Like time-crunched students preparing for a final exam, most insurers approached the first Sarbanes-Oxley compliance audit more intent on making the grade than developing a good understanding of the subject. "In year one, companies really were focused on passing the audit–finding control deficiencies and putting in place new controls, even if they were manual or workarounds," says Sean Kracklauer, who leads the Sarbanes-Oxley research and consulting practice at the Hackett Group, a business process advisory firm and benchmarking group.

It didn't help that many IT departments found themselves cramming for the exam once they realized, already into year one, that even though Sarbanes-Oxley was advertised as a law focused on financial controls, it wasn't a finance-only issue. "There are some systems that don't meet the threshold in terms of the overall impact [on financial reports], but there's very little in IT that does not need to be part of the [Sarbanes-Oxley compliance] process," notes John Van Decker, senior vice president and principal research fellow at research firm Robert Frances Group. "IT also represents a significant investment and expenditure for the enterprise, so those IT expenditures also needed to be considered and scrutinized."

However, with the stress of the first exam behind them, companies–unlike college students–are going back to the books. "The second phase [of Sarbanes-Oxley compliance] is to achieve sustainability, and the third phase is using compliance as a lever for change and overall business improvement," says Van Decker. "Companies need to understand how what they've done [for first-year Sarbanes-Oxley compliance] fits into an overall objective. They need to understand what their strategy for IT governance, enterprise governance, and support for compliance will be."

The need for a repeatable, efficient compliance process is a matter of not only good business practice but also hard-dollar necessity. Research from the Hackett Group shows the costs of post-Sarbanes-Oxley compliance activities ate up a significantly higher percentage of revenue than compliance activities done before the act was in effect (see graph). Creating sustainable compliance involves addressing three business areas: people, procedure, and technology. The "people" part of compliance covers the spectrum from top-management support down to line-level training and individual understanding of new responsibilities and routines.

Sarbanes-Oxley already has caused profound changes in companies at the organizational level, with companies creating compliance committees and establishing new individual responsibilities. For instance, in UnumProvident's first year of preparing for audit, which for the disability and supplemental benefits insurer was 2004, the company divided responsibility for controls between process owners in business and application owners in IT. "It took a while for everyone to understand what people's roles were," says Chris Bursch, vice president of IT risk management at UnumProvident.

In year two, the company created new IT/business alignment committees that meet monthly to perform ongoing compliance reviews. Those committees report to UnumProvident's IT steering committee, which has oversight for overall IT governance, including IT asset management, strategic project risk assessment, change control, and security as well as compliance.

"We already were putting in place a lot of the governance practices around assessing risk and understanding spending and ROI in IT. All that was bubbling up when Sarbanes-Oxley came in and put that [requirement] in black and white" and led to UnumProvident's organizational changes, explains Bursch.

While a carrier's size has much to do with its ability to commit staff resources solely to Sarbanes-Oxley, some companies have created dedicated Sarbanes-Oxley compliance units. For its first-year compliance activities, Selective Insurance created a new Sarbanes-Oxley project management department, part of the carrier's enterprise program management office that was created five years ago to address larger governance issues. "The structure we had in place at Selective really has established IT governance at the top of the organization," says Richard F. Connell, executive vice president and CIO at Selective.

In addition, Selective provides continued training to keep compliance top of mind. "In the first year, we did a full day's training at an outside firm. We then hired a consultant to assist us with the development of our training materials," reports Nancy DeRiso, the carrier's vice president and director of internal audit. "Today, we have regular, biweekly project meetings, where [Sarbanes-Oxley] subject matter experts can assist the business owners as they come across things they aren't quite sure of. [In year two,] we continue to do an annual training for all employees who might be involved in the process to refresh them on terminology related to risk and control."

As compliance has become a more self-sustaining process at Selective, DeRiso says the need for a dedicated compliance department has diminished, which is by design. "In year two, we're finding, if anything, the need to pare that back because it's no longer a full-time focus. [The compliance process] is to the point it's become a sustainable effort within the organization."

Despite the stresses and time pressures of the first-year audit, some insurers were pleased to find needed control procedures already were in place. "If companies had a strong governance culture, where the board took its fiduciary responsibilities seriously, actively monitored the organization in terms of not just wanting reports from the CEO and CFO but from other areas, and assessed how the business is dealing with risk, when those companies looked at Sarbanes-Oxley, it was more [a matter of] repackaging what they already were doing," Kracklauer indicates.

"We were in compliance from a control standpoint, but documentation was a bit of an issue as it was for 99 percent of companies," says DeRiso.

"We did a couple things to make [documentation] easier," adds Ken Pavlick, Selective's manager of internal audit. "We've developed templates to make sure testing is done in a complete manner throughout the organization. In addition to ensuring accuracy and completeness, those templates have enough information to enable transition of responsibility if need be to other employees who may come into the project or process or if the process owners are delegating responsibility within their organizations."

Selective additionally has been able to use the documentation and templates that were created for Sarbanes-Oxley for other purposes, such as other reviews by external auditors and examiners. "We're also making sure we're following the COBIT [Control Objectives for Information and related Technology] framework in our documentation," DeRiso says.

Likewise, specialty P&C insurer RLI moved from Sarbanes-Oxley compliance toward adopting COBIT. "When we started reviewing controls for year one, we found we were pretty much aligned with COBIT already," says Jennifer Klobnak, director of internal controls at RLI. "In year two, we have realigned all the IT controls to fit with all the process areas identified by COBIT we think are part of the scope of Sarbanes-Oxley in our operational control environment. Auditors can see where the controls in place fit into COBIT and where and why we haven't adopted them."

Often, companies that looked to parts of the COBIT framework as a means of year-one compliance have looked to adopt the rest of COBIT as a best practice. "One of the areas of COBIT is IT strategy," Kracklauer illustrates. "That's not important to Sarbanes-Oxley; [section] 404 doesn't mandate you have a strategy. But from the perspective of the IT organization, it's very important you have a strategy and can match that to the overall business strategy."

Year two also involves looking at procedures and controls adopted in year one and seeing which ones might not be needed. "If you ask most CFOs and CIOs, they'll uniformly say the audit community went overboard in terms of the level of detail, documentation, and number of controls that were deemed to be necessary to comply with Sarbanes-Oxley in year one," Kracklauer says.

"In the first year, whatever our auditors said we should do, we did without question," Klobnak says. "In year two, now that we're better educated and don't have the deadline looming over us, we look at it, think about it, but then determine if [a control] is appropriate or not. We won't make a process inefficient on a noncritical control. We reduced our list by a couple hundred controls, and that has helped our testing tremendously."

To achieve sustainable Sarbanes-Oxley compliance in IT in the third area–technology–efforts are required on two fronts. The first is simplifying and increasing the effectiveness of the current environment. "Companies are looking to reduce the number of applications they have," Kracklauer says. "If you standardize and reduce the complexity of your environment, you're also reducing the complexity of managing your controls as well as your cost of controls."

UnumProvident took aim at the number of different security access processes it had in place. "Because we are the result of several merged companies over the last six years, we had many different access processes in place," Bursch says. "We collapsed those into one single access request process and put in a semiannual review process to review the access [users have] and validate it's still appropriate."

The other technological initiative involves carefully adding new systems to manage the compliance process. "There have been a lot of manual processes put in place to do the tracking for compliance," Van Decker observes. "Companies should be looking at tools to help them manage the collaboration required for the control process." It would appear companies are doing just that. In an August 2005 study by CFO Research Services (Compliance and Technology: A Special Report on Process Improvement and Automation in the Age of Sarbanes-Oxley), more than 75 percent of respondents assigned either "top priority" or "moderate priority" to automation of their companies' compliance and control environments over the next 12 months.

There are two types of compliance-related technology of most interest to insurers. With its process narratives, test plans, reports, and other content, Sarbanes-Oxley compliance is a heavily document-driven exercise; therefore, companies have first looked to content management systems. "In our second year [of Sarbanes-Oxley], many [documents] were sitting in the audit department, and a lot of the process owners had to re-find them this year," Bursch says. "We don't want the Sarbanes-Oxley review to be a big project each year. We want it to be an ongoing, normal review and get it into maintenance mode."

UnumProvident is in the process of implementing the Sarbanes-Oxley solution from content management vendor Stellent to help manage its control and compliance documentation. "We wanted to make sure we understood the [audit] review before we put in any software," Bursch notes. "What we are putting in that tool is documentation of all our significant business processes, risks associated with those processes, and mitigating controls." The system provides a central repository of control-related documents to facilitate collaboration and retrieval and a workflow engine for automated routing of those documents to responsible parties in the approval sign-off process.

In addition, companies are showing strong interest in solutions that help them manage the control testing and overall change management process. "In year one, many companies had very loose change management programs," Kracklauer maintains. "By year two, they had better programs and now are looking for automated tools such as ticket tracking systems to make sure all changes get captured, logged, and sent to business users to approve what the change actually looks like before it goes into production," Kracklauer says.

RLI looked to better manage the control testing process as well as shift the burden from a relatively small group of testers to a large group of process owners. "In year two, with individual test sheets for more than 500 controls, and 80 controls in IT [alone] that we were trying to track, we were pulling our hair out," says Klobnak. The company purchased Handysoft's SOXA Accelerator, a Web-based application the insurer uses to automate and enforce the workflow involved with assessing and monitoring controls and application changes that impact those controls. The system was fully implemented in the second quarter of 2005.

"In the manual process, we were focused more on the testing process and documentation of testing," rather than whether or not a control still was appropriate, says Laurie Whitaker, senior systems analyst at RLI. In contrast, now "the system drives you so that the first thing you have to do [before testing] is review the control and determine whether it's still appropriate, and if you have changes, to update that control before you can go into any testing," she says. The system also gives RLI management visibility into processes, the controls in place, and the people responsible for both.

While making Sarbanes-Oxley compliance a sustainable process is an important objective, it should not be the end of the game. "Rather than simply looking at Sarbanes-Oxley in the narrow sense of 'What do we have to do because the government says we have to do it,' we looked for a way to get some benefit out of it," says Gary Knoble, vice president of practice development at the Insurance Data Management Association and recently retired from The Hartford as the company's vice president of data management. "The whole message is the concepts of Sarbanes-Oxley are much broader than just applying to the financial numbers that are published."

He illustrates that with an example from the data management side of IT. "If it's important to apply and document a control and testing process to financial data, it's also important to apply it to the data you use to price your products, not because you share your pricing data with stockholders or regulators but because you need it as a company to be profitable," Knoble says.

In year two, Van Decker suggests companies are looking toward areas where compliance-driven projects can support overall IT governance. "Many companies have only scratched the surface," he says. "They should come up with a strategy geared not only toward compliance but toward helping them help guide research, allocation, and investment going forward."

"Sarbanes-Oxley afforded us the opportunity to enhance areas of governance, such as change management, which we already were doing, but we now had the fortitude and backing to make sure we were doing it to the extent we needed to," asserts RLI's Whitaker. "It's also enhanced our standing with the user community because when we have these controls in place, they're more understanding of the role IT has to play and why."

But there is opportunity for additional benefit, she believes. "We have not gotten to the point where we are leveraging [Sarbanes-Oxley] for business improvement," she says. "That would be the home run, and we're probably rounding first. The problem is always where do you find the time?"

Overall, companies do appear to be deriving some added value from the compliance process. In the CFO Research Services study, nearly two-thirds of respondents said the Sarbanes-Oxley compliance effort has increased the understanding of their business and boosted the ability to communicate with staff.

"In year two, we've [also] seen companies go back and look at what types of risk they really manage, because financial misstatement risk is only one type of risk companies manage," Kracklauer says. "Companies are going back and putting in ERM [enterprise risk management] frameworks that are better documented and more robust than they had in their initial compliance year. They're concerned with how a company monitors and manages all their risk, not just financial risk."

Perhaps most significant to insurers' IT departments, creating a sustainable Sarbanes-Oxley compliance process will have far-reaching impacts on the way those departments operate. "IT will be called on increasingly to show it has plans and controls in place and is moving toward an enterprise vision–that it has environments in place that are effective and efficient," says Van Decker. "IT is an important enterprise asset that needs to be guarded and compliant in nature, needs to support the business effectively, and can be a trusted component of business process."

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.