portion of your financial application budget on . . . ?”

Categories: Financial controls, Accounting, Business intelligence, Security, ERP financial applications, Risk management, Dashboards

Percentages: 100%, 95%, 90%, 85%, 75%, 70%, 40%

Base: 20 publicly traded companies subject to Sarbanes-Oxley compliance (multiple responses accepted)

Source: Forrester Research, Inc.

But Sarbanes-Oxley Has Little Impact On App Spending Plans

Citing budget constraints, 85% of firms indicated that Sarbanes-Oxley had only a neutral or slight positive pressure on spending plans in 2003. Short-term investments are going into consulting services, not apps. Looking beyond 2003, 13 of the 20 firms expected to spend more on financial apps in the next two years, with the planned increase averaging 20%.

“Our finance apps budget has not increased with Sarbanes-Oxley . . . not because we didn’t want it to, but because we couldn’t afford it. Given the economy, we have to do more with the money we have.” (Telecommunications company)

“We may spend a bit of money on Sarbanes-Oxley, but this money isn’t coming from IT. For example, we are bringing in an internal documentation software package from a Big Four accounting firm. The software is ‘free.’ They charge for the consulting that goes with it . . . around $100,000.” (Insurance company)

“We are increasing spending due to Sarbanes-Oxley, but it’s with consultants, not applications.” (Automotive & transport company)

CONCLUSIONS

Based on our interviews with 20 publicly traded companies subject to Sarbanes-Oxley regulation, Forrester concludes that:

• Companies are complacent about internal controls. CFOs are confident with their internal controls and view regulatory compliance as a short-term, tactical requirement.

• Sarbanes-Oxley doesn’t increase app spending plans significantly in 2003. Most firms ranked the impact of Sarbanes-Oxley regulations on their spending as neutral or increasing slightly, with spending plans focused on documentation and consulting.


ANALYSIS

CFOs: Shift Controls To The Front Burner

Compliance with Sarbanes-Oxley is a catalyst for smart CFOs to build proactive controls into processes like revenue recognition. The CIO’s role is to build a technology infrastructure to enable process improvement with tools like an electronic controls library, workflow, and inline analytics applications.

SARBANES-OXLEY IS THE CATALYST FOR FINANCE CHANGE

Our interviews revealed that the average CFO thinks that internal controls are adequate and that increased apps spending is not necessary this year to weather the Sarbanes-Oxley storm. This, coupled with CFOs delegating regulatory compliance to staff members, indicates that many are missing the point: Compliance and controls directly relate to CFOs’ stated highest priority -- shareholder value. Revenue restatements can result in plunging share price (see Figure 3). Inadequate financial controls contribute to these incidents because they are unable to:

• Head off mistakes before they hit the books. While the jury is still out on whether Ahold’s rebate booking practices were a mistake or outright fraud, earnings were overstated by at least $1.1 billion. Deferring revenue for controls-validation prior to booking would have given internal auditors a chance to identify the improper postings prior to providing shareholders with incorrect information.

• Enforce rules throughout the process. Peregrine Software was forced to restate $509 million in revenue over two years and file for bankruptcy. Why? One major reason was that Peregrine recognized revenue when it sold to a third-party reseller, regardless of whether the sale had a firm commitment by an end customer. Peregrine has since modified its rules to recognize revenue only on sale to an actual user company.

FIRMS MUST OPTIMIZE FINANCIAL CONTROLS

Instead of depending on delayed or manual control activities that in turn rely heavily on external services, firms must place control verification where it belongs -- before revenue is posted. This will ensure that companies are both in control of their financial performance and in compliance with the new regulations. How can firms optimize their controls? By making them:

• Front loaded. In a classic revenue recognition debacle, Xerox was fined $10 million by the SEC for failing to recognize losses from uncollectible accounts in its Mexican operation. Instead of catching errors or fraud after the fact, firms should place sales in deferred accounts pending approvals. Front-loading the revenue recognition process would have given Xerox’s external auditors a chance to comment on the activity and would have avoided the costly revenue restatements and fines.

• Tightly connected. By remaining a static, paper-based document, the so-called “tidy binder” repository of controls doesn’t interact with humans or systems. Developing an electronic controls library provides an online resource with integration capabilities to people and computers. Shareable rules of industry-specific controls practices should be populated by internal audit departments, facilitated by software partners or external auditors.

• More timely. The typical finance department and executive team must wait until the end of the month for a snapshot view or detailed analysis of period-to-date results. Incorporating inline analytics provides just-in-time views of financial transactions (see the February 13, 2003 Forrester Brief “Inline Analytics Add Insight To Transactions”).2 With inline analytics, firms can obtain snapshots of provisional accounts like deferred revenue, enabling them to make better decisions and alert shareholders to material events.

Figure 3 Revenue Restatements Cause Massive Decline In Shareholder Value

Date | Company | Amount | Reason for restatement | 3-month change in share price
February 2003 | Ahold | $1.1 billion | Change to accounting of promotional allowance programs | -30%
March 1999 | Rite Aid | $1.6 billion | Correction for overly aggressive accounting practices | -36%
March 2003 | HealthSouth | $1.4 billion | Fraudulent reporting of earnings and assets | -82%
June 2002 | Xerox | $1.9 billion | Improper booking of sales | -34%
March 2000 | MicroStrategy | $50 million | Change to accounting for software sales | -82%
April 2002 | Qwest Communications International | $1.16 billion | Accounting irregularities | -38%
March 2002 | Adelphia Communications | $2.3 billion | Accounting fraud | -99%
September 2002 | Peregrine Systems | $509 million | Accounting fraud | Delisted

Source: Forrester Research, Inc.

Apply Optimized Controls to Major Financial Activities

As firms begin to tackle the major documentation effort required by the SEC to meet the requirements of Sarbanes-Oxley section 404, CFOs have the opportunity to transform important financial processes, creating (see Figure 4):

• Proactive revenue management. Revenue management can be more tightly controlled by making a few key changes: Post revenue initially to a deferred account, base revenue recognition decisions on a centralized controls library, and implement inline analytics to identify possible issues while the transactions still reside in a deferred account. These changes will minimize the likelihood of errors and fraud and increase management’s forecasting ability. HR apps vendor Authoria has turned to revenue management vendor Softrax to enhance its own internal controls while better managing its deferred revenue schedules for maintenance contracts.

• Rigorous cash and expense management. Finance is forever arguing with managers who push for the capitalization of what should be expenses for budget and tax benefits. Instead, companies should verify posting before attestation catches mistakes by passing them through a system-based protocol that can’t be jawboned to break the rules. This doesn’t necessarily mean more everyday work for management -- Unilever Bestfoods only sends expense reports to managers for sign-off when the software identifies an exception, like a nonapproved airline.

• Tightly linked procurement. Procurement projects often focus on eliminating paper and manual approvals of requisitions. Firms should push one step further and integrate requisition approvals with corporate purchasing guidelines. Firms should also convert the labor-intensive three-way matching process to an automatic process, using document management functionality from vendors like Documentum.

Figure 4 Firms Should Optimize Controls Of Major Financial Activities

Revenue management

Today’s typical controls:
• Sales are booked directly into general ledger.
• General ledger has no integration to “tidy binder”
• Revenue verified after posting

Technology-assisted controls:
• Workflow posts revenue into deferred account pending approval for high-risk line items
• General ledger accesses electronic controls library to decide whether to flag transaction as requiring manager approval
• Inline analytics identifies improper booking in deferred revenue account

Cash and expense management

Today’s typical controls:
• Individual project managers decide what is capital expenditure and what is expensed.
• A large percentage of travel is booked on noncompany-approved airlines.

Technology-assisted controls:
• Incorrect postings are identified when ledger validates entry against electronic controls library
• Expense reports with nonapproved vendors are automatically rejected pending approval.

Procurement

Today’s typical controls:
• Manual approval of requisitions
• Requisition approval process based on departmental guidelines
• Manual three-way matching of invoice, goods receipt, and purchase order is required for payment.

Technology-assisted controls:
• Automatic approval within tolerances
• Approvals based on corporate purchasing guidelines captured in electronic controls library and integrated with eProcurement system
• Automatic three-way matching based on electronic documents stored in content management and ERP systems. Exception report generated daily.

Source: Forrester Research, Inc.

IN DEPTH: OPTIMIZED CONTROLS FOR REVENUE MANAGEMENT

To apply the principles of front-loaded, tightly connected, timely controls more concretely, we’ll use the revenue management process as an example of how technology can help minimize controls risk (see Figure 5):

• Electronic controls library connects controls to the process. While the old process relies on an often outdated manual, the new process uses an electronic controls library as the foundation for all controls-related decisions. It contains policies and procedures accessible by systems and humans. When building this tool, companies should adhere to standards like COSO, CoCo, the Turnbull Report, the Australian Criteria of Control, or the King Report.3 Tech-savvy companies that need heavy-hitting financial advice should implement their accounting firms’ proprietary tools like PwC’s Compliance Office; firms requiring more sophisticated integration help should implement solutions from vendors like OpenPages.

• BPM front-loads the controls. To prevent controls and compliance from sneaking back into informal, department-by-department activities, users should implement business process management tools from vendors like Fuego to manage workflow (see the December 13, 2002 Forrester Brief “Forrester Wave™: Enterprise BPM”).4 In the new revenue management scenario, a sales rep entering deal information into the system is prompted to alert or generate an automatic email to the sales manager if amounts fall outside tolerance limits or if credit risks are flagged. BPM apps ensure that processes follow predefined paths and can alert both systems and people when corrective actions are necessary -- and send approved actions onto the next phase without interference.

• Inline analytics makes reporting more timely. In order to identify potential problems before month-end close -- and provide management with better leading-performance information -- firms should turn to vendors like Searchspace, which provides pattern recognition functionality; Fair Isaac, which uses predictive modeling in credit-risk management; and ClearForest, which searches unstructured content for indications of material events.

Figure 5 The New Revenue Management Process

5-1 Optimizing controls in the revenue management process

Today’s revenue management process: Create “tidy binder”; Manual preapproval of sales transaction; Post revenue into general ledger; End-of-period reporting; Attestation

New revenue management process with optimized controls: Build electronic controls library; Post sales to deferred account; Inline analytics; Validate provisional posting; Manage and store documents; End-of-period reporting; Attestation

Both processes are drawn against a time axis, each with a “Problem discovered here.” callout.

5-2 Applying controls-focused technology to revenue management

Process steps: Build ECL; Post sales to deferred account; Inline analytics; Validate provisional posting; Manage and store documents; Attestation

Electronic controls library (ECL)
• Stores corporate policies and controls
• Provides guiding principles and rules for posting decisions

BPM
• Controls process flows, triggering each activity

ERP
• Defines the accounting system-of-record

Content management
• Manages document retention

Storage
• Provides read-only repository for material documents

Inline analytics
• Provides business intelligence

Source: Forrester Research, Inc.

Vendors Awaken: Sarbanes-Oxley Needs You

As users scramble to meet Sarbanes-Oxley’s requirements, vendors should step up to meet the new, more sophisticated demands for controls-friendly tools (see Figure 6).

• ERP vendors should build controls libraries. Softrax offers revenue recognition process and transactional expertise in hopes of augmenting SAP and Oracle in firms’ back offices. Instead, the ERP vendors themselves should be packaging libraries of revenue management, expense management, investor management, and cash management processes to meet the increased demand users plan in 2003.

• BPM vendors should package compliance-friendly processes. BPM vendors should follow Fuego’s lead -- this vendor has created a Supervisory Controls Application to manage high-risk processes like revenue recognition and vendor allowances. Also, vendors like Savvion should seek out partners like OpenPages to provide a tool set for easily managing the transition from the “tidy binder” to an electronic controls library.

• Content management vendors should feature regulatory filters. Content management vendors BroadVision and Interwoven should build filters and alerts around compliance-related processes like investor relations and expense management so material documents can easily be flagged for retention -- and others can be destroyed according to policy. Content management vendors’ acquisitions of agent experts like Agentis Software, living systems AG, and Lost Wax will help speed the process (see the September 2002 Forrester Report “Managing Business Velocity At The Edge”).5

• Business intelligence vendors should shift to inline analytics. While consolidation functionality from business intelligence (BI) industry leaders like Hyperion are important for meeting Sarbanes-Oxley requirements, inline analytics will alert managers of impending material events. Example? Companies must now alert investors of an inventory shortfall during the peak sales season, or of a demand spike while a major production line is down for annual maintenance, or of an unusual pattern of revenue stream from a particular sales channel when the share price could be affected. To transition from traditional business intelligence to inline analytics, BI vendors must acquire technology from vendors like Alphablox or ClearForest and build an inline analytic interface.

Figure 6 Apps Vendors Need To Beef Up Controls And Compliance Offerings

BPM
• Sample vendors: Fuego, Savvion, CommerceQuest
• Typical Sarbanes-Oxley-related offerings today: Process modeling tools and human workflow capabilities
• Suggested improvements: Build libraries of predefined, compliance-friendly processes like revenue recognition and expense management.

Business intelligence
• Sample vendors: SAS, Cognos, Hyperion Solutions
• Typical Sarbanes-Oxley-related offerings today: Financial consolidation and reporting tools
• Suggested improvements: Focus on inline analytics to alert managers of impending material events or fraud.

Content management
• Sample vendors: Documentum, IBM, Open Text, FileNet, Hummingbird, Interwoven, BroadVision
• Typical Sarbanes-Oxley-related offerings today: Web content, document, collaborative content and records management
• Suggested improvements: Build records management practices and policies into enterprise content management strategies. Start by implementing content classifications that can be used to enforce and define retention policies.

ERP
• Sample vendors: SAP, PeopleSoft, Oracle, J.D. Edwards
• Typical Sarbanes-Oxley-related offerings today: Transaction-driven financial record management
• Suggested improvements: Change code to eliminate reactive postings to proactive rule enforcement and preposting conformance assessment. Prepackage control libraries for specific verticals.

Source: Forrester Research, Inc.


ACTION

What should key players affected by Sarbanes-Oxley do to arm themselves against an SEC investigation?

CFOs: Get your CIO up to speed on Sarbanes-Oxley.
Despite the fact that CFOs and CEOs are the ones who sign on the dotted line for Sarbanes-Oxley compliance, CIOs will play a key role in implementing the new controls-optimized finance processes. But unless CFOs clue in CIOs about the regulations and proposed process enhancements -- and approve larger finance apps budgets in 2003 -- CIOs won’t be able to help build the supporting infrastructure. Otherwise CFOs will be stuck basing attestations on higher risk manual processes and paying big recurring consulting fees to their audit firm.

CEOs: Include a controls assessment in M&A due diligence.
The risks in buying another company increase dramatically with Sarbanes-Oxley. Mergers take on not only the balance sheet but also the chance that poor controls mean poor revenue recognition decisions at the target company. Acquiring firms should view the existence of an electronic controls library and a finance workflow tool as good signs -- and reliance on the “tidy binder” as a warning flag.

VPs of sales: Recast today’s flexible deals in concrete.
As CFOs increasingly examine real-life revenue recognition practices, VPs of sales will emerge in the CFO’s cross hairs. To protect themselves, sales executives at firms should start standardizing terms and conditions for contracts so they can easily be converted to an electronic controls library.

Auditors: Certify Sarbanes-Oxley-friendly technologies.
As companies begin to implement apps and infrastructure to support their Sarbanes-Oxley compliance efforts, they will be looking for advice on which technology vendors to select. Final Four auditors like Ernst & Young should capitalize on this, creating an additional revenue stream with a certification program that evaluates the vendors on features like providing audit trails and adherence to COSO standards.


WHAT IT MEANS

A new revenue recognition process isn’t the only impact of Sarbanes-Oxley. What else can we expect?

Finance outsourcing deals get a boost.
As firms take on business process re-engineering efforts around revenue, cash, and expense management, many will use this opportunity to offload process and the associated technology implementations to vendors like IBM that combine finance process consulting expertise with transformational outsourcing capabilities (see the April 2003 Forrester Report “Can Outsourcers Really Transform IT?”).6

Outsourcing means CFOs can take advantage of the service provider’s learnings from other clients and incorporate controls best practices into the solution.

Contract management apps will gain traction.
To guarantee compliance with document management and retention strategies, companies will increasingly turn to automated contract management software from companies like Oracle or diCarta. Why? These firms can track, analyze, and retrieve key revenue recognition documentation using metadata tagging instead of rifling through box after box of archived documents in the basement.

High-performing firms begin to finance Six Sigma projects.
Much like the ISO 9000 craze 20 years ago, many firms will simply opt for a documentation-only approach to meeting Sarbanes-Oxley requirements. Smart firms will take lessons from companies like GE and Motorola that recognized that while ISO was a step in the right direction, Six Sigma projects actually improve business processes. The result? Six Sigma black belts will now shift their attention to financial processes instead of focusing on the supply chain.

Corporate instant messaging rollouts are slowed.
With the increased attention to document management because of regulations like Sarbanes-Oxley, firms will become progressively more worried about managing unstructured communications like chat, email, and even cell phones. Risk-averse firms like Johnson & Johnson are likely to slow instant messaging initiatives until the legal system generates more precedents for what is allowable in court hearings.


RELATED MATERIAL

Methodology

For this report we conducted interviews with 20 public firms that are subject to Sarbanes-Oxley regulation. We also spoke with the companies listed below.

Companies Interviewed For This Report

BearingPoint www.bearingpoint.com
Cap Gemini Ernst & Young www.cgey.com
Cognos www.cognos.com
CommerceQuest www.commercequest.com
Compli www.compli.com
D&B www.dnb.com
DecisionPoint Applications www.dpapplications.com
Deloitte Touche Tohmatsu www.deloitte.com
Documentum www.documentum.com
EMC www.emc.com
Fuego www.fuego.com
Hyperion Solutions www.hyperion.com
Iron Mountain www.ironmountain.com
OpenPages www.openpages.com
Oracle www.oracle.com
PeopleSoft www.peoplesoft.com
PricewaterhouseCoopers www.pwcglobal.com
SAP www.sap.com
SAS www.sas.com
Softrax www.softrax.com
TechAdoption www.techadoption.com

Related Research

April 2003 Forrester Report “Can Outsourcers Really Transform IT?”
February 13, 2003 Forrester Brief “Inline Analytics Add Insight To Transactions”
December 13, 2002 Forrester Brief “Forrester Wave™: Enterprise BPM”
September 2002 Forrester Report “Managing Business Velocity At The Edge”
July 3, 2002 Forrester Brief “CIOs Can Help CEOs Stay Out Of Jail”


G R A P E V I N E

User companies must protect themselves -- against their auditor.In a recent Wall Street Journal article, Dennis Nally, chairman of PricewaterhouseCoopers,is quoted as saying: “The auditor is responsible for a fair presentation of the financial . . .but the auditor is not responsible for detecting fraud.”7 So if your auditor isn’t planningon identifying the fraud, then smart CEOs have even more incentive to systematicallybuild a strong controls infrastructure, decreasing the dependence on external sourcesbeyond regulation-required audits and attestations.

……

The best-of-breed packaged app oxymoron.In a recent conversation with Forrester, i2’s COO Sam Nakane, debunked the myth of packaged app best practices. He described best practices as a sales gimmick used by software vendors: “In most cases, best practices are really just the most commonpractices. True best practices are often the uncommon practices that leading-edgecompanies follow -- and uncommon doesn’t sell well to the masses.” Advice? Use somecommon-sense skepticism when evaluating vendors’ “best practices” sales pitch.

……

Trying to create an ethical workplace? Consider the Ritz-Carlton model.
To maintain a satisfying workplace environment, Ritz-Carlton Hotel Company has developed and codified a simple, employee-empowering model that emphasizes customer service -- a simple credo and 20 basic rules that guide virtually all employee behavior. The result? The hotel management firm won a 1999 Malcolm Baldrige National Quality Award and consistently rates as one of the highest-performing hotel brands in customer loyalty.

……

The strong get stronger.
In a recent press conference, Henning Kagermann, chairman of the SAP executive board and CEO, said: “The market uncertainty is there and will be there in the future. Volatility will not go away. So build an adaptive enterprise. IT spending is not growing but going down. So? The strong get stronger.” The lesson for users? Decrease dependence on any one app vendor by building an integration infrastructure that serves as a technology foundation for plug-and-play app implementations -- including niche and best-of-breed players. Then choose componentized apps that are built on open integration standards like J2EE and .NET (see the December 5, 2002 Forrester Brief “Composite Apps Reshape Enterprise Software”).8


E N D N O T E S

1 Publicly traded companies with at least $75 million in revenue are subject to section 404 of the Sarbanes-Oxley regulations in June 2004. Other smaller companies and foreign entities are impacted in April 2005.

2 Inline analytics are embedded within the normal flow of transactions and provide predictive outcome advice immediately, adapting to emerging circumstances.

3 COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission. It is a voluntary private sector organization whose goal is to improve the quality of financial reporting through business ethics, effective internal controls, and corporate governance. For more information, please go to www.coso.org.

4 Forrester evaluated seven enterprise BPM vendors against more than 60 criteria.

5 Agents help detect relevant change and then trigger desired outcomes. In this case, relevant change would be based on what companies define as material to the Sarbanes-Oxley regulations for documents’ storage and retention.

6 IBM was among the leaders in a recent Forrester evaluation of IT outsourcing.

7 This appeared in the article, “Accounting Firms Attempt to Dispel the Cloud of Fraud.” Wall Street Journal, May 27, 2003.

8 An exchange infrastructure serves as the basis for composite apps. Composite apps dynamically combine and connect functionality and data from heterogeneous applications to support cross-functional and multiorganization business processes.


Forrester Events

Consumer Forum 2003
Creating A World-Class Multichannel Experience
New York, N.Y.
September 21-23, 2003

Financial Services Forum Europe
Transforming Multichannel Finance
London
October 15-16, 2003

Executive Strategy Forum 2003
Boston, Mass.
October 27-29, 2003
Register by August 15, 2003, and qualify for an early registration discount.

Automotive: Marketing, Manufacturing, Distribution, Retail

Consumer Devices & Services: Broadband, Consumer Electronics, Devices, PCs

Consumer Packaged Goods: Marketing, Merchandising, Distribution, RFID Technology, Retail

Content Management: Web Content, Enterprise Content, Digital Assets, Collaborative Content Management

Customer Relationship Management: Sales, Marketing & Service, Consumer Marketing Platforms, Contact Center Infrastructure, Customer Service

Enterprise Applications: ERP, Enterprise Services Automation, B2B Sell-Side

Financial Services: Banking, Insurance, Investment, Credit

Healthcare: Health Plans, Pharmaceuticals, Healthcare Providers, Electronic Data Capture

Infrastructure: Servers, Corporate Wireless, Storage, Business Intelligence, Commerce Platforms

Integration & Web Services: Middleware, EAI/B2B Integration Tools, Process Integration, Business Process Management

IT Security: Technology Security Risk, IT Security Management, Business Continuity Planning

IT Spending: IT Budgeting, Technology Adoption & Purchase Plans, IT Organizations & Decision-Making

Manufacturing & B2B: Collaboration, Trade Forecasts, Energy, Chemicals

Marketing: Branding, Promotion, Cross-Media Marketing, Marketing Measurement, Online Advertising, Loyalty Programs, Portal Deals

Media & Entertainment: Publishing, Television, Music, Content Syndication

Portals & Site Technology: Measurement Tools, Process Portals, Search Engines, Self-Service, X Internet

Product Life-Cycle Management: Product Development, Process & Discrete Marketing, Aftermarket, Demand Management

Retail: Marketing, eCommerce, Merchandising, Store Operations, Technology

Services & Outsourcing: ASPs, Hosting, Outsourcing, Systems Integrators

Supply Chain: Planning & Execution, Logistics, Product Design, eProcurement Applications

Telecom & Networks: Telecom & Mobile Services Carrier Strategy, Enterprise Network Management, Equipment, Services

Travel: Marketing, Distribution, Airlines, Hotels, Business & Leisure Travel

User Experience: Interface Design, ROI Of Design, Scenario Design, Speech Recognition, Usability

Forrester’s WholeView™ Research provides clients with unified guidance on customer trends, business strategy, and technology investments through Technographics®, TechStrategy™, and TechRankings™. WholeView Research drills down into the most important details of an issue while maintaining a holistic perspective of the impact of technology change on business.

Forrester also offers Events and Strategic Services that further enhance the WholeView. Each Event provides new ideas, clear direction, and innovative strategies with a WholeView perspective. Strategic Services deliver custom guidance for the complex business decisions that drive your company’s success.