Symmetricom Inc. could be a poster child for the toll Sarbanes-Oxley (SOX) regulations exact on small public companies. One of the world's top makers of high-precision timing devices, the San Jose, Calif.-based company generated $189 million in revenue last year.
Counting an additional $1 million in audit fees, the outside consultants hired to help document the company's 575 procedures, and the software used to automate the process, Symmetricom has spent close to $2 million on SOX compliance.
"For a company our size, it is really, really tough, because obviously we have to comply with the rules in the same way that a General Motors or Cisco or any big public company does," said John Cunningham, manager of financial compliance. "That is why using a software solution is a must."
The company's own IT functions have long been outsourced, most recently to Oracle Corp., using Oracle's E-Business Suite On Demand. To get ready for year one of SOX compliance, the company used Oracle Tutor and brought in New York-based PricewaterhouseCoopers LLP to help document controls and procedures.
"As we were using Oracle Tutor, the company started asking what software solution was out there to help us out. Integration was a big thing for us," Cunningham said.
Symmetricom decided to stick with Oracle, and chose Oracle's Internal Controls Manager (ICM), a product introduced in August 2003. One of ICM's big selling points, he said, was the time it saved on discerning whether the segregation of duties (SoD) "was proper."
"In the first year, that saved me a lot of time. I probably would have had to hire a consultant for a month to sift through all that, or figure out how to do it myself with some sort of programming tool," Cunningham said.
SoD is a basic internal control to ensure that one individual does not participate in more than one key trading or operational function. A report published last fall by AMR Research Inc. on software compliance noted that security gaps have emerged in recent years, as companies have fewer staffers taking on increasing work responsibilities. Turnover, new job responsibilities and a tendency at some companies to treat system access as an afterthought also opens avenues for potential abuse and fraud. "Although fraud concerns are top of mind, a thorough review of SoD policies is essential for long-term monitoring of a compliance business process environment," Boston-based AMR advised.
AMR Sarbanes-Oxley software market review
AMR conducted a comprehensive review in September 2005 of 24 software vendors that deliver at least one of the three components the research firm deems integral to managing long-term, sustainable compliance. In the review, ICM is described as a "best fit" for companies looking for a tight link between business process and application configurations in Oracle or PeopleSoft with SOX and internal controls compliance.
Because it's "beginning to plug the gap that exists in SoD features," AMR reports, Oracle is picking up traction among best-of-breed SOX software competitors.
Symmetricom's Cunningham said the company relied heavily on Oracle ICM's SoD functionality for the first year of compliance, and was also able to upload all the information it had on spreadsheets to the program. "Year one was a mad scramble. If you look at from the first year to the second and third, there is definitely a payoff big time as we leverage the software," Cunningham said. He added, however, that the compliance software "won't pay for itself," in the same way that, say, replacing an old enterprise resource planning system with a new one would. SOX, he said, is like paying your taxes -- something the company has to do.
"Is our company run better in terms of internal controls -- absolutely. But if you look at what was invested, in terms of consultants, audit fees, ICM and all that, I don't think there is a payback for a company our size at all. And I think most companies are telling the [Securities and Exchange Commission] that," Cunningham said.