Contracts Management Software as a Tool for SOX Compliance

Transcription

1 Contracts Management Software as a Tool for SOX Compliance White Paper (281) sales@prodagio.com

2 In 2002, following the scandals involving corporations such as Enron, WorldCom, and Tyco International, the Sarbanes-Oxley Act became law, mandating for the most comprehensive corporate governance reform in decades. New duties addressing the corporate internal control structure fall upon both managing agents and auditors. Specifically, SOX addresses internal controls in its Sections 302 and 404. Section 302 requires that officers signing periodic financial reports certify that they are responsible for internal controls, have evaluated those controls within the previous 90 days, and have reported on what they found in that evaluation. They are required to list the deficiencies in those controls, any significant changes in those controls, and factors that could negatively impact those controls. Section 404 contains similar requirements, but this time is directed to the business entity and its auditors. Specifically, the reporting business is to publish information about its internal controls scope, adequacy, and effectiveness. The auditors are to report on the business assessment of its controls effectiveness. Ok. So what are Internal Controls? SOX itself does not define internal control, though the term is featured prominently in several of its operative sections. The Committee of Sponsoring Organizations of the Treadway Commission (COSO,) however, has. Its candid definition begins as follows: This disclaimer having been made, COSO frames internal control as a process designed to provide reasonable assurance regarding the effectiveness and efficiency of operations, reliability of financial reporting, [and] compliance with applicable laws and regulations. This process is proposed to have five interrelated components : (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring. Component #3: Control Activities COSO elaborates upon control activities as follows: (281) sales@prodagio.com 2

3 This definition begs an important question: how are control activities to be identified? The range of activities can only be circumscribed once the specific business objective to be controlled is determined. The development of industry best practices has addressed many of the risks to achievement of the entity s objectives. In the case of contracting, commonly identified risks that lead to increased liability exposure, inflated obligations, and/or minimized benefits include: Contracting officers use of unapproved, inapplicable language during drafting; Absence of, or non-compliance with, internal requirements for approval of contracts before execution; Lost contract benefits due to slow and/or inefficient workflows for drafting, editing, approval, and execution; Risks associated with variances among internal business units in contracting procedures; Inability to take advantage of economies of scale, manifest in redundant contracts, multiple obligations and/or minimized aggregate benefits; Risks of off-contract dealings, including maverick buying ; Risks of non-compliance with industry regulatory requirements; Inability to locate contracts due to absence of centralized or systemic storage; Absence of checks and balances in contract management authority within the business entity; Breach of confidentiality or trade secret integrity due to lax security controls; Risks of insurance coverage denial due to non-compliance with policy requirements for contracting; Inability to leverage bargaining power due to inadequate visibility into contract groups; Unknown contract benefits, obligations, and risks due to inadequate reporting; Tested best practice measures that minimize these risks have included the following: Contracting processes that are implemented uniformly across the entire business entity; Enforced use of vetted and standardized language for contract templates and clauses; Robust searching and reporting capacities, both within that repository and throughout the entity s entire universe of contracting information; Use of automated systems for alerting to contract milestones and deadlines. Use of a centralized contract repository; Use of systems that support collaboration in the authoring, monitoring, analysis, and reporting functions; Alignment of contract administrators according to functional groups; Uniformity and coordination in contracting decision-making; and Proactive compliance enforcement. (281) sales@prodagio.com 3

4 Component #3: Control Activities About information, COSO said: The regulatory organization birthed by SOX, the Public Company Accounting Oversight Board, has acknowledged that SOX is not directed to broad IT changes or information security controls. However, SOX does come to bear upon controls around accounting and financial processes, and by extension the information technology used in those areas. In that light, an indispensable element of SOX compliance is a contract management system that affords uniformity, integrity, and visibility into the contract lifecycle. How does Prodagio Contract maximize value extraction? Goldman Sachs estimates that a typical Fortune 1000 organization has between 20,000 and 40,000 contracts. Contract management for such a company can consume 100 basis points of revenue for sell-side contracts, and 25 basis points for buy-side agreements. Goldman estimates organizational savings realized by using software to manage contracts at 40 basis points of revenue. PricewaterhouseCoopers calculates that savings to be 2% of total organizational costs. More specifically, Goldman estimates that implementing contract management software could result in (a) negotiation cycles that are 50% shorter, (b) reduction in payment errors by 70% to 90%; (c) processing costs that are 10% to 30% smaller; and (d) a 10% to 20% headcount reduction. Prodagio Contract has been designed to serve as an integral part of corporate SOX compliance. Its functionality closely adheres to current best practice standards. It is updated with each release to keep pace as those standards evolve. Initial Drafting. Prodagio Contract s drafting functions ensure uniformity in content, and therefore consistency in contract bargaining, benefits, obligations, and risk exposures. Begin creating new contracts within Prodagio s template library, which houses language that has been tailored to your business rules and vetted by your legal advisors. Based upon these templates, your people can complete a contract that not only contains conditions that you demand, but also accommodates differing contract types and transactions. Document Control after Drafting. Whether through error or fraud, businesses are exposed to risk as they grow larger and more complex. Prodagio Contract ensures that each action on every contract is date and time stamped, and that the identity of the person taking the action is recorded. New versions must be created with each document edit; meanwhile, the prior version remains in the system. As each action on a document is taken, an audit trail is created the document s audit trail never needs to be forensically reconstructed. Reporting. A centerpiece of Prodagio Contract s functionality is its capacity to render reports tailored for specific uses. Even before any client-specific configuration, Prodagio can report on around 20 different contract variables. (281) sales@prodagio.com 4

5 Moreover, during configuration, Prodagio analyzes your specific enterprise rules and business requirements, so that the software will report around user-specific contract variables in a form generated according to that client s organizational preference. Contract Lifecycle Management. After a contract is executed, Prodagio Contract tracks obligations, conditions, critical dates, and the course of performance. Alerts let contracting officers take advantage of time-sensitive terms and conditions. Document Association and Searching. According to an IDC study, an average knowledge worker spends 475 hours per work year searching for information. Of those, 175 hours are devoted to fruitless searches that are ultimately unsuccessful. Information must then be re-created, resulting in additional wasted time and unreliable results. With Prodagio, when a critical document or pivotal language must be found, a powerful search tool allows you to easily locate it within any contract in the system. Trips to the file room are eliminated, paper reduced, and productivity increased. Moreover, Prodagio links contracts and other documents with one another according to enterprise business parameters, so that master agreements, related agreements versions, amendments, and attachments can be accessed in seconds. Document Retention. In this era, courts and auditors impose drastic costs on business by requiring the production, sorting, and analysis of vast numbers of documents. Prodagio Contract enables uniform adherence to document retention policies and archiving practices, eliminating time-consuming searches through filing cabinets and shared computer drives. Security. In addition to each of the measures discussed to this point, Prodagio Contract can restrict the access to and use of documents according to the enterprise s own security rules and requirements. Different users or different user groups can be disallowed the access rights required to delete a document, edit it, view it, or even know that it exists. The same control exists around the document and clause templates used during contract creation. Enterprise Control through Designated User Administrators. As Prodagio Contract maintains the process integrity using the functions discussed up to this point, it affords the enterprise extensive control over its functionality. It is highly user-configurable; control over that configuration rests in the hands of those the enterprise designates as its Prodagio administrators. Those administrators can exercise control over: The template language from which all contracts are created; Organizational workflow structures for each contract type; The enterprise s reporting criteria, forms, and functions; The extent to which Prodagio s life-cycle management functions are available to each user or user group; Enforcement and modification of document retention policies and document access. In short, the control activities COSO and SOX address are undertaken by Prodagio Contract itself. As a corporation s auditors assess its internal control policies and practices, they will find that Prodagio Contract satisfies their search for implementation of best practices, for a standardized IT framework around contract management, and ultimately for assurance that adequate controls around accounting and financial processes exist. Such best practices, framework, and controls are built into Prodagio Contract s design. Learn more at (281) sales@prodagio.com 5

6 2525 South Shore Blvd. Suite 202 League City TX (281)