James wrote a useful post about CA compliance positioning. CA is an interesting case, they have had compliance challenges themselves, but as a business they really seem to be getting their house in order. I found this presentation via good old google this morning. (hope CA is okay with me linking to it) Check out slide 9, about the reduction in costs that they have achieved. At the event James attended CA obviously pushed its part of the continuous compliance story, but that is only part of the picture.
If you look to the presentation above, you’ll see that a core ERP platform and control tools are a key part of the story. In this case, SAP ERP, and Virsa. (now SAP GRC) Slide 19 gives a good view of how the CA and SAP compliance messages fit together.
I like it when software companies walk the talk. CA is one of them. So is SAP.
Coincidentally I had compliance for breakfast this morning too. I met up in in Heidelberg, with Jan Nordhagen. We had breakfast on a terrace in the early morning sunshine loooking out over the Neckar. (lousy job this)
Jan was the MD of Virsa in Europe, and now heads up the GRC sales efforts in Europe at SAP. Bright guy, really driven and has a passion for compliance. We talked about compliance, kids, mergers and why he should sponsor our charity bike ride. There is some real momentum behind the SAP compliance story here in Europe, it isn’t at all like Vinnie makes it out to be, vendors chasing the SOX gravy.
Compliance is less of a “new trendy thing” here in old europe, and opening a sales pitch with SOX is often the quickest way to the door. There is a strong belief in many customers here that compliance is just good business practice, and we are seeing great traction for the SAP compliance suite from companies that dont have anything to do with SOX, for instance in the public sector. We also see great interest from private companies. Companies are looking to reduce the cost of audit, but the main goal is to embed compliance in core business processes, and not to see compliance as a reporting after thought, or as an evil government burden. There is a real belief in many companies here that transparency and real time controls are just good business practice. Q2 for compliance was very strong here, despite a generally slow market. It wasn’t all about SOX….
There is also a lot of interest in the Risk and Governance bit of the GRC story. There is a lot of cool stuff in development at the moment on risk management, based partly on the risk desktop that we developed internally for the CFO and the CEO here at SAP. There is lots of great stuff going on in this space. If SOX was the spark that made SAP..
1) dust off stuff embedded in the depths of boring boring erp and actively tell people about it. (Like the Audit Information System for instance)
2) Acquire Virsa, and expand the solutions..
3) Build partnerships with auditors and SIs to drive down the cost of compliance.
Then maybe things arent so bad as Vinnie makes out.
Virsa surveyed 93 customers; and found that customers report significant reductions in compliance cost and labour.
Reduction time of spent on internal audit 35%
Reduction in internal external audit costs 28%
Reduction in time spent managing authorisation risk 44%
Recduction in costs for managing authorisation risk 36%
Reduction in audit report findings for security 41%
Reduction in time required to clean up audit findings 39%
Technorati tags sap compliance redmonk virsa SOX
July 21, 2006 at 11:24 am
Thomas. I have nothing against compliance per se. I was trained as a CPA myself and understand controls. If Virsa can show pay back – tangible – great. Hopefully tthe savings are not based on inflated post-SOX audit costs.
Show me the money and I will shut up – because so far the outflow has been real )and huge), but the payback has been based on “investiors will sleep well”
When SAP announced GRC I commented that it will be nice to see SAP do Value Engineering to show pay back from it.
Having said all this, I would still rather take the dollar in compliance and put it towards innovation. Little of what we spend in compliance will help us against the Chinese.
July 21, 2006 at 11:36 am
also we were already paying for auditors the SEC and technology with controls prior to Enron.Enron was even reporting un usual transactions to the SEC and Street – and our watchdogs did not pry. Ironically we are rewarding them now with more dollars. You really think we know everything is right today n the complex bowels of mammoth companies like GM, GE, Daimler or BA?
July 21, 2006 at 11:40 am
Vinnie,
I guess it depends how you define compliance. If it is just about SOX 404 etc, then I agree with you. But I dont think it is. It is about running a reliable, accountable, trustworthy company. I think you need to take off the sox glasses.
Name one company that has awful compliance that is really innovative and sustainable. I cant think of one.
July 21, 2006 at 11:51 am
Thomas. compliance did not get born as a result of Enron. But It has spiked dramatically since. So you cannot ignore its effect. Read my note below about real numbers corporate America is reporting about its cost impact.
How long has Virsa been around? And when did they start to do well? Post SOX.
Also I think it is an insult to Jeff Immelt and other CEOs to say because of Enron you need to also step up compliance. Tarring everyone and every frigging business process (some audtiors have never been to a warehouse) as suspect is overreaction on the other side. And no, I do not expect any innovation to come out of it. Unless the education if the auditors that warehouses have bar codes is considered innovation.
http://dealarchitect.typepad.com/deal_architect/2006/01/1_billion_per_w.html
July 21, 2006 at 11:52 am
Vinnie,
I have read most of what you have written on your blog on SOX, and much of your ire is vented on the technology vendor, sometimes the auditor. I agree that the law is badly put together, but we didn’t spec it! Your elected representatives did.
Perhaps you need to be pointing the hose at the SEC and the and those that run the US regulatory framework . The controls put in place after the 1929 crash have been gradually eroded by your government. To constantly blame software vendors is simply not cricket. As the old afrikaans saying goes, jy blaf op die verkeerde boom. (you are barking up the wrong tree)
July 21, 2006 at 11:59 am
think this shows the challenge of having a synchronous conversation with an asynchronous tool…..
July 21, 2006 at 12:00 pm
let’s do a pod cast – for and against!
July 21, 2006 at 12:17 pm
I left the accounting community a long time ago otherwise I would be bitching at that community about the orgy. I am now in the tech community – and yes it does bother me that we often do not think about the customer’s interest first. In the end my blog and my viewpoint is that. If the industry did and pricing was more reasonable, and we fought the government over stupid stuff like SOX and Net Neutrality and Privacy, rather than just going along because it makes money, I would have little to say. A lot of people would say hooray to thar -)
About US regulation – not sure it is just us. MNCs are complex beasts. But so are insitutional investors. They know how to read MNCs and make risk assessments. We are kidding oursleves if we think SOX is helping them make better risk assessments. Compliance is just one area of risk. Competition is a much bigger one – where we should be putting our dollars towards…
February 20, 2007 at 1:15 pm
[...] It will be interesting to see what approach SAP takes to integrating Pilot Software dashboards with its existing Business Information Warehouse platform. One interesting opportunity will be pointing SAP’s scripting language, widget and rich UI communities at the business information enabled through Pilot. Why not extend Pilot’s UI through SAP ERP data using PHP, or position the SAP widget foundation as a primary consumer of Pilot info? There could be some interesting partnering opportunities with Adobe and Microsoft. Another internal opportunity for SAP will be integration of Pilot with its Governance, Risk and Compliance portfolio, and particularly the business controls functionality it acquired with Virsa. [...]