breakfast and compliance…anything James can do I can do …..

James wrote a useful post about CA's compliance positioning. CA is an interesting case: they have had compliance challenges themselves, but as a business they really seem to be getting their house in order. I found this presentation via good old Google this morning (hope CA is okay with me linking to it). Check out slide 9, about the reduction in costs that they have achieved. At the event James attended, CA obviously pushed its part of the continuous compliance story, but that is only part of the picture.

If you look at the presentation above, you'll see that a core ERP platform and control tools are a key part of the story. In this case, SAP ERP and Virsa (now SAP GRC). Slide 19 gives a good view of how the CA and SAP compliance messages fit together.

I like it when software companies walk the talk. CA is one of them. So is SAP.

Coincidentally, I had compliance for breakfast this morning too. I met up in Heidelberg with Jan Nordhagen. We had breakfast on a terrace in the early morning sunshine looking out over the Neckar. (lousy job this)

Jan was the MD of Virsa in Europe, and now heads up the GRC sales efforts in Europe at SAP. Bright guy, really driven, and he has a passion for compliance. We talked about compliance, kids, mergers and why he should sponsor our charity bike ride. There is some real momentum behind the SAP compliance story here in Europe; it isn't at all as Vinnie makes it out to be, vendors chasing the SOX gravy.

Compliance is less of a "new trendy thing" here in old Europe, and opening a sales pitch with SOX is often the quickest way to the door. There is a strong belief among many customers here that compliance is just good business practice, and we are seeing great traction for the SAP compliance suite from companies that don't have anything to do with SOX, for instance in the public sector. We also see great interest from private companies. Companies are looking to reduce the cost of audit, but the main goal is to embed compliance in core business processes, and not to see compliance as a reporting afterthought, or as an evil government burden. There is a real belief in many companies here that transparency and real-time controls are just good business practice. Q2 for compliance was very strong here, despite a generally slow market. It wasn't all about SOX.

There is also a lot of interest in the Risk and Governance bit of the GRC story. There is a lot of cool stuff in development at the moment on risk management, based partly on the risk desktop that we developed internally for the CFO and the CEO here at SAP. There is lots of great stuff going on in this space. If SOX was the spark that made SAP:

1) dust off stuff embedded in the depths of boring, boring ERP and actively tell people about it (like the Audit Information System, for instance),

2) acquire Virsa and expand the solutions, and

3) build partnerships with auditors and SIs to drive down the cost of compliance,

then maybe things aren't so bad as Vinnie makes out.

Virsa surveyed 93 customers and found that they report significant reductions in compliance cost and labour:

Reduction in time spent on internal audit                   35%
Reduction in internal/external audit costs                  28%
Reduction in time spent managing authorisation risk         44%
Reduction in costs for managing authorisation risk          36%
Reduction in audit report findings for security             41%
Reduction in time required to clean up audit findings       39%

9 thoughts on “breakfast and compliance…anything James can do I can do …..”

  1. Thomas. I have nothing against compliance per se. I was trained as a CPA myself and understand controls. If Virsa can show pay back – tangible – great. Hopefully the savings are not based on inflated post-SOX audit costs.

    Show me the money and I will shut up – because so far the outflow has been real (and huge), but the payback has been based on "investors will sleep well".

    When SAP announced GRC I commented that it will be nice to see SAP do Value Engineering to show pay back from it.

    Having said all this, I would still rather take the dollar in compliance and put it towards innovation. Little of what we spend in compliance will help us against the Chinese.

  2. Also, we were already paying for auditors, the SEC and technology with controls prior to Enron. Enron was even reporting unusual transactions to the SEC and the Street – and our watchdogs did not pry. Ironically we are rewarding them now with more dollars. You really think we know everything is right today in the complex bowels of mammoth companies like GM, GE, Daimler or BA?

  3. Vinnie,
    I guess it depends how you define compliance. If it is just about SOX 404 etc., then I agree with you. But I don't think it is. It is about running a reliable, accountable, trustworthy company. I think you need to take off the SOX glasses.

    Name one company that has awful compliance that is really innovative and sustainable. I can't think of one.

  4. Thomas. Compliance did not get born as a result of Enron. But it has spiked dramatically since. So you cannot ignore its effect. Read my note below about real numbers corporate America is reporting about its cost impact.

    How long has Virsa been around? And when did they start to do well? Post SOX.

    Also I think it is an insult to Jeff Immelt and other CEOs to say that because of Enron you need to also step up compliance. Tarring everyone and every frigging business process (some auditors have never been to a warehouse) as suspect is overreaction on the other side. And no, I do not expect any innovation to come out of it. Unless the education of the auditors that warehouses have bar codes is considered innovation.

  5. Vinnie,
    I have read most of what you have written on your blog on SOX, and much of your ire is vented on the technology vendor, sometimes the auditor. I agree that the law is badly put together, but we didn’t spec it! Your elected representatives did.

    Perhaps you need to be pointing the hose at the SEC and those that run the US regulatory framework. The controls put in place after the 1929 crash have been gradually eroded by your government. To constantly blame software vendors is simply not cricket. As the old Afrikaans saying goes, jy blaf op die verkeerde boom. (you are barking up the wrong tree)

  6. I left the accounting community a long time ago, otherwise I would be bitching at that community about the orgy. I am now in the tech community – and yes, it does bother me that we often do not think about the customer's interest first. In the end my blog and my viewpoint is that. If the industry did, and pricing was more reasonable, and we fought the government over stupid stuff like SOX and Net Neutrality and Privacy, rather than just going along because it makes money, I would have little to say. A lot of people would say hooray to that :-)

    About US regulation – not sure it is just us. MNCs are complex beasts. But so are institutional investors. They know how to read MNCs and make risk assessments. We are kidding ourselves if we think SOX is helping them make better risk assessments. Compliance is just one area of risk. Competition is a much bigger one – where we should be putting our dollars towards…
