The effects of the Sarbanes-Oxley Act of 2002 may ripple throughout your IT organization. Not a public company? You may still have to worryand even if you don't, you need to learn more about compliance.
Decision-making processes in your company are no doubt a mishmash of manual and electronic steps. Determining who's responsible for which information and what decisions, and making sure the system contains checks and balances to guarantee that those decisions are justified, can be a hair-pulling exercise for the most straightforward tasks in business-process analysis.
But getting the process down cold is no longer simply an intellectual exercise. Driven by laws such as the Sarbanes-Oxley Act, your CEO and CFO are now personally responsible for ensuring the accuracy of processes like financial reporting. That means they'll be breathing down IT's neck to guarantee the company's information systems are helping accuracy, not hurting it.
IT is responding. According to a survey conducted in April by AMR Research Inc., about 85 percent of all public companies intend to change their IT systems as part of their efforts to comply with the law. And those companies are planning to spend $2.5 billion in 2003 alone on projects related to compliance.
Why the worry? Born out of post-Enron angst, the Sarbanes-Oxley Act, variously called SOA, SOX or Sarbox, defines a set of standards for tracking and reporting requirements intended to hold top executives' feet to the fire on corporate financial statements. CEOs and CFOs of publicly traded companies must attest to the accuracy of those statements, and anything that looks fishy may elicit sweat-inducing questions from the Securities and Exchange Commissionand, potentially, penalties ranging from personal fines to jail time.
What makes top executives and board members wake up in a cold sweat is worrying about the shakiness of the foundation of financial controls on which their companies sit. In a nutshell, Sarbanes-Oxley says public businesses have to vet every internal process that feeds into a financial statement. The challenge is "walking the dog" through all the information sources that roll up into those reports, especially where any kind of information technology is involved.
In small public companies with uncomplicated products or services, those processes may be relatively straightforward. In large multinational companies, however, financial reporting may have its roots deep in the supply chain, or be buried in a customer relationship management system, or managed differently, depending on your company's global locations and the kind of software each location uses. Those intricacies can make the financial reporting excavation process a complicated exercise at bestand at worst, a minefield fraught with potential financial explosions.
Public companies are the act's main targets, but that doesn't mean all private companies are immune. If your company could be acquired by another that's already public, the CFO of the new parent is responsible as soon as the first dollar flows through the combined entity. And that means substantialand potentially deal-breakingrisk if the acquiree isn't already following deep financial discipline.
So how clear are the ramifications of Sarbanes-Oxley for most companies? "It's probably not very clear to the CIO yet," says Melinda Litherland, an audit partner at Deloitte & Touche. "It's probably very clear to the CFO."