Whether it’s the latest health and safety rule, security standard or accounting regulation, an increasing reliance on automation to track company assets and trading activities has made IT a major part of the compliance agenda.
Mergers and acquisitions (M&A) provide an excellent example of IT’s role, not only because they call for unprecedented levels of management control, but also because they are a key focus of yet another looming piece of European Union (EU) corporate legislation.
In a nutshell, European Sarbanes-Oxley or EuroSOX, as it has become known, requires that any new business created through either merger or acquisition should be able to produce consolidated accounts within a month of joining forces (See box).
One company that is more aware of the implications of EuroSOX than many others is fixed, mobile and broadband telecoms operator, The Carphone Warehouse. The company has rapidly expanded by acquisition from humble beginnings as a UK high street mobile phone retailer in 1989 to having nearly 2,500 stores in 10 countries across Europe today, and having added almost three million broadband customers in the last five years.
Last year, Carphone bought AOL’s broadband business and its 2.1 million customers to complement its existing broadband subsidiary, TalkTalk. “We’ve expanded quite a lot in the M&A space,” says Jason McCreight, Carphone’s head of business change management.
“The work I do is at the forefront of mopping up after M&A activity in a lot of different operational areas, including finance and [human resources],” he says.
“The acquisition of AOL’s broadband business in late 2006 was by far the largest and most complex. We had to find a way of moving all transferring employees onto Carphone’s human resources and payroll system, but to also do so in a reusable way so we could use the mechanisms for integration in future, and to develop better integrated systems more quickly.”
For some time now, The Carphone Warehouse has pursued an IT strategy that serves it well from both operational and regulatory standpoints, by offering, to borrow McCreight’s use of the word, “reusable” components. Reusability is also a key strategic building block in service-oriented architecture (SOA), the highly fashionable current approach to building IT systems that are flexible and dynamic. SOA has been touted as a way for technology to become a tool for strategic integration rather than a dumb resource, and The Carphone Warehouse has invested heavily in SOA-related technologies over recent years to manage its complex integration challenges.
Carphone has also made full use of data warehousing and integration tools in order to forge links between old and new systems and achieve compliance.
The birth of EuroSOX
Since Enron became a symbol of wilful corporate fraud and corruption in the US, publicly traded companies across the world have had to come to terms with far-reaching requirements to demonstrate diligent corporate financial responsibility. By far the most influential legislation passed in the wake of the Enron scandal was the Sarbanes-Oxley (SOX) Act of 2002.
Originally established to create new or tougher accounting and financial reporting standards for any company trading publicly on the US financial markets, the US legislation also brought with it vast changes in the way companies store and re-use data. The Act contained 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties for negligence.
For IT departments, SOX heralded a raft of new technology-dependent requirements designed to make them protect, manage, retain and retrieve digital assets in order to comply with its regulations. In particular, SOX sections 302 and 404 mandated that a company’s auditor should “certify the timely review and analysis of financial reporting information” and identify “any material internal control weakness” or “significant deficiency” in verifying that management has sufficient operational command to produce reliable and compliant financial reports.
Now, EuroSOX looms. So will history repeat itself? No sooner had SOX begun to take full effect, with final deadlines for compliance in 2004, than the European Commission began to draw up new European Union legislation with similar aims and requirements. The proposed new European regulations on corporate financial responsibility also show that scandals – not only those like Enron, Tyco and WorldCom in the US, but also Parmalat and others in the EU – are still fresh in legislators’ minds.
“Like most data warehouse technology customers, we started off using Informatica products in the ETL [extract, transfer and load] space,” McCreight says. “Large data warehouses form a central part of the systems that are integral to our business operations. With a number of legacy systems, in the area of billing for example, they may have had no credit checking or payment collection functionality. Historically, we’ve used data warehousing technology to pump billing through to systems that can perform these functions in what was first set up as a temporary measure, but soon became a standard operational process. We’re quite used to moving large amounts of data around between systems as a consequence.”
Although the telecoms operator could not have foreseen the tide of regulation it would be subject to when it first embarked on either its SOA technology or M&A business growth strategies, integrating huge amounts of complex data and systems has stood it in good stead.
“The company is very good in the financial space in particular,” says McCreight. “It usually takes one month after a merger or acquisition to produce consolidated accounts, so our systems can meet EuroSOX regulations. But such compliance does mean there is quite a significant financial bias to M&A deals as a result, so any M&A is judged on a purely commercial basis.”
Carphone has now developed its IT strategy to include web services-based SOA technology from the likes of business process management (BPM) vendor Tibco, supplementing the heavy data lifting and moving work carried out by its Informatica ETL tools.
The EuroSOX timeline
Software to support compliance, with functionality including document, event and contract management tools; supplier and customer collaboration portals; data storage and retention programmes; and advanced business intelligence and reporting tools.
2003: 10-point plan revealed by the European Commission on Corporate Governance as part of 8th directive.
2004: 10-point plan received common adoption in the Economic and Financial Affairs (ECOFIN) Council.
March 2004: First draft of the 8th directive published.
June 2005: The draft is adopted by The Legal Affairs Committee.
September 2005: The European Union (EU) Parliament adopts the directive.
October 2005: The directive receives political acceptance of adoption in The Council of Ministers.
December 2005: The EU establishes the European Group of Auditors’ Oversight Bodies (EGAOB) to oversee, regulate, inspect and discipline accounting firms in their roles as auditors of public companies. The step is similar to the way in which the US’s Sarbanes-Oxley Act created the Public Company Accounting Oversight Board (PCAOB) for the same purpose.
April 2006: The council achieves final adoption of the 8th directive.
April 2008: 24-month adoption period begins.
“We use ETL tools in our move to becoming a full telecommunications company,” he says. “Handling the corresponding volumes of data involved can sometimes run to migrating hundreds of millions of rows of data on a one-off basis. A key driver of using ETL tools to manage this process in business terms is to make cost savings as a result of M&A activity.”
Analyst firm Gartner agrees with The Carphone Warehouse’s data integration strategy.
Dave Aron, vice president and research director at Gartner Executive Programmes, says: “We advise CIOs [undergoing projects related to an M&A] to have their processes, human resources and assets well documented and to take an honest view of their position. In the early days, we would recommend trying to learn as much as possible about your suitor and developing a plan accordingly that will keep staff motivated and onside.”
Although compliance may not be the first consideration when it comes to business combinations, good data governance could also be the key to maintaining trust and confidence in your newly expanded brand footprint, as McCreight describes.
“In 2006, we bought a number of data integration tools and are in the middle of doing a large data integration project involving over 15 financial systems with an awful lot of internal data,” McCreight says. “We are using the tools both for profiling and migrating the data. However, we are still in the fairly early stages. Having agreed on internal partners and bought the tools, we are creating teams to carry out the work and will be working on the project in earnest throughout 2008.”
This work will in turn feed into strengthening reporting on progress in integrating merger and acquisition partners.
IT implications of EuroSOX
EuroSOX is a set of EU directives designed to enforce financial transparency and prevent market abuse that includes:
The EU’s Financial Services Action Plan (FSAP)
The 4th directive on annual accounts of specific types of companies
The 7th directive on consolidated accounts
The 8th Company Law Directive on Statutory Audit
EuroSOX IT requirements include:
Auditor support software, containing questionnaires, narratives, process flows and control matrices, as well as testing and remediation reports.
“There is a greater need for consistency with reporting as we become bigger, so the IT implications of any deal are factored in much earlier. IT is involved in the very early stages of planning. Right now, we’re in a period of consolidation in terms of M&A, where IT is more involved upfront. For example, in the AOL deal, joining networks was a quite different piece for the business and needed more IT involvement. IT is also more important because the business is structured in a federated way that allows each separate business to carry on doing its own thing. The technology is there to exploit the synergies and facilitate effective integration.”
Gartner’s Aron adds that an effective integration process can create systems that are stronger than those of the individual pre-merger companies.
“If the [integration] process is handled in the right way, it can provide the opportunity to upgrade and update existing systems for overall business benefit,” he says.
“Proactive CIO involvement in the M&A process can also play a significant role in identifying and reducing information- and process-based risks that span multiple business areas, as well as spotting opportunities related to that information.”
But in order to maximise the benefits from IT, timing the involvement of the IT function in any activity that may have regulatory implications is also important.
“As a consequence of a concentration on financial integration, the business probably doesn’t always follow that up with operational systems integration until later,” McCreight says. “At Carphone, we have pockets of excellence in finance and HR but [change to] operations usually comes at a later date, with point-of-sale and billing systems taking much longer to complete. There is a very pragmatic view in the financial part of the business,” concludes McCreight. “Complying with all regulations locally is a key part of this. There is an ongoing programme of work to improve controls and rationalise our corporate structure that’s characterised by a no-nonsense approach.”