Automating regulatory compliance can save money and jail time

Here's an uncomfortable scenario: You're the company chief financial officer, responsible for keeping organizational spending in check, among other things. Now, sitting in front of the chief executive, you have to explain why spending in the finance department - your own backyard - has increased over 800 percent with absolutely no related increase in revenue or productivity, or any other performance metric.

Of course, you have a perfectly reasonable explanation: compliance reporting.

You have to answer to the auditors, and that means paying a bunch of people to perform the tasks needed to address questions about control metrics, material weaknesses and deficiencies in your financial reports. But still, costs that increase by a factor of eight while benefits increase by a factor of zero? That's a little embarrassing.

On top of any personal embarrassment, there's a far more sobering legal issue. As the CFO, you've got to assure the CEO that the figures in those financial reports are, in fact, accurate and supportable and auditable.

And then both you and the CEO must personally certify those reports. Under Sarbanes-Oxley that puts your names on the line for every figure in them, mistakes included, and knowingly certifying a false report carries criminal penalties.

I've personally witnessed finance department spending and staffing swell from $300,000 annually with a team of three people to $2.5 million with 12 internal people and six outside consultants. Most of that extra $2.2 million was for manual reporting to prove to auditors that we were complying with Sarbanes-Oxley Act mandates.

The argument for automating compliance reporting has largely focused on driving down the costs of compliance. Using automated governance, risk and compliance (GRC) control systems to perform the time-consuming regulatory compliance tasks previously done by hand can dramatically reduce those multi-million-dollar outlays. That's a welcome boost to the company's bottom line, as well as to the CFO's pride.

Overlooked, however, has been the boost that automated compliance reporting can give to what I'll call "prosecutorial immunity."

Automated GRC control systems continuously monitor the source data and key business controls of a financial application. That gives a company persuasive evidence of what did, or more important, did not happen to the source data or controls during the monitoring period.

That capability eliminates the costly manual testing and review of unchanged data and controls that inflate compliance costs. And it delivers the accuracy that is paramount when you sign a document under penalty of criminal prosecution.
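To make the monitoring claim concrete, here is an added example (not Lumigent's product and not code from the original article) of the simplest form such evidence can take: a hash-chained log of period-end snapshots of the monitored records. Each entry commits to a digest of every record and to the previous entry, so an unchanged period produces an empty change report (the "nothing happened, nothing to re-test" evidence) and a rewritten entry breaks the chain. The ledger records, account ids and period names are constructed for illustration and are assumptions, not real data.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample data (not from any real ledger): period-end snapshots of
# a general-ledger table, keyed by a hypothetical account id.
SNAPSHOT_Q1 = {
    "GL-1001": {"account": "Revenue", "balance": "120000.00"},
    "GL-2001": {"account": "Payables", "balance": "-45000.00"},
}
SNAPSHOT_Q2 = dict(SNAPSHOT_Q1)  # nothing changed in Q2
SNAPSHOT_Q3 = {**SNAPSHOT_Q1, "GL-2001": {"account": "Payables", "balance": "-40000.00"}}

GENESIS = "0" * 64  # link value of the first entry


def canonical_hash(obj) -> str:
    """SHA-256 over a canonical JSON encoding, so equal data always hashes equal."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Entry:
    seq: int
    period: str
    prev_hash: str                 # entry_hash of the previous entry (chain link)
    record_hashes: Dict[str, str]  # one digest per monitored record
    entry_hash: str                # digest over all of the fields above


def _entry_body(seq: int, period: str, prev_hash: str, record_hashes: Dict[str, str]) -> dict:
    return {"seq": seq, "period": period, "prev": prev_hash, "records": record_hashes}


class MonitorLog:
    """Hash-chained log of snapshots: every entry commits to its predecessor."""

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def record(self, period: str, snapshot: Dict[str, dict]) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        seq = len(self.entries)
        record_hashes = {key: canonical_hash(rec) for key, rec in snapshot.items()}
        entry = Entry(seq, period, prev, record_hashes,
                      canonical_hash(_entry_body(seq, period, prev, record_hashes)))
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True only if every entry's digest matches and links to its predecessor."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            expected = canonical_hash(_entry_body(e.seq, e.period, e.prev_hash, e.record_hashes))
            if e.seq != i or e.prev_hash != prev or e.entry_hash != expected:
                return False
            prev = e.entry_hash
        return True

    def changes_between(self, start: int, end: int) -> Dict[str, str]:
        """Per-record status between two entries; an empty dict is the 'unchanged' evidence."""
        a, b = self.entries[start].record_hashes, self.entries[end].record_hashes
        changes: Dict[str, str] = {}
        for key in sorted(set(a) | set(b)):
            if key not in a:
                changes[key] = "added"
            elif key not in b:
                changes[key] = "removed"
            elif a[key] != b[key]:
                changes[key] = "modified"
        return changes


def run_demo():
    log = MonitorLog()
    for period, snap in (("2009-Q1", SNAPSHOT_Q1), ("2009-Q2", SNAPSHOT_Q2), ("2009-Q3", SNAPSHOT_Q3)):
        log.record(period, snap)
    chain_ok = log.verify_chain()
    q1_q2 = log.changes_between(0, 1)  # {}: nothing to re-test for Q2
    q2_q3 = log.changes_between(1, 2)  # {"GL-2001": "modified"}: only this record needs review

    # An insider rewrites the stored Q2 entry to hide a balance; the digest no longer matches.
    e = log.entries[1]
    forged = dict(e.record_hashes, **{"GL-2001": canonical_hash({"account": "Payables", "balance": "0.00"})})
    log.entries[1] = Entry(e.seq, e.period, e.prev_hash, forged, e.entry_hash)
    tampered_ok = log.verify_chain()  # False
    return chain_ok, q1_q2, q2_q3, tampered_ok


if __name__ == "__main__":
    print(run_demo())
```

The caveat a practitioner will want: the log only proves things about data it actually saw, and it is only as trustworthy as the party holding it. The collector should run with read-only access to the financial application, and the head of the chain should be anchored somewhere the people able to alter that application cannot also alter (write-once storage, an external timestamping service, or a copy handed to the auditor each period); otherwise an insider can simply rebuild the chain after rewriting the data.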

Compliance reporting is still a "CYA" exercise. But there's a certain amount of comfort in knowing that your you-know-what is covered. Whether you want to avoid being the butt of office jokes or the defendant in a criminal prosecution, automated compliance reporting can provide comfort in compliance.

John H. Capobianco is president and chief executive at Lumigent, a provider of GRC systems for financial applications.

(c) 2009 Accounting Today and SourceMedia, Inc. All Rights Reserved.
