A recent series of high-profile Fortune 500 scandals has underscored the need for greater reporting accountability from corporate officers and managers. The Sarbanes-Oxley Act requires public companies – those that have sold securities of any sort to the public – to file various financial reports with the Securities and Exchange Commission (SEC).
These regulations have a direct impact on thousands of small and midsize companies, public or not, which must have the same strong corporate governance and financial control procedures in place as their big-company counterparts.
The requirements have created much confusion among these small and midsize businesses (SMBs), who aren’t sure what actions need to be taken, or how they’ll take those actions when their time and resources are already stretched too thin just running the company.
The good news for SAP customers is that their existing environment already includes valuable tools for tightening internal controls and reporting. mySAP Financials are steeped in financial control guidelines focused on corporate governance, helping SMBs lay the groundwork for compliance with regulations more easily.

Who, what, when?

The first step to compliance is understanding some Sarbanes-Oxley basics, i.e. who the law applies to, when it comes into force and what it entails.
A panel of consultants from PricewaterhouseCoopers LLP recently answered some of these questions during an SAP-sponsored web seminar entitled, “Sarbanes-Oxley for Small and Midsize Businesses: Leveraging Your SAP Environment to Enhance Financial Controls.”
According to Matthew Gunbie, Partner, Middle Market Advisory, for PricewaterhouseCoopers, all publicly held companies are impacted. U.S. companies with a public float exceeding $75 million must comply for fiscal years ending on or after November 15, 2004. Other companies, including small businesses, foreign private issuers and companies with registered debt securities, must comply for fiscal years ending on or after April 15, 2005.
Are privately held companies free from fretting over the new law? Not according to Gunbie. “You may be a company that’s been targeted for acquisition by a public company, and the acquisition may be material to the consolidated financial statements,” he said. “Perhaps you want to put your company in a more strategic position for acquisition, look more salient to lending institutions or participate in state and local business ventures that require adherence to the Sarbanes-Oxley Act. As a private company, you need to be concerned about compliance.”
During the event, Gunbie introduced key sections of the law, outlining the “must haves” for SMBs to reach compliance. To increase the timeliness, veracity and transparency of their financial reporting, public companies are required to:

  • Certify the accuracy of quarterly and annual financial statements and disclosures.
  • Design, establish and maintain disclosure controls and procedures.
  • Evaluate the effectiveness of disclosure controls and procedures within 90 days of the report filing date and report on the effectiveness of the controls.
  • Indicate, in each annual audit report, any significant changes in internal controls – including any deficiencies and material weaknesses that have occurred since the most recent evaluation.

Gunbie said that many SMBs, already faced with too much work and too little time to do it, ask why an annual financial statement can’t be used to address many of these requirements. But the controls imposed by Sarbanes-Oxley extend beyond the financial realm.
“There’s a shift from the traditional view of internal controls being the sole responsibility of finance,” he explained. “To comply, these controls must be considered throughout the enterprise. Companies must develop a fully integrated framework of internal controls that can be evaluated and tested across all business and functional areas.”
The challenge many organizations face is that there is little to no documentation for key processes with identified critical controls, such as revenue, procurement and payroll. Additionally, IT controls are generally not documented and monitored for effectiveness.
This is a part of the Sarbanes-Oxley readiness assessment that many organizations are going through now. Mapping the configuration settings within SAP that support the key processes, in accordance with COSO, will likely accelerate documentation requirements. (COSO refers to the Committee of Sponsoring Organizations of the Treadway Commission, which provided the leading framework for Sarbanes-Oxley compliance around internal controls.)

Technology to the rescue

Concerned with keeping a cap on IT expenses, many SMBs wonder if they should just “throw people” at the problem to audit every process. While no one anticipates eliminating people from developing and monitoring internal controls, decreasing human interaction decreases the opportunity for more “accounting acrobatics” to take place – the very behavior that spawned the need for the Sarbanes-Oxley Act in the first place.
During the web seminar, William R. Shipley, Partner, Security and Privacy Practice for PricewaterhouseCoopers, explained how technology is critical to helping companies respond quickly to meet compliance.
“Technology is a cost-effective way of creating controls and demonstrating that those controls are working, which is critical to compliance,” said Shipley. “With technology, companies can create and automate repeatable and consistent controls. That’s hard to do when manual controls are in place.”
Shipley said the fragmented financial systems found in many SMBs – with an inherent variety of interfaces and reconciliation procedures – make compliance more difficult. In addition to increasing the risk of material errors in consolidating financial results, disparate systems lengthen the time it takes to close the books. This is a problem as some provisions of the Sarbanes-Oxley Act and other SEC requirements call for more accelerated disclosures and closings for those companies filing financial statements with the SEC.
Technology, then, is clearly an enabler in meeting compliance. “As long as there are sound accounting policies, procedures and controls in place,” said Shipley, citing comments from other industry analysts, “SAP users have the tools to handle the financial reporting requirements of the Sarbanes-Oxley Act.”

SAP: Reducing compliance complexity

What makes SAP customers so well prepared? Much of the functionality needed to support compliance with Sarbanes-Oxley is already there, within mySAP Financials.
Remember the integrated framework of internal controls Gunbie talked about? The groundwork’s been laid thanks to the enterprise-wide, cross-functional nature of SAP. The repeatable and consistent controls that Shipley mentioned? More easily accomplished thanks to the inherent controls within mySAP Financials. Further, SAP is working actively to deliver new functionality which is aimed at reducing compliance complexity for SMBs.
As companies rush to meet Sarbanes-Oxley regulations, one thing becomes clear – compliance is beginning to look a lot like the “Good Housekeeping Seal of Approval” for accounting, a label that says accounting practices are on the level and investor confidence is on the mend.
To hear a replay of the Sarbanes-Oxley web seminar, visit: http://sap.webex.com/sap/playback.php?FileName=http%3A//www.sap.com/fm/webex/sarbanes_smb_012704.wrf&Rnd=0.49751641622574.
To learn more about the Sarbanes-Oxley Act and SAP’s supporting applications, link to:

An IDC Report: http://www.sap.com/solutions/financials/ or an SAP brochure: http://www.sap.com/solutions/financials/brochures/.

Susan Twombly