
Corporate Compliance Challenges and Escrow Management


By Jeffrey Johnson
Sr. VP, Intellectual Property Management
Iron Mountain

The growth and evolution of businesses' compliance with financial, reporting and operational requirements, including those imposed by regulations as well as those adopted pursuant to Sarbanes-Oxley, present significant challenges to business executives. Compliance is more than documentation; it also includes the control testing of systems, the tighter management of critical third party services, and the near real-time ability to report on all events that 'materially affect' the business. In a very real sense, compliance audits have now taken on the aura of legal discovery.

Fortunately, escrow management is evolving to meet these challenges. An established best practice of vendor management and business continuity, technology escrow has now become a valuable component of a corporate compliance strategy. Technology escrow tools provide real-time, secure access to critical vendor and strategic application contract data. These tools add visibility into and accountability to vendor management, as well as create an auditable business continuity plan.

Compliance has become a significant corporate initiative. The Sarbanes-Oxley Act of 2002 (SOA) is the most visible and challenging new regulation, though not the only one. Importantly, companies now recognize compliance is an on-going issue. According to a recent survey of over 200 business executives, spending on compliance with Sarbanes-Oxley requirements will increase 10% over 2004 spending, to $6.1 billion in 2005.

Though compliance efforts involve the entire organization, information technology (IT) has become the backbone of any corporate compliance effort. These compliance requirements have confronted IT executives and managers with new challenges in an era of tighter budgets. The new regulations require far more than documentation, and as such will require IT to coordinate closely with other business departments, namely Finance and Legal. Indeed, it is widely acknowledged that Sarbanes-Oxley has forced fundamental and significant changes in enterprise business practices.

Technology escrow has long been a best practice of vendor management and financial reporting. Sarbanes-Oxley and 'Staff Accounting Bulletins' (SABs), which are clarifications by the Public Company Accounting Oversight Board, make specific mention of Service Organizations as they relate to financial reporting. Vendor relationships, specifically as they affect corporate financial status and reports, are of particular interest to regulators and the auditing community.

Though the details of compliance with and enforcement of the new regulations continue to evolve, both compliance and vendor management activities will undergo increasing scrutiny. Correspondingly, the role of technology escrow in compliance initiatives will continue to increase.

It is important to see Sarbanes-Oxley in the context of other recent legislation:
  • Financial Modernization Act (Gramm-Leach-Bliley, GLBA, 1999): regulates the safeguarding of personal information collected by financial institutions, or companies providing financial services.
  • FDA Title 21 Code of Federal Regulations Part 11 Electronic Records, Electronic Signatures: addresses the electronic documentation for all pharmaceutical and medical device development and regulatory approval.
  • NYSE Rule 446, and NASD Rules 3510 and 3520: initiated in the aftermath of September 11, 2001, when NASD surveys indicated many of its member companies were ill-prepared with basic business continuity procedures.
  • The Transportation Recall Enhancement, Accountability, and Documentation Act (TREAD): regulates the automotive industry for, among other things, tracking and reporting on "production, warranty claims, consumer complaints, property damage claims, and field reports."
  • In Europe, Basel II, or The New Capital Accord, builds upon the Capital Accord of 1998. Basel II addresses risk management programs at the world's largest financial institutions; it is scheduled to go into effect in 2006.
Spurred by such high profile cases as Enron, WorldCom, Global Crossing, and Adelphia, the regulatory environment has become broader in scope, more intrusive, and more proactive. There is every reason to expect this evolution will continue.

COMPLIANCE AND RISK MANAGEMENT FRAMEWORKS
The SEC has relied upon the Public Company Accounting Oversight Board (PCAOB) to provide SOA guidance to the auditing and broader professional community primarily through Staff Accounting Bulletins. The PCAOB, and older organizations such as the American Institute of Certified Public Accountants and American Accounting Association, have long acknowledged the role of enterprise risk management frameworks and strategies to guide companies in preparing financial reports and achieving compliance. Specifically, these risk management frameworks help companies identify business activities requiring compliance as well as the procedures best suited to succeed.

The risk management frameworks agree on certain basics:
  • Compliance is moving from passive (i.e. documentation) to active (internal controls and testing);
  • Disclosure and reporting timeframes are becoming shorter;
  • Scope has increased to include service organizations and vendors;
  • IT will play a prominent role in achieving compliance.

COMPLIANCE SCOPE - INFORMATION SYSTEMS
Fundamentally, compliance is focused on the integrity of financial statements. However, regulators now recognize the significance and broader scope of information systems, especially those that materially affect financial status and reporting. These include:
  • Supply Chain applications that affect delivery of products, and hence revenue recognition;
  • Enterprise Resource Planning systems that provide data for a balance sheet;
  • Service delivery applications or shipping systems that feed revenue recognition;
  • Contract Management systems or even Sales Force Automation applications that impact strategic accounts and revenue.
The risk management frameworks help IT identify relevant component systems, as well as what must be included in a compliance initiative.

COMPLIANCE SCOPE - SERVICE ORGANIZATIONS AND VENDORS
Regulators also now recognize the significance of service organizations and vendors in accurate and complete financial reporting, and therefore compliance. There is a specific SEC Appendix covering the extent of testing required for different locations, business units, and service organizations.

Auditors must determine if these services have the potential to materially impact financial statements, and are part of your information system. For example, use of a payroll service may require you to design, implement, and test controls to verify whether all payroll transactions sent were indeed processed in a timely fashion. This level of scrutiny includes details of service level agreements.

Another example of a service included in your information system is a bank "acting as the custodian of your employee benefit plan's assets, including making investment decisions, maintaining records of each participant's account, allocating income amongst participants, and preparing other types of recordkeeping."

The significance of third party data and input to your information system has increased, or at least come under increased regulatory scrutiny. In short, your compliance may rely on the procedures and control systems you put in place to manage your vendors and service organizations.

BUSINESS CONTINUITY AND COMPLIANCE
Sections 302, 404, and 906 of Sarbanes-Oxley attempted to assign management responsibility for the assessment of internal controls and the accuracy of financial reporting. However, the initial language left corporations and the auditing community confused regarding contingency planning, disaster recovery, and business continuity. Business continuity is an all-encompassing operational plan for the continued function of the enterprise. Contingency planning and disaster recovery are focused more on specific departments or systems. Specifically, the regulation did not define how any of these activities contributed to compliance, or 'an internal control related to financial reporting.'

Clarification by the PCAOB in March of 2004 in Auditing Standard No. 2 excluded business continuity from compliance requirements, for now. The limiting of continuity planning requirements in Sarbanes-Oxley had to do with the concept of financial reporting on current status, not futures.

Soon thereafter the SEC gave expedited approval to two nearly identical business continuity regulations by significant organizations: New York Stock Exchange Rule 446, and the National Association of Securities Dealers (NASD) Rules 3510 and 3520. These new rules are consistent with heightened regulatory interest in business continuity planning.

Initiated after NASD member surveys indicated a lack of disaster preparedness and continuity planning, these rules identify specific areas a business must address in continuity planning, including planning for continuity of mission-critical systems. Taken as a whole, these rules are more intrusive and encompassing:

Specific procedures must now be outlined, reviewed annually and adhered to in the event that an emergency or significant business disruption occurs. While the rules call for an annual review, if a material change in a firm's operations, structure, business, location or technology takes place that affects the business continuity strategy, the plans must be updated at the time of occurrence.

Here, too, these regulations apply not only to your mission-critical systems, but also to those of service organizations or vendors if they are critical to your business. The frequency of reviews and the conditions that prompt review are also in line with Sarbanes-Oxley.

DISCLOSURE TIMEFRAMES
The Sarbanes-Oxley regulation has also tightened timeframes for reporting events that have a direct and material effect on determining financial statement amounts.

Though the regulations themselves refer to disclosures on a 'rapid and current basis,' the current industry benchmark is within 48 hours. Initially this wording was seen as a call for real-time disclosures, and it is widely felt the move toward real-time reporting requirements is inevitable. Information systems being unavailable or down does not absolve you of these disclosure timeframe requirements.

COMPLIANCE TRENDS
Sarbanes-Oxley and subsequent clarifications signal a more hands-on approach by lawmakers to the preparation of public company financial statements. This and other recent legislation have ushered in a new era of more intrusive audits and evolving corporate compliance regulations. The SEC continues to issue clarifications and new rules. The trend toward a broader scope is clear. As noted above, service organizations such as your payroll services, or your healthcare benefits management organization, have come under increasing compliance scrutiny, and this will likely continue.

Continuity plans are required by new NYSE and NASD rules, recently endorsed by the SEC. As the significance and scope of information systems continue to evolve, including certain service organizations and vendors, business continuity regulations are not likely to be far behind.

BENEFITS OF TECHNOLOGY ESCROW
Escrow management and technology escrow tools can help meet some of these compliance challenges. Technology escrow is already considered a best practice of vendor due diligence and contract management.

Escrow is a valuable tool in on-going vendor management, particularly with more broadly defined information systems. Given the broadening and defining role of information systems in compliance, comprehensive escrow provisions have become all the more important. Technology escrow can help document, control, and protect these information systems for compliance. Current escrow tools also can provide the real-time data required for management and compliance auditors.

Shuffling through file cabinets, or even searching through electronic folders looking for current escrow data (i.e. what is escrowed, release conditions, contact information) can be time consuming, error prone, and difficult to audit. A web-based tool with real-time access to current escrow data is clearly advantageous in a compliance initiative. Even better, it can help management ensure there are no surprises when the auditors arrive.

Another benefit of an escrow service with real-time data access is the ability to quickly generate regular reports and an audit trail. An audit trail documenting when escrow provisions were established or changed, and by whom, would be extremely difficult and time-consuming to produce from a paper trail. Given the increasing scrutiny on service organizations such as employee benefits services and on vendors considered part of your financial information system, such an audit trail could be critical.

Technology escrow has long been a valuable component of business continuity planning. Indeed, continuity is arguably where escrow originated. Business continuity regulations are evolving. Given the growing prominence of information systems in financial controls and reporting, tighter continuity regulations seem inevitable. Escrow documentation may be adequate for now, but real-time, process control testing is the standard for all other systems. A web-based escrow tool provides for the efficient testing and auditing of continuity processes, such as release conditions or verification. It also provides the real-time information foundation for compliance.

SUMMARY
Business managers facing the challenges of today's corporate compliance regulations should take a new look at the latest tools available through technology escrow. These tools reduce the risk of being found noncompliant by providing real-time, secure online access to critical vendor and strategic application contract data.

They also ease the burden of achieving compliance by adding both visibility into and accountability to vendor management, as well as creating an auditable business continuity plan.



Jeffrey Johnson, Senior Vice President and General Manager, Iron Mountain Intellectual Property Management, Inc.

Mr. Johnson currently serves as the senior vice president and general manager for Iron Mountain's Intellectual Property Management business unit and is responsible for leading all activities related to business strategy, marketing, selling, client service delivery, information technology, financial performance, and partnering with other internal support organizations.

Mr. Johnson is working to develop Iron Mountain's intellectual property business in North America, Europe, and select South American countries. In addition to these responsibilities, Mr. Johnson is providing leadership and support to other Enterprise initiatives as part of the Executive Management team.

Iron Mountain's Intellectual Property Management services

Iron Mountain is the leading global service provider of intellectual property management services specializing in technology escrow and domain name records management. As the founder of the industry, Iron Mountain has the integrity, reputation, resources, and experience to ensure intellectual property is properly managed and protected. Iron Mountain's Intellectual Property Management services set the industry standard by providing quality customer service and unmatched solutions to three-fourths of the Fortune 500.

© 2019 Simplex Knowledge Company. All Rights Reserved.