Winning the business compliance game


The business world is feeling the impact of the introduction of multiple corporate governance regulations, originating in the US and elsewhere. Dom Pancucci looks at some of the implications for our IT

Manufacturers will need to comply with a raft of new corporate governance regulations both now and into the future. We are entering an era of tighter scrutiny when it comes to accounting and auditing, following well-publicised corporate failures – with Enron and WorldCom among the more notorious examples. False accounting led to the Sarbanes-Oxley (SOX) Act in the US, requiring all publicly quoted enterprises to adhere to a code of conduct and practice, ensuring that all financial activities remain transparent and auditable. Thus SOX involves beefing up auditing, quality control, ethics and independence factors, along with formal reporting. In addition, all companies trading with a public enterprise will also have to adopt the same strict accounting processes at some point in the future. This is already the case for US subsidiaries operating overseas and their contacts with local partners. And the next version of the Companies Act in the UK is widely anticipated to take a SOX line on governance. It is a truism that most business regulation originating in America has an impact on the global community before very long.

Less publicised regulations are also emerging. One is the IFRS, or International Financial Reporting Standard, with which UK companies must comply this year. There will be severe penalties for failing to report IFRS-compliant accounts, and this code goes a lot further than earlier GAAP regulations, which simply set out accounting principles within a particular jurisdiction. Looking more broadly, there are others: for instance, the Food Standards Agency is toughening up the required reporting process for problems with food and beverage products. The list goes on. There is no choice here: IT can and must enable the highest level of business governance, and there are going to be additional costs.
The good news is that, in technology terms, some of the compliance journey is about no more complex a discipline than IT best practice – recently reinvented as IT governance and bringing together all the various strands of essential IT management. IT governance, for example, aims to ensure that infrastructure is in the best shape possible. The smart enterprise will embrace business continuity and put risk management at the core of its strategy supported by IT: it helps to reduce dependence on a disaster recovery plan – although that too still has to be in place. But there are additional requirements: IT infrastructure has to be reviewed constantly to meet governance requirements. Key criteria include robustness, availability and security, along now with high-performance reporting capability. Depending on the sensitivity of the data, it may also be necessary to closely monitor access to files and databases, and to have alert mechanisms installed.

Archives and recovery

Another key requirement in any governance regime is to provide for a permanent record of important documentation. Inevitably, that means acquiring information and document management solutions, if they are not already in place. And the ultimate permanent record remains good old microfiche, with imprints now needing to be held at mirrored sites and stored in fireproof, dry environments. For some, the whole business has already proved very expensive. BP spent around $125 million on SOX, while Microsoft shelled out around $100 million to achieve the same compliance level. Nobody says compliance is going to be easy, but the fact is complying with corporate regulation is always ultimately a necessary evil. Limiting that evil and turning it as much as possible to an engine for business improvement is the key.
Rob Graham, product manager at Datawatch Europe, which supplies software that can extract data from a range of sources – including archived documents – to display them on-screen, reckons that at the base level, this type of functionality will be essential. And indeed, reporting systems are among the best enablers to help manufacturers achieve relatively safe and easy compliance, not least because for any company trading with a SOX-compliant enterprise, it helps meet the rather confused catch-all Directive of Clause 404 in SOX. Companies affected by the legislation have to notify the regulatory authorities if the accounting function is adversely impacted by a lack of proper reporting. As Graham puts it, it's the equivalent of going to IT management and saying 'Does this system work?' That said, the single most crucial compliance issue is to find an efficient way of managing and sustaining compliance over the longer term. "Most organisations caught by the legislation have completed all the groundwork – documenting their financial reporting structure and processes and the control fence around them," says Graham. "But it is a very time intensive struggle to maintain compliance." The next challenge is to identify and adopt a sustainable solution that distributes responsibility for monitoring of controls to appropriate managers. This minimises the time and effort required to perform maintenance activities. Data and report mining, including automated versions of such software, can and will play a vital role in making it stick. Such software allows governance processes to fit into a business-as-usual environment. And the add-on benefit is that managers get the accountability they need for systematic review and sign-off through defined workflows. But there is one other issue for manufacturers in particular: the complexity that arises where companies operate over multiple sites – and that includes supply chains. 
If your business needs to comply with SOX-style regulations, all partners involved have to be operating to the same governance standards. Why? Manufacturers need to understand what activity is taking place in the supply chain so that any impact on corporate performance is mitigated. Mark Mills, business development director at financial performance management software company Information Edge, gives examples like workers striking, or the impact of a natural calamity. Things happen, and this is about ensuring good governance in the eyes of stakeholders and customers. "We provide a complete picture of the enterprise over time, which is a crucial factor in achieving compliance – and not just over a two-day period," says Mills. "It is essential to cover all past and present decisions." While manufacturers have not been particularly implicated in compliance-busting activities, the possibility of some form of irregular or criminal activity taking place is not restricted to the financial services industry, or an IT vendor with an excessively flat financial reporting structure. Compliance is in many ways a drag, but its discipline, once mastered, will make the business better managed.