System-ready for Sarbanes-Oxley

The new Sarbanes-Oxley Act sets stringent standards forcing software companies to look at how their systems might aid client compliance. The Act, passed by Congress in 2002 in the wake of Enron’s demise and other corporate scandals, calls for a radical overhaul of how companies govern themselves, especially with regard to internal controls and financial reporting.

As a result, energy software suppliers are reviewing their systems in light of Sarbanes-Oxley’s requirements. Dale St Denis, vice-president of solutions marketing at Oklahoma-based energy trade management software vendor SolArc, says: “The Sarbanes-Oxley legislation establishes a new paradigm for corporate accountability.

Internal controls
“Energy supply and marketing operations – like the rest of a corporation – are required to define and enforce their accounting policies,” he says. “They must have documentation of internal controls and procedures. Furthermore, they are required to have a documented basis for all certifications made by the chief executive or chief financial officer.”

Matt Frye, managing director of the Houston office for New Jersey-based energy and financial trading and risk management systems supplier OpenLink, says the same applies to energy traders. “If there is one clearly defined issue with regard to Sarbanes-Oxley, it is the effectiveness of internal controls – whether you are an energy producer, consumer or trading company,” he says.

There are three main ways in which trading and risk management systems can help enforce internal controls, says Frye: through authentication of data, access control and audit trails.

Authentication of data is dealt with by the security framework of the system – this covers password control, encryption of data, authentication of sources and so on.

The system should control access by offering the ability to set user privileges and permissions, says Frye. “This could mean that only a select group has the capacity to enter or adjust a trade or change a price – in other words, to effect a record in the system,” he says.

And the system should keep an audit trail of every record and all the activity associated with it – time-stamping the record when a change is made, recording who made the change and so on.
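
The access-control and audit-trail behaviour described above can be sketched as follows. This is an added example, not code from any of the vendors quoted; the role names, actions and field names are constructed, and the hash chaining that makes later edits to the trail detectable goes beyond what the article describes.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed role-to-privilege map: only selected roles can affect a record.
PERMISSIONS = {
    "trader": {"enter_trade", "adjust_trade"},
    "risk_manager": {"adjust_trade", "change_price"},
    "analyst": set(),  # read-only
}

def _digest(entry):
    """SHA-256 over every field of an audit entry except its own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class TradeBook:
    def __init__(self):
        self.trades = {}  # trade_id -> current field values
        self.audit = []   # append-only trail, one entry per attempt

    def apply(self, user, role, action, trade_id, fields):
        """Apply a change if the role permits it; log the attempt either way."""
        allowed = action in PERMISSIONS.get(role, set())
        before = dict(self.trades.get(trade_id, {}))
        after = {**before, **fields} if allowed else before
        if allowed:
            self.trades[trade_id] = after
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),  # time-stamp
            "user": user, "role": role, "action": action,  # who did what
            "trade_id": trade_id, "before": before, "after": after,
            "allowed": allowed,
            "prev": self.audit[-1]["hash"] if self.audit else "0" * 64,
        }
        entry["hash"] = _digest(entry)
        self.audit.append(entry)
        return allowed

def verify_trail(audit):
    """Return True if no entry was edited, dropped mid-chain or reordered."""
    prev = "0" * 64
    for entry in audit:
        if entry["prev"] != prev or entry["hash"] != _digest(entry):
            return False
        prev = entry["hash"]
    return True
```

Denied attempts are logged as well as successful ones, so the trail shows who tried to change a price without the privilege to do so.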

Houston-based energy trading and risk management systems supplier SunGard Energy Systems says security, audit trail and other features relevant to Sarbanes-Oxley are already built into the infrastructure of its systems. Many of the specific issues of the Act relating to trading are covered by an optional FAS 133 module that SunGard originally developed to help firms comply with accounting regulations for hedging and the use of derivatives.

Mark Walker, senior vice-president at SunGard, says the ability of the module to determine how to report accounting on all energy contracts and to calculate the fair value of deals and of balance-sheet and income-statement values can help firms meet the Act’s requirements on enhanced financial disclosure.

Like SunGard, SolArc and OpenLink, London-based energy trading systems supplier KWI says its system has the basic architecture and much of the functionality to support Sarbanes-Oxley compliance, at least for trading and trade-processing.

Greg Keers, chief strategy officer at the company, acknowledges that KWI will have to do further software development in order to more fully support Sarbanes-Oxley’s requirements. But users can achieve much by reconfiguring their systems to reflect the changes in their organisation and procedures prompted by the Act, he says. And new users will want to ensure the system is set up so as to provide the controls and reporting required by Sarbanes-Oxley.

Keers says the biggest issue for KWI’s clients is the “auditability and documentation” of their business process and workflow. “So that has some impact on software design, but the biggest impact is on the implementation and configuration process,” he says. “Sarbanes-Oxley changes the organisation and processes of our customers and, therefore, the way we implement the software, in terms of specifying who the users are, what data they have access to and so on.”

The Act also affects how the system is integrated with the firm’s financial systems, says Keers. “There is now a larger requirement to prove the workflow process, whereby an energy trading and risk management system has to feed through into a company’s finance function,” says Keers.

But the requirements in the Act relating to the feeding of market information through to senior financial managers are still somewhat ambiguous, he says. For example, there is no clear definition of a “real-time process”, says Keers.

Lack of clarity
Wes Rehm, financial intelligence strategist at SAS, an analytics, data and risk management systems supplier based in North Carolina, echoes Keers’s view. Lack of clarity as to the implications of the Act is the greatest challenge to compliance at the moment, says Rehm.

SAS sells a risk management system tailored to the energy sector, as well as general corporate regulatory compliance applications. As a result, the firm is looking at Sarbanes-Oxley in broader terms than software suppliers who concentrate only on trading and/or risk management.

SAS’s corporate compliance application already includes many functions that will help firms meet Sarbanes-Oxley requirements, says Rehm, but there is a difficulty in that there is no single, clear definition of what a compliance platform needs to do or how it needs to be done. “This is brought about in part by the fact that the [US Securities Exchange Commission] has not finalised all the regulations mandated by Congress in the Sarbanes-Oxley Act,” he says.

What’s more, it seems firms could adopt one of several methodologies to achieve compliance. Hence, a compliance system must be adaptable to support a variety of approaches, says Rehm.

Yet KWI’s Keers says that although companies are taking a variety of approaches to compliance at the moment, a best-practice method will emerge. “In every organisation now, there are people who have to invent new business processes, create new roles and make changes in the organisation, and they have to have software tools,” says Keers. “But inevitably, over the next 12 months – as more of our customers achieve certification – some sort of definitive standard process will emerge.

“Some organisations have a senior-level person assigned to corporate governance and Sarbanes-Oxley, but others haven’t,” he adds. “When there is a definitive standard process that you can nail down, you can do software development that eases the corporate governance process.

“The cost of Sarbanes-Oxley compliance will be enormous, and if you can drop in a solution to automate parts of that process, you could achieve significant cost savings,” Keers says.

However, energy software suppliers have generally already designed their systems to minimise manual intervention in transaction processing and trade management – so-called straight-through processing (STP) – and to give clients the ability to reflect their working practices in their system’s operation. As a result, the vendors feel they will not have to undertake any major rewriting of their software nor introduce new modules to support Sarbanes-Oxley compliance in the areas their systems cover.

Keers says although KWI looked at developing a specific Sarbanes-Oxley module, it has since scrapped the idea. “[A Sarbanes-Oxley module] was interesting from a marketing point of view, but it misses the point,” he says. “Sarbanes-Oxley isn’t really a bolt-on – it runs across the entire process. You can’t encapsulate it in one component. [Sarbanes-Oxley] is about auditability and workflow and process change.”

Other suppliers take a similar view. “We already had a good FAS 133 module that comes into play [with Sarbanes-Oxley],” says SunGard’s Walker. “We are reviewing it for any gaps, but we generally feel they will be small.” SunGard clients that have not yet taken the FAS 133 module may intend to do so, but none of the software suppliers EPRM spoke to was planning to introduce new Sarbanes-Oxley modules or major upgrades to their systems.

SolArc’s St Denis says: “In a sense, we have been Sarbanes-Oxley-ready for a long time. Our customers will not require any major changes to the existing software platform to help with their compliance efforts. However, they will need to pay closer attention to the configuration and administration of security controls to best use the system.”

And SAS says it has only had to adapt its corporate compliance application rather than redevelop it for the Act. “We have not had to modify our existing technology to support Sarbanes-Oxley,” says Rehm. “Therefore, our existing customers do not need to go through upgrades or re-implementations to support their compliance needs.”

However, this does not mean software suppliers have nothing further to do regarding Sarbanes-Oxley. It is still early days for the Act, and as firms look at what they need to do in terms of compliance, new opportunities may emerge where software can aid their efforts.

KWI’s Keers says: “The challenge for software providers is to enhance and deploy our software in a way that will save our users costs. We can make a huge contribution in that area. Manual processes – where people do everything with spreadsheets and email – are just so expensive.” And manual processes tend to be more error-prone, he adds.

The Act also presents software suppliers with a potential way of boosting sales by offering automated systems. OpenLink’s Frye says: “The energy companies that should be worried are those that still operate significantly off spreadsheets, because all the characteristics of standardised and historical record-keeping and STP aren’t available in spreadsheet-based applications.

“When these companies start examining how they can make their internal control more effective to comply with Sarbanes-Oxley, they may find it impossible to do so using spreadsheets and ad hoc applications,” he says. “This may prompt them to look at the integrated STP systems offered by the energy software specialists.”

Sarbanes-Oxley is a broad-ranging Act covering internal controls, ethical codes, the make-up of audit committees, the preparation of annual reports and more. The energy software vendors make no pretence that their applications address any aspects of the Act other than those relating to the areas their systems cover. Hence, companies might need to seek more general compliance software to cover other areas of the Act.
