When a task has to be undertaken, it's often best to view it as a challenge rather than a burden. Such is clearly the case with regulatory compliance where the escalating costs have forced companies to adopt strategies that can transform a regulatory burden into a competitive advantage.
Learn how several companies used Oracle E-Business Suite and Oracle Internal Controls Manager to
- set up a single, fully integrated operating system with common terminology and nomenclature;
- put systems in place that can adapt quickly to changing circumstances;
- maintain all control activities, policies and procedures in one central repository;
- provide management with a dashboard for monitoring performance.
Corporate Compliance
Intelligent Compliance
By Molly Rose Teuke
Finding opportunity in compliance mandates
The cost of regulatory compliance is soaring in response to an alphabet soup of mandates: HIPAA, ISO, FDICIA, and now SOX, or the Sarbanes-Oxley Act of 2002. AMR Research estimates that global spending on compliance initiatives will reach US$80 billion between 2005 and 2009. With this growing financial burden comes a strong interest in adopting compliance strategies that yield benefits beyond legal compliance. Increasingly, companies are finding that the human and financial costs of responding to each regulatory challenge with one-off solutions are not yielding a positive return on investment.
"The extent to which you can measure ROI is going to be dependent on the extent to which you see this as an opportunity as opposed to a compliance burden," says Paul Barbour, director, Deloitte & Touche. "Some of the more forward-thinking companies are asking, 'Now that we had to do this, how can we use this to benefit the company in the future? How can we redirect our compliance efforts away from risk aversion and toward risk intelligence? How can we take what could be a regulatory burden and turn it into a competitive advantage?' These companies will realize a return on their investment. Other companies will treat it as a necessary but sunk cost, and I think they will be missing an opportunity."
Eye on the Competition
Thinking positively about compliance is likely to yield more than a competitive edge; it will also keep costs down. "That means focusing on three elements," says Kathleen Wilhide, director of compliance and business performance management solutions research at IDC, a Framingham, Massachusetts-based IT and telecommunications research firm. "Compliance is fundamentally about people, process, and technology," she says. "Organizations should be looking at solving the compliance challenge from these three perspectives, the goal being to move from manual to automated to sustainable processes using technology."
Change Is Good
For companies that have disparate systems and multiple siloed data repositories, the challenge will be greater, with SOX providing an impetus for change. "Some companies are seeing that, for the first time, they have the business case to transform the organization, to centralize and standardize technologies," says Bethany Larson, a partner at Deloitte & Touche. "They know they can't afford to have similar business processes being conducted on different technologies and in different ways across an extended enterprise. They're using compliance to do things that are going to reduce the overall cost structure, with the rationale that they just can't afford the risk anymore."
Companies that already have centralized, standardized systems have a head start, but other challenges remain. A universal challenge, and benefit, of SOX is implementing individual ownership of controls, spreading compliance accountability throughout the enterprise. In the past, that accountability has typically resided primarily with internal audit departments and executive management. "For a lot of companies, that's a new concept," says Larson. "There are employees who have never been responsible for controls and never really understood what controls were."
"Sarbanes gave us a common terminology related to risk and controls," adds Barbour. "That common understanding has elevated the importance of the role of internal audit and its value to the organization."
Another key to proactive, sustainable compliance is what Barbour calls "tone at the top," with executive management embracing and communicating a holistic approach to compliance. "Sustainability," he says, "is going to be measured in how much this compliance process is becoming part of the DNA of an organization; how it's integrated into existing processes, into technology infrastructure, and into people's day-to-day jobs; and how well all of that is communicated from the top."
The vision, he adds, is that "if we're going to react more quickly to changes in our industry, to changes that occur day to day, we certainly ought to put systems in place that can adapt more quickly to what's changed."
Viasat: From Compliance to Daily Business Intelligence
San Diego-based ViaSat is a rapidly growing company in a dynamic communications sector. The company produces advanced digital wireless communications and signal processing products and has made several acquisitions in the last decade, growing from US$60 million in revenue just six years ago to US$380 million today. With a strong presence in both government and commercial markets, ViaSat is accustomed to regulatory compliance issues. Yet, like many others in the trenches of compliance initiatives, Aaron Sager, ViaSat's manager of business systems, had to take a deep breath as he faced the reality of SOX.
The immediate concerns were universal: lack of clarity in understanding the legislation and a scarcity of staff people with the skills and insights required for SOX compliance. At ViaSat, those challenges were compounded by an April 2 fiscal year end, which tightened the company's timeline. The good news was a supportive, proactive attitude by executive management and a coherent set of best business practices across divisions.
"Our decision to go with Oracle E-Business Suite was really the foundation that positioned us for compliance in Year One as well as for ongoing compliance," says Sager. "Having all our divisions on a single operating system, fully integrated so that we're not looking at different business processes across several different organizations, allowed us to create what we consider our shared service model, which helped us gain huge efficiencies in terms of managing those processes centrally. From a Section 404 standpoint, it allowed us to cut down on the number of controls and on auditing that needs to be done."
Internal Controls Management
Because ViaSat is an Oracle shop, Sager turned to Oracle Internal Controls Manager to facilitate compliance. "We were an early adopter of the product, so our core decision wasn't 'Where is this product right now?' It was 'How is this product going to evolve?' and we knew that it was going to highly leverage the integration points within Oracle E-Business Suite. With every release, we continually reaffirm our decision. We have yet to see other products that even come close to leveraging the Oracle E-Business Suite like Oracle Internal Controls Manager does."
Fundamentally, SOX compliance is about the transparency and reliability of financial reporting. Oracle Internal Controls Manager helps achieve those functional aims by facilitating enterprisewide visibility, real-time data, and enhanced internal controls. ViaSat has leveraged many of Oracle E-Business Suite's automated controls because they underlie sustainability and, says Sager, they're easy to test, the security level is high, and they're built on a foundation of monitoring.
But Sager recognized that in order to rely on automated controls, he needed strong general computer controls to guard against unauthorized users gaining access and diverting or changing parameters that would render those controls ineffective. A unique feature of Oracle Internal Controls Manager, called application controls monitoring, shows benchmark setups of controls within Oracle E-Business Suite and how long they've existed, which allows transparency into whether setups have been changed recently.
"It's a very powerful tool in terms of auditing those parameters," says Sager. "By using application controls monitoring, ViaSat is able to look across the organization at critical setups to ensure that automated controls aren't being compromised. The cost benefit is that it brings the testing of these automated controls back to functional areas so users can adequately manage their own controls, as opposed to someone more technical within IT going through and validating them all. From an efficiency standpoint, it allows review and monitoring to happen very quickly."
One benefit of pushing controls ownership down to process owners is that they become aware of changes that could compromise compliance or operations or both. "You're really creating a pipeline that each of the process owners can use to feed information upward about any changes, and at that point, it becomes a compliance manager's responsibility to absorb that information and determine whether we created a gap," says Sager.
"We're building an architecture that will give management a bulletproof level of security and a level of assurance that it's continually informed of business events and situations. We're looking at daily business intelligence and giving executive management a dashboard for continually monitoring key performance indicators throughout the company."
Seeing Value from Compliance
Anticipating the value-added benefits of compliance made it easier to swallow the expenditure of US$1.3 million for external SOX-related activities, a number that, Sager points out, is neither sustainable nor acceptable to shareholders.
"Our vision for sustainable compliance starts with what ViaSat is functioning on, which is Oracle's core financial modules, coupled with Oracle Internal Controls Manager," he notes.
"My function now is to shift away from creating this architecture and move in the direction of greater automation and greater efficiency among our operations. As ViaSat grows, my goal is to keep the efficiency curve greater than the growth curve."
Loral Space & Communications: Creating a Central Repository
Loral Space & Communications is made up of two core businesses: Bedminster, New Jersey-based Loral Skynet, which operates a global fleet of five satellites, and Palo Alto, California-based Space Systems/Loral, which manufactures commercial satellites. The two businesses are regulated by the International Telecommunications Union, Federal Communications Commission (FCC), and the telecommunications laws of the dozens of countries in which Loral operates.
Thanks to ISO compliance, both business units are also grounded in best-practice methods and processes. The demands of SOX on operating efficiency of controls, however, put a strain on the corporation when it came to Section 404 compliance.
Critical Documentation
"All of our control activities for each entity were in spreadsheets, and they weren't linked," says Barry Goldfeder, senior director of business controls, systems, and processes. "Consolidating such a system manually would have been an exhausting task. We have only three people in our group, and they're not dedicated to Sarbanes-Oxley."
Snapshot

ViaSat
www.viasat.com
Year founded: 1986
Headquarters: Carlsbad, California
Revenue: US$380 million in FY2004
Number of employees: More than 1,000
Products and services: Oracle Database; Oracle E-Business Suite, including Internal Controls Manager and Projects

Loral Space & Communications
www.loral.com
Year founded: 1997
Headquarters: New York City
Revenue: US$200 million in 2004
Number of employees: 2,200
Products and services: Oracle Database; Oracle E-Business Suite, including Financials and Internal Controls Manager; Oracle Consulting
According to a March 2005 Financial Executives International survey, it can take up to 14,000 internal staff hours for companies the size of Loral to identify and define a company's business processes, link documentation to those processes, and identify risks and controls associated with those processes. Because both Loral Skynet and Space Systems/Loral were already using Oracle E-Business Suite, the solution was to standardize control activities on Oracle Internal Controls Manager. "Sarbanes-Oxley is all about documentation, especially during the first-year certification process," says Cindy Kwan, network administrator in Loral's corporate IT division. "The templates within Oracle Internal Controls Manager made it very easy to upload huge amounts of data on Loral's business processes, risks, and controls into the tool, making what could have been a very daunting task much easier. And now we have one central repository for all that documentation that can be accessed and updated automatically by authorized users."
Controls Frameworks
Oracle Internal Controls Manager was attractive for another reason: It's based on COSO, a widely used framework for internal controls over financial reporting, and supports CobiT, the framework Loral uses for IT controls. Using those two frameworks, Goldfeder and his team identified hundreds of internal control activities across operating divisions that required testing, certification, and ongoing monitoring under Section 404. Those control activities and their associated risks are now stored in the Oracle Internal Controls Manager risk library, giving Loral's executive management a 360-degree view of risks associated with each control activity and who within the organization has responsibility over that control.
"We're able to use the dashboard in Oracle Internal Controls Manager to see how we stand at any given time in the 404 certification process," says Goldfeder. "We can also see when process owners have evaluated and signed off on the effectiveness of internal controls associated with a specific business process. Having that level of accountability really gives us that much more comfort in the entire process."
Goldfeder has turned on most of the internal controls already embedded in Oracle Financials; Oracle Internal Controls Manager and its auditing features enable Loral to further strengthen those controls. "If you have a person who wasn't allowed to procure and, for some reason, an exception was granted, Oracle Internal Controls Manager has the ability to send notification to an internal audit group. That's the type of functionality I see Loral really benefiting from, going forward."
Complying With Sections 404 and 302
A value added to Oracle Internal Controls Manager's capacity for Section 404 monitoring is that Goldfeder can use the same tool to meet Section 302 requirements. "That means we'll be doing our 404 certification quarterly, because we believe that this is the way things should be. Beginning with the first quarter of 2005, we've required process owners to go in and touch Oracle Internal Controls Manager every quarter."
Goldfeder also plans to use Oracle Internal Controls Manager's document management capabilities to handle all control and process documentation. "We're looking to eventually make our Oracle Internal Controls Manager library a central repository for all of our ISO standards, so our operating divisions could possibly have all their control activities, policies, and procedures in one central repository."
Control Frameworks for Sarbanes-Oxley Compliance

COSO (Internal Control - Integrated Framework, released in 1992)
Origin: Committee of Sponsoring Organizations (COSO) of the Treadway Commission, a voluntary, private-sector organization formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private-sector initiative
Primary role: Fiduciary
Control objectives: Effectiveness, efficiency of operations, reliable financial reporting, compliance with laws and regulations
Target audience: Management at large
For more information: www.coso.org, www.theiaa.org

CobiT (Control Objectives for Information and Related Technology)
Origin: IT Governance Institute
Primary role: IT quality and security
Control objectives: Thirty-four objectives based on effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information within four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring
Target audience: Management, users, and auditors
For more information: www.itgi.org, www.theiaa.org
Molly Rose Teuke is a regular contributor to Continental, BusinessMiami, and Profit.