
The World is Flat—Compliance Goes Global

The Sarbanes-Oxley Act has been a catalyst for increased, intense focus on financial compliance, corporate governance and business best practices. It has led to renewed interest and reinforcement of existing laws. And, it has spurred the creation of new regulations stateside and around the world.

This heightened regulatory environment has fostered a pervasive business culture that is more risk-averse than ever. Companies are struggling to determine the best way to comply with the growing number of mandates at home and globally, while also minimizing risks associated with regulatory non-compliance, litigation and poor operational practices.

Financial Compliance in North America

The US Congress passed the Sarbanes-Oxley Act in 2002 as a direct response to corporate indiscretions, such as the Enron and Tyco scandals, which cost investors billions of dollars and shook the foundations of prominent financial institutions.

This landmark legislation prompted the US federal government to re-examine its own existing internal control requirements. The result is a renewed focus on the Office of Management and Budget's (OMB) Circular A-123, which defines management's responsibility for internal controls within federal agencies. In 2004, the OMB released Appendix A to this circular to clarify and align its requirements based on learnings from Sarbanes-Oxley.

To meet the requirements of A-123, management must provide assurances on internal control in its annual Performance and Accountability Report (PAR), including a separate assurance on internal control over financial reporting. It also must report on identified material weaknesses and corrective actions. Currently, agencies are putting the systems and processes in place to help ensure they receive an "all green" PAR score when the first compliance deadline arrives at the end of this year.

Similar compliance activities are taking place in Canada, where the Canadian Securities Administrators (CSA) updated Multilateral Instrument MI 52-109. It has provisions similar to Section 302 of the Sarbanes-Oxley Act. Part of this mandate requires all companies whose year-end falls after June 30, 2006, to certify they have designed internal controls over financial reporting. They also must disclose material changes affecting financial reporting.

This mandate applies to all companies listed on the Toronto Stock Exchange (TSX) or TSX Venture Exchange, regardless of size.

Compliance in the European Union and Asia Pacific

Increasing cooperation and business relationships between companies across the world have created a renewed interest in, and expectation for, formalizing existing compliance and governance programs. The hoped-for results would be an increase in external confidence in the strength of their businesses and risk mitigation between the parties in such relationships.

For example, the French Securities Law was passed on Aug. 1, 2003. It specifies that a company's annual report should include details of management's responsibility for establishing and maintaining a sufficient internal control structure, as well as procedures for financial reporting.

Additionally, the report should contain an assessment of the end-effectiveness of the internal control structure and procedures for financial reporting. All public French companies are currently required to comply with the law, with foreign companies following suit by Dec. 31, 2006.

In a comparable move, Germany revised the German Corporate Governance Code in May 2003. The aim of the Code is to make Germany's corporate governance rules transparent for both national and international investors, strengthening confidence in the management of German corporations. The rules are not legally binding, but companies that fail to comply with the recommendations must disclose publicly how their practices differ from those recommended by the Code.

Another example of Europe's increased focus on compliance is the United Kingdom's Companies Act of 2004, which placed a statutory duty on officers and employees. They must provide auditors information and explanations with respect to any accounting issue arising from an audit. The act also requires directors to state they have disclosed all relevant information to the auditors and makes a false statement a criminal offense.

In Japan, the term typically used for similar evolving legislation is JSOX. It refers to the legislative draft provisionally known as the Financial Instruments and Exchange Laws, which covers new mandates as well as amendments to the Securities and Exchange Law and other laws related to financial instruments. Under the current proposal, companies must be in compliance with JSOX requirements by their fiscal years beginning on or after April 1, 2008.

In Korea, the Korean Securities Exchange Act, the External Audit Act and the CPA Act were amended in December 2003 to incorporate legislation similar to Sarbanes-Oxley. Collectively known as KSOX, these acts took effect in April 2004.

And in China, there's evidence of an increasing awareness of the importance of corporate governance as Chinese entities seek investment from and partnerships with multinational corporations requiring evidence of sound corporate compliance and risk management practices.

The Platform Technology Approach

Complying with a broad spectrum of mandates across multiple countries can often be an overwhelming task. Increasingly, companies are turning to information technology (IT) solutions to help them establish and optimize their compliance processes. But, with the growing number of technology offerings available to address compliance, it can be challenging for companies to determine which option will best fulfill their needs.

While a customized Sarbanes-Oxley application may effectively support this particular regulation, it may do little to help organizations tackle other critical mandates—forcing them to make additional IT investments for each regulation with which they must comply. A more efficient and cost-effective alternative to this scenario is implementing a comprehensive content management platform to support all compliance initiatives, including those conducted on a global scale.

The graph on page 57 (Best Practices in Records Management and Regulatory Compliance, a supplement to KMWorld October 2006) outlines the key technology components of Stellent, Inc.'s unified compliance platform.

By managing all compliance-related documentation and content processes within a single, Web-accessible repository—and leveraging business process management technology to optimize control execution and capture evidence—companies can more easily compare and prioritize the risks and activities related to each regulatory mandate. This process provides organizations with the visibility required to carry out effective enterprise risk management. For example, an enterprise-wide view of compliance needs can help management teams appropriately allocate compliance resources by grouping risks into high, moderate and low categories (see Figure 1). With a variety of departments and geographic locations often competing for these resources, it is critical for companies to be able to easily prioritize various compliance initiatives based on risk.

A unified compliance platform also allows organizations to avoid various compliance-related costs. According to some industry analysts, public companies that adopt a comprehensive compliance management architecture will spend 50% less per year than those that don't. This cost savings is driven by the fact that organizations do not need to purchase as much software or spend as much money on integration services if they implement a unified compliance platform that offers pure-play applications for specific regulatory mandates.
