Technology: Sarbanes-Oxley - 'Get Involved' (Page 3 of 5)
Step 2: Get Involved
You'll have to build a close relationship with your internal financial
management group. But remember: It's not about you.
To any company with solid auditing processes, especially those that have
implemented ISO 9000's quality management standards, the general requirements
for complying with Sarbanes-Oxley are relatively straightforward.
Your CFO already has fairly good guidelines for financial discipline. The
SEC has recommended a series of financial reporting standards defined by COSO,
the Committee of Sponsoring Organizations of the Treadway Commission, developed
in response to the savings-and-loan crisis of the late 1980s. Says Pamela
Fredericks, senior security consultant with IT advisory Forsythe Solutions
Group, "The IT side [of the house] probably is blissfully unaware
of these things." But your CFO should be intimately familiar with COSO's requirements,
since it's likely your company has been following at least some part of the
framework for some time.
The devil is in the regulatory details, however, so it's critical to determine
how Sarbanes-Oxley could affect your company specifically. Your CFO has to
outline as clear a picture as possible of the internal processes that feed
financial reports and determine how much the company has to clean up its act.
Taking those steps will be toughest for smaller public companies, many of
which don't have large finance departments and may lack robust internal audit
processes. Only after this work is done, though, can the ramifications for
IT be made clear.
Initial discussions on compliance can be far-reaching, drawing in executives
from operations, finance, audit and legal. Don't be shy about asking to be
involved in these meetings, because sooner or later they'll be generating
requirements for IT. But don't expect all the answers to come immediately,
since in many cases the ramifications for IT at your company will only become
clear over time.
Remember, though, that Sarbanes-Oxley processes are really the province of
your CFO. It's that person's job to ensure that tight fiscal management policies
are in place, whether they're supported by technology or by handwritten Post-it
Notes. "In this situation, the CIO should not even attempt to take charge,"
says John Hagerty, vice president at AMR Research.
Ask Your CFO:
What indications have our auditors given us about the impact on IT for
companies like ours?
Tell IT Staff:
We need to become educated about the act's effects on IT.
Tell Your CFO:
I'd like to attend any training classes with you that might touch on the
ramifications of Sarbanes-Oxley for IT.