Manufacturer.com

Pull up your SOX!

By Barbara Axelson - August, 2005

The Sarbanes-Oxley Act has been sliced and diced by the business press, but there’s a lot to be learned and business is moving forward to embrace best practice, Barbara Axelson discovers.

The advent of the Sarbanes-Oxley Act (SOX) has generated a flurry of activity in America’s boardrooms and its IT enclaves. The worthy intent of SOX is of course to prevent future disasters in the sometimes-heady world of fast-paced wheeling and dealing that accompanies the more mundane processes of creating products and services and making them available to the rest of us.

Human resources, that data-rich environment where the processing is of people rather than product, is shifting to a new focus. As the arbiter of good practice in how a company dedicates itself to the workforce and related issues, HR is poised to back up facts about change. As business addresses the most recent SOX deadline for summer 2005, manufacturers of HR-related software offer almost endless solutions.

According to the white paper “What is the Sarbanes-Oxley Act of 2002?” from Best/Sage Software, Section 404 of SOX has the most relevance to HR/payroll functions. It requires companies to establish, maintain and evaluate adequate internal control structures related to financial transactions and financial reporting, and to report annually on their assessment of those internal controls. Companies must also identify the framework used to assess the effectiveness of the internal controls. This section pertains only to corporations registered with the SEC. Deadlines for complying were recently extended and depend on the SEC status of the corporation as follows:


Accelerated filers had until November 15, 2004 to comply with Section 404. These are generally US companies with equity market capitalization over $75 million that file at least one annual report with the SEC, a group that includes a large portion of Fortune 500 companies. Non-accelerated filers were required to comply for their first fiscal years ending on or after July 15, 2005.

Tom Tillman, director of product marketing for Sage Abra HRMS products at Sage Software (formerly Best Software), says: “About 10 percent of our customers are public companies. We target the mid-market (companies with 100 to 5,000 employees) and an estimated 20 to 25 percent of this market in the U.S. is public companies.

“People try to understand the SOX Act itself, which clearly states that publicly-traded companies must comply. There is confusion as to exactly where it applies. Private companies who do business with public companies may, at some point in the future, be impacted as auditors look at trading partners. Any company that wants to go public will have to show compliance.”

Tillman adds that the auditing function is key. More than 18,000 businesses and organizations have purchased Sage Abra Human Resources Management System, part of the Specialized Business Solutions business unit in St. Petersburg, FL. Version 8, with support for multiple databases, debuting this September, already had existed as a “best practices” solution and fits well with SOX requirements.

The system was designed to capture, track and report employee data and transactions, including salaries, bonuses, withholding, voluntary deductions, benefit plans, employer contributions to benefits and to track areas of risk, particularly under OSHA, which oversees workplace safety in manufacturing.

SOX requires separation of duties in certain areas. Sage Abra provides primary data reports to define job responsibilities and build organizational charts.

According to Tillman, many small vendors provide HR software, but the market is not saturated. “Perhaps a third of our customers are enabling formal HRMS systems for the first time. They see it as a driver to automate business.”

Manufacturing and distribution, around 30 percent of the company’s customer base, has specific needs related to the workforce—salaried, hourly and seasonal employees, plus contractors, not just 40-hour work weeks. Tillman explained that some other systems don’t have as much to offer toward SOX compliance in full features, especially audit trails. His company offers 11 modules, each with audit trail capabilities, so a customer can buy just what is necessary.

Another leader in related software, CyberShift, a nine-year-old private company based in Parsippany, NJ, doesn’t compete with payroll software providers. “We provide products that automate and control business processes that affect payroll,” says CEO Robert Farina. “We see what SOX has done to the market with public companies that are clearly within its sights and private companies that may have thought they’d dodged a bullet, but companies of any size who will raise capital or sell the business need to take a look at this too. Even if you’re a private company, you need to look at procedures to meet the public standard. You could characterize it as ‘raising the bar.’

“From a systems perspective, any transactions that affect financial statements must be scrutinized—time records, leaves, vacations, time off and overtime affect payroll and benefits plus Social Security and Medicare. All ancillary processes affect finance.”

Farina maintains that companies worry about auditing the payroll process. How, for instance, does time get approved? On the time and attendance side, many companies collect time data from the factory floor via raw time input. Who approves it? Who approves variations to company policy? Do supervisors apply rules consistently and correctly? If someone disputes time, is there an audit trail? Does the company adhere to union contracts?

Now there is a time clock in real time and a web browser to track this. There are no variations in rules. Changing a time record requires a time stamp and audit. Notification processes, workflow and consistent application of pay and work rules are automated and proactively alert people.

“What’s new in the last couple of years,” he adds, “is not just auditing, but proactive management of processes and extension of security controls and audit trails. SOX also affects upgrades; there needs to be accountability of movement in the development and test environments.”

CyberShift has passed the SAS70 Type 2 audit, which validates service functions of an outsource software provider and its data center and security controls. Companies who choose to outsource to a third party are not relieved of accountability and must assure their partner’s accountability. It takes up to six to nine months to pass the audit, which, in the last couple of years, has been driven by SOX.

Farina suggests that for a company with 10,000 people and 10 percent turnover, new employees should be able to use a system without formal training—“a huge cost if you don’t have an intuitive system such as ours, one that promotes ease of use.

“We’ve been surprised and gratified by our success as we address complex business problems with our workforce management software. It takes time and money and significant domain expertise to address concerns connected with workforce management and SOX.”

Among mega-entities providing software to Human Resources is Oracle. According to director of product marketing Glen Tillman (no relation to Tom Tillman of Sage Software), “HR systems play a key role in compliance. Section 404 requires the CEO and CFO and any outside auditors attest that the corporation has internal controls for financial reporting. Section 409 requires that companies report material changes in their financial condition as real-time disclosures.

“Oracle’s complete suite of Financial, HR, Procurement and Business Intelligence software applications gives customers a strategy for compliance and a way to provide timely information across the organization. Oracle employees are required to have annual training on business ethics, sexual harassment and codes of conduct. Approved executives can look at the Daily Business Intelligence Portal, which they can personalize for themselves, and see all training records. Compliance training is a hot button with auditors.”

Tillman notes that SOX filings differ by industry. Many public companies have to adhere to the same SOX regulations; depending on their industry, they might already have tough regulatory and legislative rules; e.g., HIPAA in healthcare.

Additionally, the i-Learning product, available hosted or installed by Oracle, is an enterprise Learning Management System for corporate-wide learning, delivering personalized education on the web. Learners interact with content, instructors and peers at their own pace.

He describes the strategy puzzle comprising visibility (access across company) and control (secure central data repository), documented by Oracle Tutor where pre-built best practices, policies and procedures are available for different industries. Tutor integrates into Oracle Internal Controls Manager built to address SOX compliance and connects to the libraries of major audit firms. Efficiency, another piece of the puzzle, involves cost perspective and time. Companies need to mitigate risk, but at what cost? Oracle characterizes it as “consolidating and reconciling data quickly while minimizing administrative overhead.”

“SOX is not a revolution. It’s an evolution,” declares Oracle customer Barry Goldfeder, senior director of business controls, systems and processes for Loral Space & Communications in Palo Alto, CA, one of the world’s largest designers and manufacturers of satellites and satellite systems.

Goldfeder explains that Loral previously employed Excel spreadsheets, which was “tedious and it was a monumental task to tie everything together. SOX was the driver for new software and we looked at different possibilities. We already had Oracle financials in place at two of our business units.

“The [HR software] industry was immature,” says Goldfeder. “Oracle had one of the better software packages. Now it keeps us all connected. The good news is that people have taken ownership of their control activities. SOX has touched each individual in our organization. We have this program in place in every one of our business units; each has its own set of control options. The key is to have a central repository of data.”

About CyberShift

CyberShift, Inc. (www.cybershift.com) is a leading provider of workforce management software and services focused on helping large, complex organizations optimize and manage the deployment of their people. CyberShift's rules-based platform delivers a fully integrated solution for the management of all aspects of time and attendance, scheduling, self-service functions and workforce reporting and analytics. The enterprise-class workforce management suite reduces costs and improves processes for a variety of industries, including media and entertainment, retail, manufacturing, transportation, financial services, healthcare and the public sector. CyberShift is the workforce management solution provider of choice for more than 100 major organizations throughout the United States and Canada.
