In further defence of compliance

Vinnie, Dennis, James and I are having a rather long-winded discussion on Compliance, Governance and Risk, and in particular the Sarbanes-Oxley Act of 2002. (We had a similar run-in last year.)

I don’t really like it when the broader compliance discussion ends up focusing on the costs of section 404 of SOX, but this is where the debate always seems to end up. (I’ll save that rant for another day, but there is more to SOX than audit, more to compliance than SOX, and more to GRC than compliance.) In this post I won’t discuss software. I’ll focus on SOX.

Vinnie, I don’t think I am glamourising compliance, but at the risk of being trite I’d suggest that you are looking at business through a set of rose-coloured specs. Options scandals, excessive executive pay, anyone?

I’m not arguing that SOX is perfect, just that it is working. Investor confidence is up, transparency is up, and costs are on the way down. Yes, audit costs are still way too high, but recent reforms may help to address this.

I was updating my reading list this morning. I wish I’d found this blog earlier. Lots of interesting, well-researched stuff on compliance. Well worth a long perusal. The site pretty much debunks the argument that SOX is a failure, and also points out that many business leaders are strong supporters of SOX.

The blog is maintained by Prof Brown from the University of Denver. Herewith an excerpt from a recent paper.

Sarbanes-Oxley (SOX) was adopted in a rush, political expediency necessitating that something be done before the 2002 election to minimize voter backlash from the collapse of Enron and WorldCom. Despite the rush, the Act contained a number of improvements on the current state of regulation, including a separation of accounting and consulting services, increase in the strength and independence of the audit committee, certification of financial statements by top officers, and assessment of internal controls by managers and auditors.


The blog led me to this piece written by Joel Seligman and Harvey J. Goldschmid. Seligman is president of the University of Rochester and has written several books about securities regulation. Goldschmid is Dwight Professor of Law at Columbia Law School and served as a commissioner of the SEC from 2002 to 2005, and general counsel of the SEC in 1998 and 1999.

It is important to remember the context in which SOX was passed.

Go back about five years. This country was in the midst of the largest securities fraud wave in its history. Daily news stories highlighted the alleged misconduct of major corporations, including Enron Corp. and WorldCom Inc. As significant were several other lesser known trends. Financial restatements had grown linearly between 1997, when there were 116 restatements, and 2001, when there were 305. Not all of the restatements should be attributed to fraud, but a significant number fairly could be. The staff of the SEC had not grown by a single position between 1995 and 1998. Deterrence, as we entered the new century, had been grievously weakened. Significant areas of concern, such as research analysts, were largely unaddressed by the commission. In the months running up to the enactment of the Sarbanes-Oxley Act, aggregate stock market values declined by more than $7 trillion between selected dates in March 2000 and July 2002.
These developments led Congress (by a vote of 99-0 in the Senate and 423-3 in the House), the SEC, the New York Stock Exchange and the National Association of Securities Dealers to respond vigorously with the Sarbanes-Oxley Act and other important reforms. Conflicts of interest in the auditing profession and in corporate board practice have been systematically reduced. Internal auditing controls have been effectively strengthened through executive certification and the much-criticized § 404 of Sarbanes-Oxley. The SEC’s budget was dramatically increased, and the SEC and Justice Department devoted much greater resources to enforcement. And private securities class actions have played an important role in deterring corporate misconduct.

They go on to note:

Is the system perfect today? Of course not. It is nearly universally recognized that compliance costs with respect to § 404 of Sarbanes-Oxley have been too high, particularly for small and medium-sized firms. But the system is working. The Public Company Accounting Oversight Board has recently proposed revising its most expensive Audit Standard No. 2 (the basis for most complaints about § 404) and replacing it with a streamlined Audit Standard No. 5. The SEC itself has offered constructive guidance that should further reduce compliance costs.

See also what the Business Roundtable had to say in 2003. I’d argue they are more representative of the CEO than Fortune magazine is, given that it directly represents one third of listed companies, rather than the whims of an editor.

The following is submitted on behalf of The Business Roundtable, an association of chief executive officers of leading corporations with a combined workforce of more than 10 million employees in the United States and $3.7 trillion in revenues. …

The Business Roundtable strongly supported the enactment of the Sarbanes-Oxley Act of 2002 (the “Sarbanes-Oxley Act”), and we applaud the Commission’s efforts to implement the Sarbanes-Oxley Act.

Read the full submission here. And if you go to the Business Roundtable site you will see continued, consistent support for SOX.

Brown’s blog also led me to this BusinessWeek article: not everyone hates SarbOx.

Lost amid all the boos over SarbOx, they say, are some major benefits. The biggest: SarbOx and related reforms have produced much more reliable corporate financial statements, which investors rely on when deciding whether to buy or sell shares. For them, SarbOx has been a godsend.

At the end of the day though, SOX is about the investors. Since the passage of SOX, the Dow has almost doubled; some of the credit for this should go to those that passed and implemented the law.

I’ll finish with a link to a bad couple of weeks for critics of SOX.



Yet more on Sox, Compliance etc

Credit to Mark Crofton for spotting this blog-newsletter, fiercesarbox. Subscribed! It is a super source of compliance-related news and fluff-free commentary. Some examples.

The new guidance from the SEC and PCAOB

Enterprise Risk

Sarbox costs continue to decline, audit fees remain high

Myth busted: Sarbox not driving away U.S. companies

Compliance readiness: a way of life?

More jargon: What is a SAS Type II Exam?

All good stuff, but I’ll leave you with this gem:

Sarbanes-Oxley is a convenient scapegoat in a lot of ways. If a company wants to go private, there’s no shame in citing the law. If a CFO wants to step down, he can always say Sarbox has made his job impossible. Exchanges can always blame Sarbox when another listee goes overseas. The list goes on and on. Perhaps you should use this wonderful scapegoat to your advantage. Tim Minahan, a supply chain expert who cut his teeth at Aberdeen, has released an e-book called The 100 Greatest Supply Management Tips of All Time! Tip No. 11 is a great one: “Create a Crisis: Whenever possible, link your supply management initiative to a top corporate goal or challenge, such as complying with the Sarbanes-Oxley Act or managing risk. This speeds alignment and can help secure executive and stakeholder support.” So there you have it. If you want something done, use Sarbox.



SOX again. Getting to the real numbers.

I sense a series of enterprise software and law-compliance posts brewing. I tried to explain some compliance stuff last night via email, but I failed. Signal-to-noise ratio was wonky. So I’ll post instead. Warning: if you find law, finance costs and software boring, stop reading now.

I’d rather pick up on laws other than the Sarbanes-Oxley Act of 2002; it tends to crowd out discussion of other important laws, and paints a very US-centric picture of compliance. But given that the Act is undergoing a timely fine-tuning, I figured it was worth a revisit.

Details here on the SEC site.

“Congress never intended that the 404 process should become inflexible, burdensome, and wasteful. The objective of Section 404 is to provide meaningful disclosure to investors about the effectiveness of a company’s internal controls systems, without creating unnecessary compliance burdens or wasting shareholder resources,” said SEC Chairman Christopher Cox. “With the Commission’s new interpretive guidance for management on the evaluation and assessment of its internal controls over financial reporting, companies of all sizes will be able to scale and tailor their evaluation procedures according to the facts and circumstances. And investors will benefit from reduced compliance costs.”

You can watch the SEC broadcast here. (Nice transparency!) I’ll explore the implications of these changes in another post, but it seems that the US is moving to a more principles-based control framework, which is more like the UK’s FSA model. SOX isn’t being scrapped or radically transformed, but after 3 years of year-ends the SEC is in a better position to improve the “protection-cost” ratio.

Vinnie has a regular go at SOX, SOX costs, and indeed those selling compliance tools. His recent post is no exception, commenting on Oxley saying he would have done things differently.

Wish he had said that 3 years ago – but sounds like we are back to “normal times” after pissing away billions on gun-to-the-head compliance spend.

In this post I’d like to explore SOX costs in a little more detail, because I’ve been privy to some interesting research. As part of my job I have access to the Hackett Group research, and I’d really urge anyone who is interested in understanding technology and best-in-class performance to spend some time reading their stuff. It is thorough, independent, compelling and worth the money.

In 2005 Hackett commented:

This is the first time in Hackett’s 14-year history of benchmarking that finance costs have risen for typical companies.

2005 was the first year that Section 404 really hit home for most companies: they had to begin to comply with the requirement in their annual reports for their first fiscal year ending on or after April 15, 2005.

Hope Hackett don’t mind me linking the graph here.


Again in 2005 Hackett said:

Hackett’s research also found that world-class finance organizations now spend 42 percent less in the finance function than typical companies, and have 44 percent fewer finance staff. According to Hackett’s research, world-class finance organizations now spend 42 percent less than typical companies overall (0.73 percent of revenue versus 1.26 percent). Typical companies have seen an 18 percent increase in total finance costs since 2003, while world-class finance organizations have seen a 5 percent drop during the same period.

Compliance costs have risen significantly for both world-class and typical companies since 2003. World-class now spend 36 percent less on compliance than typical companies (.060 percent of revenue versus .094 percent). For instance we see that the typical company is spending an additional $340,000 per billion in revenues or a total of $940,000 per billion in revenues for additional internal finance and external resources to meet today’s compliance requirements.

There are a couple of things I’d like to pick up on here.

1. The impact of SOX is clear here. The big jump in costs can largely be linked to SOX-related projects, especially the panic projects that drove early spend. Interesting, though, that the world-class companies’ cost of compliance post-SOX is lower than that of the peer group pre-SOX. The impact of SOX is less on world-class companies than on the peer group too, the jump in absolute terms being significantly smaller.

2. Now, let’s move on to the more recent numbers from Hackett. (I don’t have a graph I can share publicly, but Book of Numbers owners can look it up.) The finance costs as a percentage of revenue for world-class companies have now dropped to below pre-SOX levels, whereas for typical companies the cost continues to climb. The delta is growing. For those companies that lurch from audit to audit and spreadsheet to spreadsheet the cost of compliance will spiral, as SOX is just one wave in the ebb and flow of compliance demands. For those that invest in compliance automation, strong foundation systems and smarter processes, the picture is a whole lot better. Hackett has the numbers to prove it.

The message here is clear. Moan about SOX all you like, but the best companies in the world have focused on putting in place the processes and the technologies to drive down the cost of compliance. Every year they will relentlessly improve their processes, further automate and drive out more costs. Yes, compliance costs, but how big that cost becomes is entirely up to you. SOX will not be the only law that causes compliance challenges.

I’m not sure where the shame comes into it. The finance folks that I talk to want a finance function that provides transparency, control and trust at the lowest possible cost. And that is just for starters.



Ode to a twitter.

Nick Carr has knocked twittering on a number of occasions.

We’re Tweety Birds.

I did! I did taw a puddy tat! [half a minute ago]

I tawt I taw a puddy tat! [1 minute ago]

I’ve not done one of my poncy literary quote posts for a while, so here goes… I’ll spring to the defence of twittering by calling up the big guns from ages past. In this case John Keats. The bloke who died young and did that Greek pot thingy also figured that birds, especially those that tweet, were pretty cool.

 ‘Tis not through envy of thy happy lot,
 But being too happy in thine happiness, –
 That thou, light winged Dryad of the trees,
     In some melodious plot
 Of beechen green, and shadows numberless,
 Singest of summer in full-throated ease

(See the Wikipedia entry on the poem.)

James really raves about Twitter, so I sense Nick got irked with his “too happy in thine happiness” riff.

I’m a fan of Twitter, but more so of the act of twittering. I was mildly skeptical at first, but once I saw that half a dozen good friends of mine were using it, I began to pay it more attention. Jason Wood, taking yet another well-deserved break from composing his Sapphire epic post, is eloquently puzzled by Twitter. Dennis, the human mashup (half curmudgeon, half gadget freak), now gives Twitter the thumbs up, after dissing it at first. One of Dennis’s favourite sayings is “strong opinions, weakly held”. He now calls Twitter “a bit stream of personality”. Spot on, Dennis! It was his Twitter that alerted me to Jason’s post. And yes, I would have got to it in my feed reader eventually.

Twitter fills that space between email and my feed reader, and I’ll use it until something better comes along. It beds down nicely in my nest of lightweight tools: Confluence, Livewriter, Google Reader, WordPress, Gmail and my nano-microphone. It provides a mix of personal stuff, work stuff and humour. I keep up with about 20 or so “friends” now, some of whom I meet a lot in person, others I haven’t.

Via James I found Ted, who links to Leisa Reichelt on Ambient Intimacy. (Two new adds to the feed.)

Ambient intimacy is about being able to keep in touch with people with a level of regularity and intimacy that you wouldn’t usually have access to, because time and space conspire to make it impossible. Flickr lets me see what friends are eating for lunch, how they’ve redecorated their bedroom, their latest haircut. Twitter tells me when they’re hungry, what technology is currently frustrating them, who they’re having drinks with tonight.

Who cares? Who wants this level of detail? Isn’t this all just annoying noise? There are certainly many people who think this, but they tend to be not so noisy themselves. It seems to me that there are lots of people for whom being social is very much a ‘real life’ activity and technology is about getting stuff done.

There are a lot of us, though, who find great value in this ongoing noise. It helps us get to know people who would otherwise be just acquaintances. It makes us feel closer to people we care for but in whose lives we’re not able to participate as closely as we’d like.

Knowing these details creates intimacy. (It also saves a lot of time when you finally do get to catchup with these people in real life!) It’s not so much about meaning, it’s just about being in touch.

Ted goes on to say:

One thing that attracted me to Twitter was that it was a one stop shop. Web view, RSS view, IM integration, Text Message integration, and a REST based API for additional integration (I can’t wait until Bear gets done hacking Twitter support into supybot). There’s going to be a bunch more experimentation with Twitter, both via technology hacks, but also via social hacks. I think that this is going to be an interesting playground to be a part of. The top thing on my list is the ability to have subgroups (both dynamically and statically) formed inside Twitter.

Craig is thinking of knocking together an SAP Twitter integration. Not because he reckons that it will be useful, but because it might be. If you’d like to see Twitter in a simple work context, read Craig’s post here.

A year ago it was hip to say I found my job via my blog. It won’t be long until someone I know will say in 140 characters or less, I twittered my way into a cool new job.

I’m not sure if the Twitter tool will stand the test of time, but twittering will. Bring on the singest of summer in full-throated ease.


Org charting…

My cycling compadre Sig is no friend of hierarchies, but most of us in the corporate world are faced with them every day. Any tool that can make hierarchies more visible, transparent and usable is goodness, so it was good to see TechCrunch feature OrgPlus from Human Concepts recently.

It’s always a little weird when a stodgy-sounding task goes all Web 2.0. Case in point, creating organizational charts. Software vendor Human Concepts makes OrgPlus, the go-to app for such an activity and OrgPlus Live is the new Web-based version of said software. Don’t think you need org charts? Well, maybe it’s just that you don’t know any better.

In my early days at SAP I was a consultant for the organisation management product. (2.2f and 3.0, for those consulting sorts reading this.) The product could do all sorts of neat things, but could it display a decent org chart? Nope.

Well, after a while some enterprising folks decided that charting add-ons to SAP were a good business to be in. A couple of firms got together with SAP consulting partners and built integration to SAP PD to do really cool and fancy charting. Charting tools become powerful if they visualise business data. I’m not a big fan of re-entering data for the sake of a nice chart, but if you can drive it off your real-time transactional systems then this is goodness. Here are more details on the OrgPlus integration.

Initially this was tolerated rather than supported here in Walldorf. Thankfully, things have changed. Over the last couple of years, especially with NetWeaver, this sort of integration has got a whole lot easier, both technically and politically. We delivered a standard interface via XML that allows any charting vendor to do their thing. Lots of neat portal integration too. Also, programmes now exist for this sort of partnership, and attitudes are changing too.


If you are interested in charting your evil hierarchies then check out OrgPublisher and Nakisa as well. Another partner has also done some interesting stuff with Visio. Here is an example from OrgPublisher, with HR and Financials integration.


This is a good example of how SAP is changing and how it needs to change more. If a third-party vendor does something better than we do, we should embrace and help them. Make it easy for them to succeed. Connect them with our customers and deliver a better all-round solution. Make it simple for customers to find these solutions in the first place, and implement them quickly and safely. The Powered by NetWeaver initiative is a move in the right direction, but there is more to be done if we want to encourage a thriving ecosystem of ISVs.


Milano, prego.

I was on the 7.20am flight from Frankfurt to Milano Malpensa this morning. I have several meetings at SAP Italy, so I won’t get the chance to do any sightseeing, but even so it is great to be in the land of espresso. I’m writing this in the cab on the way to SAP Italy.

The plane ride was very cheerful, lots of tired but smiling Italians dressed in the black and red of AC Milan. They had been in Athens at the game. I sat next to a father with his 10-year-old son. The smile on both their faces was enough to cheer up the grumpiest business traveller. I’m glad I wasn’t flying to the UK today.

Doing business in different European countries is one of the joys of my job. It makes me realise that Europe is just a very thin crust on top of a deep pie of national cultures. I’ve never yet met a European, yet I’ve lived in Europe for a decade. This is something that many US-based software companies don’t get. Long may their ignorance continue. Keep trying to build European payrolls and sell to Europeans.

Just to illustrate this, a photo from Sapphire Vienna.



I asked the SAP account manager of one of Italy’s largest companies why they had their own coffee machine, instead of using the one 5 metres to the left like everyone else. Viennese coffee is pretty good, I figured. Why lug an Italian machine (in this case a Saeco) and coffee halfway across Europe?

She looked at me as if I was a small boy who had just asked a really dumb question, and she said, “We cannot do business without making an Italian espresso first.”

After an hour in the Milan traffic, I’ll be needing that espresso.



Governor, risk and compliance..

Good to see James Governor posting on GRC. I’d suggest you read the whole post, but a little snip for you here.

One of the characteristics of SAP’s GRC strategy is that it’s taking a wide view of the problem. Sarbanes-Oxley is just one regulation of many that companies need to deal with.

James mentioned the Cisco deal; here is the press release. He also picks up on IBM and some of the other players in this space, so we don’t have it all to ourselves. BTW, I’m impressed with the Approva blog. (Tip: Dennis.) If you’d like some background on SAP’s GRC offerings click here. Or have a look at the Sapphire track.

Regular readers of this blog will be aware of my long-suffering compliance PhD endeavours, but, shock horror, I recently submitted an article to an HR journal on the implications of GRC for HR, beyond SOX. Once it has been through editorial review I’ll link to it. I have said this a number of times, but the best paper I’ve read on compliance and technology remains S. O’Grady’s Compliance Oriented Architecture. It is due for a revision given the changing vendor landscape, but the core remains pertinent today.

“Organizations should deploy a services-based architecture that can deliver compliance specific services as necessary, based on specific acts and regulations.”

This is a big market: an AMR Research study pegs the value of the GRM/GRC marketplace at $30 billion by 2008. Read Gartner’s take here. One of the big growth sectors for GRC at the moment here in Europe is local government. They want to reduce fraud and significantly drive down the cost of audit. Other emerging drivers include REACH, a major environmental law impacting the chemical industry. Moving how companies react to laws and regulations from a project-based panic reaction to a broader risk portfolio approach makes a whole lot of sense, and this is partly what GRC is all about.

In the meantime, I’ll point you to the latest episode of Starship Enterprisey Radio, where rather than the geeks explaining techie stuff to the suit, we turned it around. Have a listen to Craig, the übergeek, asking me to explain what GRC is all about. We plan to have some guests on the show to dig a little more deeply into this sort of thing.

Also at Sapphire in Atlanta I sat down and chatted with Denise Broady. She is responsible for the US GRC business and the Office of the CFO team. We recorded two podcasts, one on GRC and the other on the Office of the CFO. I’ve finally uploaded them to my Odeo podcast feed, but you may have already heard them via Mark Crofton.

I’ll need to post later on the SOX revisions once I’ve studied them in a little more detail. I’m also speaking at a GRC event in September; more details to follow once we get the agenda in order.

