For publicly traded enterprises like Telus Communications Inc., the impact of regulatory compliance legislation such as the U.S. Sarbanes-Oxley Act (SOX) has meant fine-tuning the existing culture of compliance.
The Vancouver-based telecommunications firm recently announced that it is using ACL Services Ltd.’s continuous controls monitoring (CCM) software within two business processes: its overall purchase-to-payment cycle and its purchasing card program. According to Telus, the technology enables the firm to automate internal controls testing, enhance corporate oversight and support SOX regulatory compliance.
Particularly affected by SOX are Canadian companies with a subsidiary traded on the U.S. market, or those with a U.S. parent company. Because SOX in effect forces them to document their internal controls, Canadian companies have had to structure the compliance effort so that its costs do not outweigh the benefits.
In Telus’s case, the firm previously had a third party conduct the audit reviews of the accounts payable division but decided that it would be more cost-effective to use the CCM technology. It will help Telus monitor and document the internal controls in-house, said Gary Silsbe, director of operations excellence at Telus.
“We didn’t have a real robust process for reviewing the corporate credit card transactions, which we do now with the (ACL) product,” Silsbe said. This helps Telus monitor and recover any overpayments and duplicate transactions, he added. Industry observers note that, in general, SOX has been a major driver of IT investment, and enterprises worry that compliance issues threaten to distract from the business of running the business.
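The two tests Silsbe describes, catching duplicate payments in the purchase-to-payment cycle and policing purchasing-card activity, are the kind of rule that a continuous controls monitoring tool runs on every batch. The following is an added illustration in Python, not ACL’s product or Telus’s scripts: the record layouts, the 90-day duplicate window, the $2,500 per-transaction card limit and the sample rows are all assumptions. It shows why normalization matters (a vendor keyed as “Acme Supply Ltd.” and “ACME SUPPLY LIMITED”, or an invoice entered as “INV-00123” and “inv123”, is the same payment twice) and adds the classic split-purchase test, where several swipes each stay under the card limit but together exceed it.

```python
"""Continuous-controls-monitoring style tests over accounts-payable and
purchasing-card records.  Added example; layouts, thresholds and sample
rows are assumed, not taken from Telus or ACL."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from itertools import combinations
import re


@dataclass(frozen=True)
class Payment:
    ref: str        # payment or cheque reference
    vendor: str     # vendor name as keyed by the AP clerk
    invoice: str    # invoice number as keyed
    cents: int      # amount in cents; integers avoid float rounding noise
    paid_on: date


@dataclass(frozen=True)
class CardTxn:
    card: str       # masked purchasing-card identifier
    merchant: str
    cents: int
    posted: date


_LEGAL_SUFFIXES = {"INC", "LTD", "LLC", "CORP", "CO", "LIMITED", "INCORPORATED"}


def normalize_vendor(name: str) -> str:
    """Upper-case, drop punctuation and legal suffixes so that
    'Acme Supply Ltd.' and 'ACME SUPPLY LIMITED' share one key."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", name.upper()).split()
    return " ".join(t for t in tokens if t not in _LEGAL_SUFFIXES)


def normalize_invoice(inv: str) -> str:
    """Strip separators and leading zeros of each number run so that
    'INV-00123' and 'inv123' compare equal while '100' stays '100'."""
    compact = re.sub(r"[^A-Z0-9]", "", inv.upper())
    return re.sub(r"(?<!\d)0+(?=\d)", "", compact)


def find_duplicate_payments(payments, window_days=90):
    """Exact-duplicate test: same normalized vendor, invoice and amount,
    paid within window_days of each other.  Returns sorted (ref_a, ref_b)
    pairs, earlier payment first."""
    groups = defaultdict(list)
    for p in payments:
        key = (normalize_vendor(p.vendor), normalize_invoice(p.invoice), p.cents)
        groups[key].append(p)
    hits = []
    for grp in groups.values():
        for a, b in combinations(sorted(grp, key=lambda p: p.paid_on), 2):
            if (b.paid_on - a.paid_on).days <= window_days:
                hits.append((a.ref, b.ref))
    return sorted(hits)


def find_split_transactions(txns, single_limit_cents):
    """Split-purchase test: one card, one merchant, one day, every swipe
    at or under the per-transaction limit but the day's total above it.
    Returns sorted (card, merchant, day, total_cents)."""
    by_key = defaultdict(list)
    for t in txns:
        by_key[(t.card, normalize_vendor(t.merchant), t.posted)].append(t.cents)
    flagged = []
    for (card, merchant, day), amts in by_key.items():
        if len(amts) > 1 and max(amts) <= single_limit_cents and sum(amts) > single_limit_cents:
            flagged.append((card, merchant, day.isoformat(), sum(amts)))
    return sorted(flagged)


# Constructed sample rows (not real Telus data).
SAMPLE_PAYMENTS = [
    Payment("P1", "Acme Supply Ltd.", "INV-00123", 125_000, date(2005, 3, 1)),
    Payment("P2", "ACME SUPPLY LIMITED", "inv123", 125_000, date(2005, 3, 15)),  # duplicate of P1
    Payment("P3", "Acme Supply Ltd.", "INV-00124", 125_000, date(2005, 3, 16)),  # different invoice
    Payment("P4", "Northern Telecom Corp", "NT-77", 50_000, date(2005, 1, 10)),
    Payment("P5", "Northern Telecom Corp", "NT-77", 50_000, date(2005, 6, 10)),  # 151 days apart
]

SAMPLE_CARD = [
    CardTxn("4111-1001", "Office Depot", 200_000, date(2005, 4, 5)),
    CardTxn("4111-1001", "OFFICE DEPOT INC", 150_000, date(2005, 4, 5)),  # same day: $3,500 total
    CardTxn("4111-1001", "Office Depot", 300_000, date(2005, 4, 6)),      # single over-limit, not a split
    CardTxn("4111-1002", "Staples", 100_000, date(2005, 4, 5)),
    CardTxn("4111-1002", "Staples", 50_000, date(2005, 4, 5)),            # total under limit
]

CARD_SINGLE_LIMIT_CENTS = 250_000  # assumed $2,500 per-transaction limit

if __name__ == "__main__":
    print("duplicate payments:", find_duplicate_payments(SAMPLE_PAYMENTS))
    print("split purchases:", find_split_transactions(SAMPLE_CARD, CARD_SINGLE_LIMIT_CENTS))
```

In practice the duplicate test runs over the full AP ledger on each cycle and the window is tuned to the vendor’s terms; a fuzzy second pass (same vendor and amount, different invoice number) catches re-keyed invoices at the cost of more analyst review. The over-limit single swipe on 2005-04-06 is deliberately left to a separate limit test, so that each exception carries one clear control reason.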
“I think people do get confused on what compliance means,” said Nigel King, senior director of development, investment appraisal and audit products for Oracle Corp. Being compliant isn’t a judgment for a software vendor but really about the act itself, King added.
“It doesn’t mean that you have absolutely effective and total controls… It means that you have to be able to stand behind the assessment that you’ve done and to speak with authority on the degree of effectiveness of those internal controls,” King said.
Two years ago, no one really knew what the controls were, King said, adding that it’s really about making compliance demonstrable on a consistent and repeatable basis. “It’s taken time to digest what the lower-level activities should be and how to aggregate them and present them back to management at the high level.”
In both Canada and the U.S., compliance efforts have centred on adopting two frameworks together: the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, which is recognized as the internal-controls standard for supporting Sarbanes-Oxley Section 404 compliance, and Control Objectives for Information and related Technology (COBIT), the IT governance and control framework published by the IT Governance Institute, which supplies the IT-level control objectives beneath COSO’s business-level ones.
Most organizations have designed their efforts around this COSO/COBIT framework, said John Ingold, Canadian leader, risk management, IBM Business Consulting Services for Markham, Ont.-based IBM Canada Ltd. It applies across industries, and it lets enterprises understand the overall compliance objective in terms of risks and the controls that mitigate those risks, Ingold said.
On the whole, regulations such as SOX have set new expectations when it comes to compliance, according to Bruce Moulton, vice-president, Symantec Corp. Moulton was in Toronto last month at IDC Canada Ltd.’s Security Counsel 2005 event. In terms of information security, Moulton said that enterprises now have to ensure transparency and compliance while still delivering strong financial results. But many organizations have made sound investments in compliance in the past, and now it’s just a matter of applying those tools, Moulton said.
The good news is that auditors and examiners recognize that compliance isn’t easy, he added. “(Enterprises) can do a little research, find out what the best practice is, implement the best practice and as long as you can demonstrate that you’ve done it…it will most likely get you past the concerns of an audit,” Moulton said.