
Before signing the 2002 Sarbanes-Oxley Act (SOX) into law, President George W. Bush concluded his introductory speech about the bill, saying: "The American economy depends on fairness and honesty. The vast majority of businesses uphold those values. With this law, we have new tools to enforce those values, and we will use those tools aggressively to defend our free enterprise system against corruption and crime." Minutes later, sweeping reforms to America's long-standing corporate financial practices became law and compliance deadlines soon followed.

Enacted in the wake of corporate accounting scandals that rocked the U.S. and undermined investor confidence, SOX threatens corporate officers with hefty fines and prison time, should financial statements be found inaccurate, fraudulent, or misleading. SOX-related troubles may eventually disappear just as the Year 2000 panic did, but for now, SOX continues to cause the IT world confusion and chaos of Y2K proportions.

SOX has added incredible pressure to already stressed IT departments. The legislation's requirement to quickly implement enhanced reporting and security features is proving a formidable challenge. Adding to the pain of looming implementation deadlines is the cost. According to Gartner, regulatory compliance spending is growing at a rate twice that of IT spending. Often, IT spending budgets are entirely consumed by regulatory compliance (Gartner's Top Predictions for 2006 and Beyond, Jorge Lopez and French Caldwell, November 2005).

Many organizations consider this to be wasted money. What they fail to realize is that the forced investment for compliance can actually benefit their bottom line. Organizations often make IT investments for purely reactive reasons, allocating budget only when a pain point becomes critical. While these ad hoc expenditures may result in a functional IT shop, the lack of a comprehensive vision leads ultimately to information silos and limited adaptability.
Instead of viewing SOX compliance as a purely reactionary expense, visionary executives are leveraging SOX as an opportunity to streamline operations. Most first-round SOX audits have been completed. Organizations have shown their financial processes are theoretically compliant with the law, conform to accepted standards of disclosure, and employ approved accounting practices. However, second-round audits will require businesses to demonstrate that their approved theory has become a SOX-compliant practice that can pass an audit. The silver bullet to help organizations demonstrate functional IT compliance while fundamentally improving the way they do business is the implementation of business application process automation tools.

The State of Compliance

The U.S. Securities and Exchange Commission (SEC) financial burden estimate for companies trying to achieve compliance is $91,000. This conservative figure excludes the substantial cost associated with the auditor's attestation report and doesn't attempt to estimate indirect costs of achieving full SOX compliance. According to the SEC, indirect costs could be defined as monies lost as non-U.S. firms seek investment capital elsewhere or the increased cost of being a SOX-compliant public company in the U.S.

Preying on fear and the fresh infusion of cash to IT departments, snake-oil salesmen have flooded the market to capitalize on this opportunity. A Web search will expose dozens of software vendors and consulting firms with claims to possess the one-size-fits-all, out-of-the-box answer for any company's compliance needs. For most organizations, achieving compliance requires more than a bolt-on technology solution. Smart compliance demands a thorough examination of corporate processes on both the IT and business sides of the organization.

What many will find during this examination is that their business processes rely heavily on routine human intervention and manual labor to execute. Manual labor introduces the compliance issues of system access security and malfeasance and the business inefficiencies of human error and process latency. Gartner believes organizations can reduce the costs of compliance by automating manual process controls, and implementing solutions that reduce the amount of internal and consulting labor required to document and maintain internal controls (Gartner's Top Predictions for 2006 and Beyond, Jorge Lopez and French Caldwell, November 2005).

The new federal requirements underscore the fact that business processes and the IT structures that support them are often interconnected, if not inseparable. According to Milind Govekar, Gartner Research vice president, organizations should look at the entire business process from an end-to-end perspective and work to minimize the number of manual hand-offs that occur.

"IT architects have to start looking at batch processes, which form the bulk of the integration requirements, to ensure that those business processes are auditable, are secure, and can provide integrity from a data and access perspective," says Govekar.

Section 404 is proving to be the most challenging portion of the SOX legislation. Pertaining to internal controls, Section 404 requires organizations to establish and maintain adequate structures and procedures for financial reporting and to employ external consultants to verify and attest to these controls. The vagueness of the language in Section 404 doesn't change the fact that responsibility for execution falls largely onto the shoulders of IT. Demands from corporate executives are clear: facilitate the bulletproof execution and reporting of business processes.

The Impact of Automation

Workflow software is well-known and widely employed by businesses to standardize and codify business processes. Similarly, tools such as job schedulers are widely used by IT departments to schedule routine processes. But compliance-driven initiatives call for solutions that bridge the gap between business workflow design and IT architecture, offering dynamically driven, near-real-time batch automation that drives business processes and monitors application processing enterprise-wide. Solutions never previously considered offer organizations an opportunity to improve core business application processing, taking significant strides toward compliance and preparing the application infrastructure for emerging trends.

Many executives have overlooked the fact that sophisticated application automation tools offer significant benefits to both the IT and business sides of an organization. Modern process automation and batch management tools allow complex, enterprise-wide business processes to be designed with drag-and-drop ease. Parameters can be retrieved from production databases at run-time, ensuring that processes execute with timely, accurate data.
Statements that perform error checking or before, during and/or after conditions can be introduced to create branching process flows that automatically deliver job output from one application to the next, with zero latency and zero human intervention.

Additionally, modern process automation tools ensure that errant data won't be introduced by users manually entering parameters and triggering processes. Instead, business processes can move straight through the enterprise. Corporate transparency is improved because the entire event is monitored and the results of each step are logged in a central repository. If a job should fail, intelligent software can halt the process and page an administrator for assistance, or invoke an automated recovery procedure. This functionality minimizes costly rollbacks and prevents bad data from corrupting a business process.

While such automation tools may not be part of the typical front-office, they allow business people to architect hands-free IT processes using complex logic without relying on IT. These tools can provide seamless integration over multiple applications and across disparate platforms, better aligning the IT department with an organization's business practices. Process automation eliminates the opportunity for malfeasance, leading to accurate reporting and rock-solid data integrity.

Using application process automation software to design an object-oriented batch environment provides compliant segregation of duties while slashing development times. It also can drastically reduce script maintenance and eliminate much of IT's current manual labor. By defining pieces of a business process at the object level, an organization removes the security risk of hard-coded database logins in integration and scheduling scripts. Security roles are easily assigned, allowing only authorized staff to access logins and other sensitive data before it becomes an encrypted object. However, once an object is defined, any member of the IT staff can use it to assemble complex process flows without ever seeing the sensitive contents. In the same way, financial processes can be restricted to authorized personnel, who can request the job but be restricted from viewing the output.
This methodology is a quantum leap when compared to the brittle, custom-scripted solutions widely used today. Finally, because application process automation software provides an enterprise with a single point of control for all batch processing, detailed reports can be generated that demonstrate exactly what processes were run, by whom and when, along with the job's outcome. This singular view lets IT staff easily satisfy audit requests with comprehensive reports and gives corporate directors assurance that the processes they own can demonstrate transparency, integrity and accuracy.

Identifying the ROI

Many companies are struggling to find the ROI for SOX compliance initiatives. While the expense of compliance cannot be avoided and will undoubtedly affect an organization's bottom line, complying with SOX ensures that firms stay in business and that corporate officers stay out of jail. Executives who are considering only the immediate burden of the forced change are failing to recognize that SOX can actually help improve the way they do business.

In the past, it was enough for corporate business analysts to create a procedure, then throw the application and workflow design over the wall for IT to handle. In today's environment, ensuring that compliance-based business rules are reliably executed and accurately recorded in the IT processing landscape has become a matter of vital importance. Second-round audits will require substantial documentation of business processes. By automating and integrating batch processing enterprise-wide, an organization adds transparency to corporate practices and helps ensure that its next audit successfully demonstrates compliance theory as process execution.

The regulation-initiated examination of current IT practice allows organizations to expose, identify and eliminate inefficiencies that had previously gone unnoticed. SOX puts new emphasis on how an organization handles its business application processing.
To a visionary, SOX provides an opportunity to achieve greater alignment of business and IT by building a flexible foundation that efficiently drives business processes while preparing the infrastructure for emerging trends such as the service-oriented enterprise model. The bottom line is that next-generation application process automation tools can help deal with this government-mandated, regulatory headache while delivering overall business acceleration, and that benefits your bottom line.
