Compliance, they say, is like bitter medicine. The end result is wonderful, but the process makes you grimace.
And that grimace is usually more intense when the business trying to comply with the morass of government standards and regulations is a small or mid-sized firm.
Abiomed Inc. knows the feeling.
This 400-employee manufacturer of heart support products located in Danvers, Mass., had to meet its Sarbanes-Oxley (SOX) obligations the same way as any large publicly traded firm.
But with far fewer resources.
Smaller firms don’t have the same people power and budgets as their big business counterparts, noted Sharon Kaiser, chief information officer (CIO) of Abiomed. “But we still have to jump through the same compliance hoops.”
For a long time Abiomed was saddled with a compliance process that was costly as well as time- and labour-intensive.
But all this changed, the company says, when it rolled out a new compliance software product from SymSoft Corp.
Milwaukee-based SymSoft is a provider of governance, risk and compliance software for use within SAP application environments.
According to Kaiser, the SymSoft rollout helped Abiomed radically streamline its compliance processes.
One critical compliance issue, she noted, was segregation of roles and duties. “For instance, a worker receiving products in the shipping area should not also be posting invoices.”
Without any checks and balances in place, such a situation could lead to potential fraud.
Before using the new software tool, Kaiser said, the SAP reporting system provided a view of employees’ roles, and helped managers decide what level of authorization to give certain personnel.
Though partially automated, critical parts of Abiomed’s compliance chores were still manually done and this tied up the company’s IT staff.
“Our manager of applications would spend about 10 hours a quarter pulling Segregation of Duties analysis reports for review and approval by department heads involved,” Kaiser recalled.
After that, reports on recommendations and actions taken were manually compiled.
This tedious, labour-intensive process, she said, was replaced by a far more efficient one when the company started using the automated Risk Analyzer and User Analyzer modules of SymSoft’s ControlPanel last December.
“We now have dashboards on our computer screens that show potential compliance issues and risks. If something interests me, I can drill down further for details,” said Kaiser.
Rather than wade through reams of paper work to identify potential risk or fraud, managers are now alerted by the system when a potential risk occurs.
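The segregation-of-duties check described above, reduced to its core, as an added illustration (this is not SymSoft ControlPanel code; the role names, conflict rules and user assignments are constructed): each user’s roles are expanded into the business functions they grant, conflicting function pairs are flagged, and a diff between two snapshots yields the change-driven alerts that replace a quarterly report pull.

```python
"""Segregation-of-duties (SoD) analysis over user-role assignments.

Added illustration of the check the article describes; it is not SymSoft
ControlPanel code. Role names, rules and users below are constructed.
"""

# Constructed SoD rules: pairs of business functions one person must not hold
# together. The first pair is the article's receiving-vs-invoicing example.
SOD_RULES = {
    ("goods_receipt", "invoice_posting"): "can receive goods and approve paying for them",
    ("invoice_posting", "payment_release"): "can post an invoice and release its payment",
    ("vendor_master_maintenance", "payment_release"): "can create a vendor and pay it",
}

# Constructed mapping from SAP-style roles to the business functions they grant.
ROLE_FUNCTIONS = {
    "Z_WAREHOUSE_CLERK": {"goods_receipt"},
    "Z_AP_CLERK": {"invoice_posting"},
    "Z_AP_SUPERVISOR": {"invoice_posting", "payment_release"},
    "Z_PURCHASING": {"vendor_master_maintenance"},
}


def violations_for(roles):
    """Return the sorted SoD conflicts created by one user's combined roles."""
    funcs = set().union(*(ROLE_FUNCTIONS.get(r, set()) for r in roles))
    return sorted(pair for pair in SOD_RULES if set(pair) <= funcs)


def analyze(assignments):
    """Map each violating user to their conflicts; clean users are omitted."""
    report = {user: violations_for(roles) for user, roles in assignments.items()}
    return {user: v for user, v in report.items() if v}


def new_violations(previous, current):
    """Conflicts present in `current` but not in `previous`: the alerts a
    dashboard would raise when an assignment change creates a new risk."""
    before, after = analyze(previous), analyze(current)
    delta = {}
    for user, conflicts in after.items():
        added = sorted(set(conflicts) - set(before.get(user, [])))
        if added:
            delta[user] = added
    return delta


# Constructed snapshots: last quarter's assignments and today's.
LAST_QUARTER = {"jsmith": {"Z_WAREHOUSE_CLERK"}, "mlee": {"Z_AP_SUPERVISOR"}, "rpatel": {"Z_PURCHASING"}}
TODAY = {
    "jsmith": {"Z_WAREHOUSE_CLERK", "Z_AP_CLERK"},  # added AP role: new conflict
    "mlee": {"Z_AP_SUPERVISOR"},                    # pre-existing conflict, already known
    "rpatel": {"Z_PURCHASING", "Z_AP_SUPERVISOR"},  # added supervisor role: two new conflicts
}

if __name__ == "__main__":
    for user, conflicts in new_violations(LAST_QUARTER, TODAY).items():
        for a, b in conflicts:
            print(f"ALERT {user}: {a} + {b}: {SOD_RULES[(a, b)]}")
```

Real deployments map roles to functions from the SAP authorization data itself rather than a hand-written table, and record approved exceptions (mitigating controls) so known, accepted conflicts such as mlee’s do not re-alert.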
If the benefits of compliance are so evident, why are so many Canadian small and mid-sized firms holding back?
Even though a firm’s reputation may be on the line, it’s still difficult to sell the idea of compliance to some companies, noted Jeff Dunmall, CEO of imason Inc., an information management and implementation firm in Toronto.
Some organizations see compliance as another layer of regulation that will cost them money, he said.
He said businesses need an advocate within the organization, who can highlight the benefits of compliance to the user from the very beginning.
Abiomed’s challenges are typical of most small and mid-sized firms that have recently gone public and now have to comply with SOX, said Dan Wilhelms, president and CEO of SymSoft.
Over the years, these organizations became good at running their business but now they have to shift gears and worry about compliance as well, he said.
Many such firms hadn’t anticipated the urgency to meet compliance and audit demands.
The U.S. Securities and Exchange Commission delayed its deadline for public companies to comply with SOX several times. The first deadline was August 2006, later extended to June 2008. Businesses were recently granted another reprieve, when the deadline was extended to June 15, 2010.
Intentions to deploy reporting systems are often hampered by budgetary constraints and system complexity, Wilhelms said.
“The first generation systems were very expensive. They cost at least half a million dollars and had a long implementation time.”
Wilhelms estimates that tools and software maintenance typically pushed the total cost of ownership to $1 million or more. “By comparison, a seven-module SymSoft ControlPanel GRC system would cost just about a third of that,” he said.