Trends: Sarbanes-Oxley - SEC Puts Pressure on CIOs
When one of the biggest corporate reform packages since the Great Depression was passed by Congress and signed into law by President George W. Bush in July (new rules forcing companies to cough up more timely, accurate and detailed accountings of their financial health), Novell Inc. scrambled to try to meet the requirements.
Bush signed the Sarbanes-Oxley package of reforms, named for its Senate sponsors, into law on July 30, just a day before the end of Novell's fiscal 2002 third quarter. That meant Novell, one of the first companies to have to file quarterly and year-end reports to the Securities and Exchange Commission under the new rules, would now have 10 fewer days in which to file quarterly reports and 30 fewer days to file its annual report, come November. (Later, the SEC agreed to phase in the tighter deadlines over time, giving Novell and other companies at least three or four more quarters to comply.)
But the new deadlines are just one of several hurdles for Novell. The law also created new SEC rules forcing top corporate executives to sign off, for the first time, on the integrity of their internal financial controls. "We had a really short, small window within which to react and put policies in place," says Novell General Counsel Joseph LaSala.
The new regulations are proving time-consuming and cumbersome to many corporate executives. And no wonder. Besides hiring lawyers to brief managers on the new rules, Novell also whipped up a new set of in-house procedures for assembling financial reports every quarter, which includes asking 30 corporate managers to sign statements vouching for the accuracy of Novell's reporting systems. Novell CIO Debra Anderson wasn't among those needed to sign off on the integrity of the company's reporting systems. But she says that's just a matter of time. "I definitely think the onus is on CIOs to a more heightened degree now to look at the validity of the infrastructure, and also identify opportunities for improvement."
Why the new scrutiny? Under the new law, CEOs and CFOs whose certifications "do not comport" with the stiffer accountability requirements of the new law will be fined $1 million or be sent off to prison for up to 10 years, or both. Further, anyone who "willfully certifies any statement...knowing that the periodic report accompanying the financial statement does not comport with the requirements set forth" will be fined up to $5 million or be sent off to prison for up to 20 years, or both.
Now for the hard part: Compliance with the new rules will mean that companies of all sizes may need to overhaul or upgrade their financial reporting networks and software in the coming months and years to meet the SEC's new demands for more accurate, detailed and speedier filings.
Stuart Robbins, founder and director of the CIO Collective, a network of senior IT executives, believes the legislation could trigger new IT spending in the next four to six months as companies begin to analyze the requirement for clear accountability, which includes setting up digital auditing trails, knowledge summaries and new archiving policies aimed at flagging financial irregularities as they occur. According to Gary Riske, partner in charge of KPMG's risk management practice in San Francisco, abiding by the new rules could be the single biggest spending item of the first quarter of 2003.
"This really shines a spotlight on the inadequacy of a lot of legacy systems out there," says Brian Kinman, a partner in strategic risk services at PricewaterhouseCoopers. "Can companies meet these new requirements with existing systems? Maybe. But these new reporting requirements tighten up the deadlines significantly, and now there's zero tolerance for error. This is going to put a lot of pressure on people to throw out a lot of the old and bring in the new, faster." Says SEC special counsel Mark Borges: "These changes are moving us closer to a real-time reporting system. It's likely to present challenges for many companies as they adjust to shorter reporting deadlines."