Compliance with laws such as the Sarbanes-Oxley Act of 2002 and the Health Information Portability and Accountability Act HIPAA) entails both process and content. Information must be seen and validated by specific individuals, and controls must be set up, which implies a workflow, whether automated or manual. Those procedures must also be documented, which requires some form of content management, and the records must be maintained. Organizations subject to such laws and regulations can launch their compliance initiatives either from a process-centric approach or a content-centric approach, but eventually have to blend the two.
Pearson is a U.K.-based international media company with businesses in education, business information and consumer publishing. In addition to its listing on the London Stock Exchange, Pearson is registered on the New York Stock Exchange. As a foreign private issuer, Pearson must file Form 20-F with the Securities and Exchange Commission. Form 20-F is similar to Form 10-K, which must be filed annually by U.S. publicly held corporations. Also as an FPI, Pearson must be compliant with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX 404) for the first time in December 2006. In order to be compliant, Pearson must document and test its controls over financial reporting, and management must attest to the effectiveness of the controls.
Pearson has been working on its SOX 404 project since 2003, initially using a basic documentation tool to meet its compliance requirements. Going forward, the company recognized that it needed a more sustainable approach
"We realized that viewing Sarbanes-Oxley as a one-time audit exercise would not accomplish what the law intended," says Michael Fortini, director of compliance at Pearson. "We wanted to make our controls an embedded part of everyone's day-to-day jobs, baking it in so that everyone sees it as an integral part of their work ... It gives our employees ‘muscle memory' so they do not have to rethink their actions every time they carry out a compliance-related action."
As a way to support that approach, Pearson sought a software solution that would provide visibility into what was taking place throughout the company. "The system had to do the reporting and manage it for us," Fortini says, "without our needing armies of people capturing the information." As a result, Pearson sought a system that would have workflow as a core element. When they saw a demonstration using a business process management solution from Appian (appian.com), it seemed like a good match.
Pearson is in the process of implementing Appian's Compliance Process Management Suite for Sarbanes-Oxley, and so far, has found the solution to be clear and intuitive for its employees to use.
"Everything we do will be captured as we do it, and can be seen by management," Fortini says.
Not all of the elements of the Appian Suite for Sarbanes-Oxley have been implemented, so the company is still using some spreadsheets for reporting. Over the next year, the system will be fully deployed. Pearson plans to port data from its legacy records management (RM) system into the Appian solution.
"We will need to do some work on this semi-structured data to make it a more concise documentation of our key controls," says Fortini. "We want to create something that is easily maintained." One selling point of Appian's solution is that all of the required components—BPM, test results reporting and RM—are contained in one suite, eliminating integration issues.
Companies tend to go through three phases of compliance, according to Malcolm Ross, director of the solutions consulting group at Appian. The first phase typically involves approaching compliance as a one-time project. The goal of the project is to achieve compliance for the first time but not necessarily establish long-lasting policies, procedures and software infrastructure to maintain that compliance year after year. In the second stage, corporations begin to introduce enterprise compliance software packages to provide a central repository of compliance data, better reporting into the level of compliance achieved and regular auditor testing procedures to enforce regular compliance.
Finally, in the third phase, corporations can move into a self-complying enterprise through effective deployment of BPM and BI tools, lowering the amount of work required to maintain compliance.
"The ultimate goal is to automate the enforcement of rules," says Ross, "so that if someone tries to bypass a rule, the compliance manager is notified in real time instead of discovering the violation in the next audit cycle several weeks or months after it occurred."
In addition, being able to correlate events with business and compliance data is of great value. "Process automation alone for compliance is not a differentiator," explains Ross, "but being able to correlate compliance data--such as control objectives, risks and key controls--with process metric data gives managers a powerful insight into the effectiveness of business processes."