Like time-crunched students preparing for a final exam, most insurers approached the first Sarbanes-Oxley compliance audit more intent on making the grade than developing a good understanding of the subject. "In year one, companies really were focused on passing the audit–finding control deficiencies and putting in place new controls, even if they were manual or workarounds," says Sean Kracklauer, who leads the Sarbanes-Oxley research and consulting practice at the Hackett Group, a business process advisory firm and benchmarking group.

It didn't help that some IT departments often were faced with cramming for the exam, once they realized, already into year one, that even though Sarbanes-Oxley was advertised as a law focused on financial controls, it wasn't a finance-only issue. "There are some systems that don't meet the threshold in terms of the overall impact [on financial reports], but there's very little in IT that does not need to be part of the [Sarbanes-Oxley compliance] process," notes John Van Decker, senior vice president and principal research fellow at research firm Robert Frances Group. "IT also represents a significant investment and expenditure for the enterprise, so those IT expenditures also needed to be considered and scrutinized."

However, with the stress of the first exam behind them, companies–unlike college students–are going back to the books. "The second phase [of Sarbanes-Oxley compliance] is to achieve sustainability, and the third phase is using compliance as a lever for change and overall business improvement," says Van Decker. "Companies need to understand how what they've done [for first-year Sarbanes-Oxley compliance] fits into an overall objective. They need to understand what their strategy for IT governance, enterprise governance, and support for compliance will be."

The need for a repeatable, efficient compliance process is a matter of not only good business practice but also hard-dollar necessity. Research from the Hackett Group shows the costs of post-Sarbanes-Oxley compliance activities ate up a significantly higher percentage of revenue than compliance activities done before the act was in effect (see graph). Creating sustainable compliance involves addressing three business areas: people, procedure, and technology. The "people" part of compliance covers the spectrum from top-management support down to line-level training and individual understanding of new responsibilities and routines.

Sarbanes-Oxley already has caused profound changes in companies at the organizational level, with companies creating compliance committees and establishing new individual responsibilities. For instance, in UnumProvident's first year of preparing for audit, which for the disability and supplemental benefits insurer was 2004, the company divided responsibility for controls between process owners in business and application owners in IT. "It took a while for everyone to understand what people's roles were," says Chris Bursch, vice president of IT risk management at UnumProvident.

In year two, the company created new IT/business alignment committees that meet monthly to perform ongoing compliance reviews. Those committees report to UnumProvident's IT steering committee, which has oversight for overall IT governance, including IT asset management, strategic project risk assessment, change control, and security as well as compliance.

"We already were putting in place a lot of the governance practices around assessing risk and understanding spending and ROI in IT. All that was bubbling up when Sarbanes-Oxley came in and put that [requirement] in black and white" and led to UnumProvident's organizational changes, explains Bursch.

While a carrier's size has much to do with its ability to commit staff resources solely to Sarbanes-Oxley, some companies have created dedicated Sarbanes-Oxley compliance units. For its first-year compliance activities, Selective Insurance created a new Sarbanes-Oxley project management department, part of the carrier's enterprise program management office that was created five years ago to address larger governance issues. "The structure we had in place at Selective really has established IT governance at the top of the organization," says Richard F. Connell, executive vice president and CIO at Selective.

In addition, Selective provides continued training to keep compliance top of mind. "In the first year, we did a full day's training at an outside firm. We then hired a consultant to assist us with the development of our training materials," reports Nancy DeRiso, the carrier's vice president and director of internal audit. "Today, we have regular, biweekly project meetings, where [Sarbanes-Oxley] subject matter experts can assist the business owners as they come across things they aren't quite sure of. [In year two,] we continue to do an annual training for all employees who might be involved in the process to refresh them on terminology related to risk and control."

As compliance has become a more self-sustaining process at Selective, DeRiso says the need for a dedicated compliance department has diminished, which is by design. "In year two, we're finding, if anything, the need to pare that back because it's no longer a full-time focus. [The compliance process] is to the point it's become a sustainable effort within the organization."

Despite the stresses and time pressures of the first-year audit, some insurers were pleased to find needed control procedures already were in place. "If companies had a strong governance culture, where the board took its fiduciary responsibilities seriously, actively monitored the organization in terms of not just wanting reports from the CEO and CFO but from other areas, and assessed how the business is dealing with risk, when those companies looked at Sarbanes-Oxley, it was more [a matter of] repackaging what they already were doing," Kracklauer indicates.

"We were in compliance from a control standpoint, but documentation was a bit of an issue as it was for 99 percent of companies," says DeRiso.

"We did a couple things to make [documentation] easier," adds Ken Pavlick, Selective's manager of internal audit. "We've developed templates to make sure testing is done in a complete manner throughout the organization. In addition to ensuring accuracy and completeness, those templates have enough information to enable transition of responsibility if need be to other employees who may come into the project or process or if the process owners are delegating responsibility within their organizations."

Selective additionally has been able to use the documentation and templates that were created for Sarbanes-Oxley for other purposes, such as other reviews by external auditors and examiners. "We're also making sure we're following the COBIT [Control Objectives for Information and related Technology] framework in our documentation," DeRiso says.

Likewise, specialty P&C insurer RLI moved from Sarbanes-Oxley compliance toward adopting COBIT. "When we started reviewing controls for year one, we found we were pretty much aligned with COBIT already," says Jennifer Klobnak, director of internal controls at RLI. "In year two, we have realigned all the IT controls to fit with all the process areas identified by COBIT we think are part of the scope of Sarbanes-Oxley in our operational control environment. Auditors can see where the controls in place fit into COBIT and where and why we haven't adopted them."

Often, companies that looked to parts of the COBIT framework as a means of year-one compliance have looked to adopt the rest of COBIT as a best practice. "One of the areas of COBIT is IT strategy," Kracklauer illustrates. "That's not important to Sarbanes-Oxley; [section] 404 doesn't mandate you have a strategy. But from the perspective of the IT organization, it's very important you have a strategy and can match that to the overall business strategy."

Year two also involves looking at procedures and controls adopted in year one and seeing which ones might not be needed. "If you ask most CFOs and CIOs, they'll uniformly say the audit community went overboard in terms of the level of detail, documentation, and number of controls that were deemed to be necessary to comply with Sarbanes-Oxley in year one," Kracklauer says.

"In the first year, whatever our auditors said we should do, we did without question," Klobnak says. "In year two, now that we're better educated and don't have the deadline looming over us, we look at it, think about it, but then determine if [a control] is appropriate or not. We won't make a process inefficient on a noncritical control. We reduced our list by a couple hundred controls, and that has helped our testing tremendously."

To achieve sustainable Sarbanes-Oxley compliance in IT in the third area–technology–efforts are required on two fronts. The first is simplifying and increasing the effectiveness of the current environment. "Companies are looking to reduce the number of applications they have," Kracklauer says. "If you standardize and reduce the complexity of your environment, you're also reducing the complexity of managing your controls as well as your cost of controls."

UnumProvident took aim at the number of different security access processes it had in place. "Because we are the result of several merged companies over the last six years, we had many different access processes in place," Bursch says. "We collapsed those into one single access request process and put in a semiannual review process to review the access [users have] and validate it's still appropriate."

The other technological initiative involves carefully adding new systems to manage the compliance process. "There have been a lot of manual processes put in place to do the tracking for compliance," Van Decker observes. "Companies should be looking at tools to help them manage the collaboration required for the control process." It would appear companies are doing just that. In an August 2005 study by CFO Research Services (Compliance and Technology: A Special Report on Process Improvement and Automation in the Age of Sarbanes-Oxley), more than 75 percent of respondents assigned either "top priority" or "moderate priority" to automation of their companies' compliance and control environments over the next 12 months.

There are two types of compliance-related technology of most interest to insurers. With its process narratives, test plans, reports, and other content, Sarbanes-Oxley compliance is a heavily document-driven exercise; therefore, companies have first looked to content management systems. "In our second year [of Sarbanes-Oxley], many [documents] were sitting in the audit department, and a lot of the process owners had to re-find them this year," Bursch says. "We don't want the Sarbanes-Oxley review to be a big project each year. We want it to be an ongoing, normal review and get it into maintenance mode."

UnumProvident is in the process of implementing the Sarbanes-Oxley solution from content management vendor Stellent to help manage its control and compliance documentation. "We wanted to make sure we understood the [audit] review before we put in any software," Bursch notes. "What we are putting in that tool is documentation of all our significant business processes, risks associated with those processes, and mitigating controls." The system provides a central repository of control-related documents to facilitate collaboration and retrieval and a workflow engine for automated routing of those documents to responsible parties in the approval sign-off process.

In addition, companies are showing strong interest in solutions that help them manage the control testing and overall change management process. "In year one, many companies had very loose change management programs," Kracklauer maintains. "By year two, they had better programs and now are looking for automated tools such as ticket tracking systems to make sure all changes get captured, logged, and sent to business users to approve what the change actually looks like before it goes into production."

RLI looked to better manage the control testing process as well as shift the burden from a relatively small group of testers to a large group of process owners. "In year two, with individual test sheets for more than 500 controls, and 80 controls in IT [alone] that we were trying to track, we were pulling our hair out," says Klobnak. The company purchased Handysoft's SOXA Accelerator, a Web-based application the insurer uses to automate and enforce the workflow involved with assessing and monitoring controls and application changes that impact those controls. The system was fully implemented in the second quarter of 2005.

"In the manual process, we were focused more on the testing process and documentation of testing," rather than whether or not a control still was appropriate, says Laurie Whitaker, senior systems analyst at RLI. In contrast, now "the system drives you so that the first thing you have to do [before testing] is review the control and determine whether it's still appropriate, and if you have changes, to update that control before you can go into any testing," she says. The system also gives RLI management visibility into processes, the controls in place, and the people responsible for both.

While making Sarbanes-Oxley compliance a sustainable process is an important objective, it should not be the end of the game. "Rather than simply looking at Sarbanes-Oxley in the narrow sense of 'What do we have to do because the government says we have to do it,' we looked for a way to get some benefit out of it," says Gary Knoble, vice president of practice development at the Insurance Data Management Association and recently retired from The Hartford as the company's vice president of data management. "The whole message is the concepts of Sarbanes-Oxley are much broader than just applying to the financial numbers that are published."

He illustrates that with an example from the data management side of IT. "If it's important to apply and document a control and testing process to financial data, it's also important to apply it to the data you use to price your products, not because you share your pricing data with stockholders or regulators but because you need it as a company to be profitable," Knoble says.

In year two, Van Decker suggests companies are looking toward areas where compliance-driven projects can support overall IT governance. "Many companies have only scratched the surface," he says. "They should come up with a strategy geared not only toward compliance but toward helping them help guide research, allocation, and investment going forward."

"Sarbanes-Oxley afforded us the opportunity to enhance areas of governance, such as change management, which we already were doing, but we now had the fortitude and backing to make sure we were doing it to the extent we needed to," asserts RLI's Whitaker. "It's also enhanced our standing with the user community because when we have these controls in place, they're more understanding of the role IT has to play and why."

But there is opportunity for additional benefit, she believes. "We have not gotten to the point where we are leveraging [Sarbanes-Oxley] for business improvement," she says. "That would be the home run, and we're probably rounding first. The problem is always where do you find the time?"

Overall, companies do appear to be deriving some added value from the compliance process. In the CFO Research Services study, nearly two-thirds of respondents said the Sarbanes-Oxley compliance effort has increased the understanding of their business and boosted the ability to communicate with staff.

"In year two, we've [also] seen companies go back and look at what types of risk they really manage, because financial misstatement risk is only one type of risk companies manage," Kracklauer says. "Companies are going back and putting in ERM [enterprise risk management] frameworks that are better documented and more robust than they had in their initial compliance year. They're concerned with how a company monitors and manages all their risk, not just financial risk."

Perhaps most significant to insurers' IT departments, creating a sustainable Sarbanes-Oxley compliance process will have far-reaching impacts on the way those departments operate. "IT will be called on increasingly to show it has plans and controls in place and is moving toward an enterprise vision–that it has environments in place that are effective and efficient," says Van Decker. "IT is an important enterprise asset that needs to be guarded and compliant in nature, needs to support the business effectively, and can be a trusted component of business process."
