Web Extra: Sarbox Puts CIOs "On the End of the Spear"
For CIO Insight's May 2004 issue, reporter Debra D'Agostino spoke to Bob Tillman, director of public affairs for the Association of Records Managers and Administrators (ARMA International). What follows is an edited transcript of her interview in which Tillman discusses the deliberate ambiguity of the Sarbanes-Oxley Act, predicts aggressive enforcement by the Securities and Exchange Commission and explains why, even though the act doesn't mention CIOs, they've been thrust to the front lines of Sarbanes compliance efforts.
CIO Insight: How will Sarbanes-Oxley change the way companies do business?
Tillman: If you want to understand Sarbanes-Oxley, go back to the Securities and Exchange Act of 1934. Markets were melting down; people didn't trust Wall Street or their banks. To restore order and confidence, they came out with the most sweeping legislation that Wall Street had ever seen. Sarbanes-Oxley is volume two of the Securities and Exchange Act. It's a shot across the bow to tell CEOs and CFOs that, yes, we will send you to prison and, yes, we will fine the heck out of you if we catch you doing something illegal. It's penance paid by the corporations because of certain CEOs using their corporations as personal piggy banks. The problem with Sarbanes is the way they wrote the law. In terms of records management, what's a record? A record is anything a litigator or the federal government says it is. The SEC is not going to be so stupid as to push themselves into a box and say, "You will do A, B and C." They say you will do certain things, such as an internal controls scenario. You will have the CFO sign off on the quarterly statement. You will have to restate your earnings if they are found to be not correct, things like that. Then they kind of leave it to you and your lawyers to interpret. Sarbanes-Oxley says you will do these things. It doesn't say how you will do these things.
You're saying the Senate purposely left the law vague?
Well, you've got to remember, the law was written by lawyers. That's our federal government at work.
Are companies casting too wide a net in order to make sure they're compliant?
Personally, I think companies are investing in Sarbanes solutions because they know they have to. Better to spend $4 million to show we're at least trying to make these things happen than to say, no, we're not going to spend any money at all. The reality is, what is compliance? I don't think anybody's compliant. I think at heart most companies are good companies, and I think that's why so many executives resent what's going on because, in essence, they're being told they now have to prove they're good guys. Before, it was just assumed.
Where does the CIO fit in all of this?
Nowhere in Sarbanes-Oxley does it say anything about a chief information officer. It spells out the CEO and the CFO, but nowhere does it say the CIO is responsible. Right now, however, it seems everybody who talks about compliance is talking about technology. Whether they're named or not, CIOs are the people who are going to be required to implement this inside the corporation. The CFO is going to tell the CIO to do it, and the CIO had better figure out a way to do it, and do it right.
So the CIO is on the hook as well, albeit indirectly.
Yes. It's almost like the CIO is in a footrace with reality. As soon as he or she solves one problem, a new problem crops up and creates a whole new group of associated dilemmas. That's got to be in some respects the most thankless job inside the corporation, because they're always on the end of the spear.
Meanwhile, no one knows how any of this will be enforced.
Exactly. The question remains, after we spend billions of dollars on Sarbanes-Oxley: Is it smoke and mirrors? Is it like in Casablanca: "I'm shocked, shocked that gambling is going on here. Oh, here are your winnings, sir." Will it truly be enforced or will people get a little slap on the wrist? Quite frankly, I think the enforcement aspect for the first five years is going to be very aggressive. If you look at the enforcement of federal regulations, they like to get somebody early.
Now that the SEC has pushed back the deadline, do you think companies will feel more prepared?
The funny thing about that, the deadline is right after the presidential election. November 2 is Election Day; the Sarbanes deadline is November 15. I think the bottom line is you've got to do the right thing. If the right thing isn't pretty, you've got to accept it. Of course, that's easy to say, but difficult for the CEO of a publicly owned corporation to stand up and say, "Gee whiz, guys, we lost several tens of millions of dollars this year."