Step 4: Get a Plan
Should you start throwing software at the problem? Not yet, though you may find Sarbanes-Oxley can kick-start some process discipline.
Some IT executives may find Sarbanes-Oxley can help create process discipline in the company that will ultimately lead to new technology initiatives, helping justify projects like that server consolidation you've been trying to fund. Having different versions of financial ERP software running around the company may create enough risk that those systems have to be merged. Just as with Y2K, that may open the door for projects that would allow your company to upgrade other processes. And some vendors are touting the act's rapid reporting requirements as an impetus to the development of the "real-time enterprise," friction-free business processes that allow information to roll up and decision-making processes to ripple down rapidly. You'll likely never reach such a lofty goal, but if the act makes your CXOs nervous enough, they'll start pushing IT to move in that direction.
Showcasing the software industry's never-ending ability to innovate, a variety of vendors are offering risk management applications designed to help automate processes that may make Sarbanes-Oxley reporting more efficient. These typically approach the challenge either by aggregating existing enterprise software into a portal that provides a one-stop site for compliance checking, or by focusing on business processes, streamlining steps that were formerly spread out through various applications.
Is a new application really necessary? Not for most companies, analysts say. "This is very much a pen-to-paper exercise right now," says AMR's Hagerty. "CFOs need to come up with a cogent approach before they start throwing technology at the problem." In fact, most of the Sarbanes-Oxley applications are still so new, and most companies' understanding of the broad ramifications of compliance is still so much in flux, that few CIOs are willing to stick their heads above the trenches to discuss their efforts yet.
But the clock is ticking. Larger public companies with fiscal years coinciding with the calendar year must be ready by December 2004. That may seem like a long time away. But because those requirements are still being updated, your CFO may find a new reason why IT has to scramble. Understand there are numerous gray areas, and that a variety of issues, and how to deal with them, may only be revealed in the coming months. Admits AMR's Hagerty: "Best practices don't exist at this point."
Ask Your IT Architect:
Ask Risk Management Software Vendors:
Ask Your CFO: