Get Involved

You'll have to build a close relationship with your internal financial management group. But remember: It's not about you.

To any company with solid auditing processes, especially those that have implemented ISO 9000's quality management standards, the general requirements for complying with Sarbanes-Oxley are relatively straightforward.

Your CFO already has fairly good guidelines for financial discipline. The SEC has recommended a series of financial reporting standards defined by COSO, the Committee of Sponsoring Organizations of the Treadway Commission, developed in response to the savings-and-loan crisis of the late 1980s. Says Pamela Fredericks, senior security consultant with IT advisory Forsythe Solutions Group, "The IT side [of the house] probably is blissfully unaware of these things." But your CFO should be intimately familiar with its requirements, since it's likely your company has been following at least some part of the framework for some time.

The devil is in the regulatory details, however, so it's critical to determine how Sarbanes-Oxley could affect your company specifically. Your CFO has to outline as clear a picture as possible of the internal processes that feed financial reports and determine how much the company has to clean up its act. Taking those steps will be toughest for smaller public companies, many of which don't have large finance departments and may lack robust internal audit processes. Only after this work is done, though, can the ramifications for IT be made clear.

Initial discussions on compliance can be far-reaching, drawing in executives from operations, finance, audit and legal. Don't be shy about asking to be involved in these meetings, because sooner or later they'll be generating requirements for IT. But don't expect all the answers to come immediately, since in many cases the ramifications for IT at your company will only become clear over time.

Remember, though, that Sarbanes-Oxley processes are really the province of your CFO. It's that person's job to ensure that tight fiscal management policies are in place, whether they're supported by technology or by handwritten Post-it Notes. "In this situation, the CIO should not even attempt to take charge," says John Hagerty, vice president at AMR Research.

Ask Your CFO: