Trends: Sarbanes-Oxley - SEC Puts Pressure on CIOs - ' Faster, Faster '

Faster, Faster

How much of a challenge? Aimed at enhancing the SEC's ability to root out and punish corporate fraud in the wake of the recent flood of scandals at Enron, WorldCom and others, the new rules will affect CIOs and IT departments in a number of ways. First, they reduce the time companies have to file their regular quarterly reports, from 45 to 35 days after the quarter ends, and shortens the deadline for annual reports from 90 to 60 days after the end of the fiscal year—a squeeze that will encourage the building of speedier systems at many companies. While companies are rushing to meet these deadlines now, the SEC says the new timetables will be phased in over a period of three years, with the new rules completely in effect by Dec. 15, 2005.

In addition, the CEO and the CFO will be required to verify the effectiveness of the financial controls they use to keep auditors up to date on daily figures, a request that will necessarily involve a detailed review of corporate information systems and how executives use them to keep tabs on corporate earnings and spending. As a result, some companies are taking it upon themselves to ask other executives—including the CIO—to vouch for the integrity of the company's systems. Already, says PwC's Kinman, CIOs are among those being asked by corporate counsel at some companies to "sub-certify" the company's ability "to quickly record, process, summarize and report financial data," to meet legal standards.

There's more. Another new SEC requirement that will have some bearing on IT departments asks that information about significant events that could affect a company's quarterly earnings must now be stated "in plain English" and be disclosed "on a rapid and current basis"—two days after the triggering event rather than five to 15 days. It's a provision that will, again, test the speed of a company's financial information systems and software. Further, the SEC is asking companies to report within 48 hours any trading in company stock by corporate officers. In the past, companies needed only to report such activity once a month.

All this might not seem like much for companies with cutting-edge technology and state-of-the-art financial information systems. Indeed, says Suresh Srinivasan, director of enterprise architecture at American Express Co.: "Big companies will be in compliance mode. It's just mining new data." But the additional requirements for certification of internal financial controls, together with the overall push for faster reporting times, will affect all companies and IT departments, experts say. "This is huge," says IBM financial services consultant Henry Schweppe. "This represents a sea change in how technology is going to have to support the organization." Adds John Burke, CFO of New World Business Ventures Group, a Manhattan-based business consulting firm: "The challenge going forward is going to be to get financial information to flow from the bottom to the top."

The idea behind the SEC's push for more detailed certification rules is a desire to establish a broad, digital paper trail proving that in-depth reviews of corporate ledgers are being conducted continuously by the people responsible for keeping the books open and honest. The goal: to protect investors by holding executives' feet to the fire over the veracity of each and every report. Alan Beller, the director of the SEC's corporate finance division, told reporters during a Nov. 8 press conference that a "substantial majority" of Fortune 500 companies' financial statements reviewed by the agency during the past year have raised questions warranting further investigation. "I don't think anybody, given the current environment, is feeling like these steps are not necessary," says the SEC's Borges.