Perspectives: Early Adopters
By CIOinsight | Posted 05-01-2004
Even now, no one knows exactly how the Sarbanes-Oxley Act of 2002 will be enforced, or the precise criteria the SEC will use to justify and launch investigations. What we do know is that the speed with which the act became law surprised many executives, several of whom had to reset fiscal budgets, reshuffle projects and renegotiate service-level agreements in an effort to meet shifting compliance deadlines. With so much in flux, it seemed wise to talk to some executives who got a jump on their own compliance efforts and learn from their experience. Some key lessons: how Sarbanes reveals who your best managers are; how modeling tools can play an enormous role in helping companies record (and in some cases optimize) their business processes; how e-learning saves time and money on education; and, most profoundly, how CIOs and IT directors are using Sarbanes to achieve not only compliance, but also alignment.
Oscar De Jongh
Managing Director, Corporate Program Management Office
E.W. Scripps Co.
CIO Insight: How much of a pain has Sarbanes been so far?
De Jongh: It has definitely been a disruption for us. Last September, everyone was putting together their budgets for 2004, and they all had a series of projects and things they wanted to accomplish. I wouldn't say we were caught off guard, but clearly it was not taken into consideration as we were planning for 2004. We have had to divert a lot of resources.
What were your first steps?
We started off with an overarching list of critical systems, and that's what we assessed, so we took everything from servers, file servers, desktop printers; we had a pretty extensive list of about 80 systems. We were recently told that the list is actually shorter, due to the fact that the external auditing firms don't have the manpower to go out and actually audit everything. But you have to look at things from two directions: from inside the accounting department out, and from outside in. We are a distributed environment, and there are other systems in other locations that are used to generate forecasts and such. So you really have to get a handle on what systems you have, what's out of compliance, and how significant those systems are for 404 compliance and so forth.
We have a self-assessment system that our business-information group is building for the entire enterprise. It tells us by division, by business unit, by system and by some other data points we collect whether we are in compliance. The first round of self-assessment was a series of Excel spreadsheets we developed that provided a standard data-gathering format so we could aggregate all the information from the business units, and get a good snapshot of where we stood before we started to remediate. Then we uploaded that data into a Web-based application so the business units didn't have to re-key all their information. All they had to do was review it, make changes and certify the data. To indicate compliance, we use yes/no, as well as numerical scoring, so if a system is in compliance, it's a 10. If we have a project that's almost finished, or we have a disaster-recovery plan in draft form, but a significant amount of the work is completed, it's an 8. It's a zero if no work has been accomplished.
We look at every control that we are not compliant with, regardless of the platform or product it's related to, and we average it out for all the systems. Then we look at them at an enterprise level and determine which ones have significant costs and level of effort to get them in place. The next piece is to prioritize and put together a rough order of magnitude cost related to each system. So, for example, if we have a system that's worth $200,000, and it's going to cost $500,000 to make it compliant, that's notable. This allows us to make intelligent business decisions about technology.
Any unexpected benefits?
When we first started doing this, there were some people who kicked and screamed. It was really interesting to see, when the self-assessments were done, that those who screamed the loudest had the worst results. Those who didn't scream had their departments pretty well under control.
So the self-assessments help you identify your best managers?
Absolutely. That is more evident now than it's ever been.
Vice President, Business Transformation and Customer Value
Xcel Energy Inc.
CIO Insight: Where did you begin?
Carlson: Before Sarbanes came onto our radar screen, in January 2003, we centralized our IT shop from six autonomous groups into one corporatewide IT-services group. When we got into the SOX details last fall, it was evident that consolidation was going to make compliance cheaper and easier. If we had those IT groups running their best-of-breed apps, you can imagine the amount of IT control complexity that would have had to be built. We weren't clairvoyant, but because we have a centralized model, we have been able to avoid some of the complexity and some of the risk.
But not all companies have a centralized IT department.
Yes, and there's justification for a more decentralized model when you have enough disparate business objectives. But I'd say that if a centralized IT model can support your business needs, you're much better off going that way.
How has the Act affected your budgets?
Well, it's definitely going to impact our portfolio. When we kicked off the compliance effort last November, it involved a group of about 20 people from finance and IT. But at our meeting in March, there were more than 100 people involved.
Do employees understand the importance of compliance?
I would say no, actually, not to the level that they need to. So we have an aggressive communication and training program attached to this. Though it's not a requirement under the act, we are rolling out a series of nine e-learning courses that are aligned with our ethics and code of conduct. Every employee will go through at least one, depending on his or her job. My IT group, for example, will get a much different training session than, say, our accounting group will. That rollout is a recognition process that's combined with a corporate communications program that includes a semi-monthly newsletter, monthly corporate briefings and an intranet site. In fact, if you walk through any of our buildings right now, in every elevator and at every employee entrance you'll see something about Sarbanes-Oxley.
That's a major investment in communication.
When we started breaking all of this down, we realized that compliance goes all the way to the front lines of our company. We have 11,000 employees, and our revenue is made up primarily of monthly meter reads. That can mean anything from a computer collecting that data to a person physically checking it and writing it down. One way or another, everyone has a role in compliance.
Executive Vice President, Strategic Planning and CIO
CKE Restaurants Inc.
CIO Insight: How did you form your Sarbanes strategy?
Chasney: Let me go back a little bit. With Y2K, the vast majority of companies reacted out of panic. After all was said and done, it became apparent how high the level of spending was, and people began trying to justify the expense. I see the same thing happening with Sarbanes-Oxley. Who are the most risk-averse people in your company? The financial folks. If you want something out of your CFO, all you have to do is tell him you're at risk, and you've got it. Combined with the fact that CEOs and CFOs can now be sent to jail, they want to do whatever it takes, at whatever the cost, to protect themselves. It's that fear, uncertainty and doubt that's driving a lot of the expenditures. I think they are all wrong. Our budget is $500,000, and we have not allowed any of the scope to expand beyond compliance.
That figure seems low.
And I think that figure is excessive. My job is to make sure that we temper our actions and not try to go overboard and control how many paper clips are going out to departments. We're not doing that. I want to make sure our company has the best controls in place, but I don't need to spend a bunch of money on tools that aren't necessary. There are a number of people who are doing that today. They are using it as an opportunity to fund their other agendas.
Let's say I want to put in some neat knowledge management system that can cross-reference and categorize and build a table of contents of virtually everything, but I haven't been able to get it justified because it's very expensive; it would cost millions. Sarbanes-Oxley now offers me an opportunity to work the fear factor and get the green light. But that's not what's best for the company. Indeed, when I take a look at the act and the requirements that we are under, I would suggest that all of them can be done without touching a single computer.
So where are you spending your Sarbanes dollars?
The spending has been in two dominant categories: business continuity, and consultants assisting us with modeling. The majority of the money we have spent has been to get everything mapped out and documented, and in making sure the controls work. We don't have a compliance department or a compliance officer; our internal audit department is handling that.
Have you had to shift any projects around?
We have not stopped any other projects in the company. That's not to say that nothing has been shifted, because to say that, one would have to assume we have resources like the Maytag repairman sitting around waiting for work, which is not the case. The constraining resource is not the dollars; it's people. You must have expertise available.
In terms of what's most difficult to do, it's creating your process models. We have done a lot of modeling here, and the challenge is always trying to extract information from people to find out what's really happening. It's painstaking and resource intensive. But those who understand how to do model analysis will reap rewards off the back side of Sarbanes-Oxley; someone can now take all of those models and look for ways to optimize. That is a huge opportunity.
CIO and Chief People Officer
CIO Insight: Did you face resistance to your Sarbanes efforts?
Hofmann: We have grown through acquisitions. Often, separate operations were brought in under a new umbrella, and it was not at all unusual or even bad that each of those units would have their own processes. But given that we have to comply with Sarbanes-Oxley, we have a real driver to establish consistency around the world. And it's a much more powerful driver than, "Gee, it would be nice . . ." It's required. So those turf battles tend to become less important. Even so, if you tell people you have to do this because the law says you have to do it, then you're never going to get a passionate commitment. If you explain what the benefits are, to the company and to them as an individual, you will always get greater buy-in. And what you're explaining to people is that you are eliminating inefficiencies, reducing risk, increasing communications, all things that are really positive. And all of the activities my team undertakes are done with representation from the business units.
Was there an impact on your budget?
You better believe there was an impact. A big hit for us is the money we now have to pay for audit fee increases. Because we don't have an internal audit function, we also have to incur third-party fees to condense the expense before the auditors come in. For us in IT, I've had to do extensive portfolio management and address my service levels. I have another partner now, a very demanding one, called SOX.
Any surprise benefits from your compliance initiatives?
I would say Sarbanes-Oxley has strengthened the relationship between finance and IT. Finance and IT are often not the groups that get a lot of holiday cards to begin with, but we are equally part of the company infrastructure, so we share accountability. I definitely look to our CFO Mike Casey for the leadership in this, but it's more of a partnership because I have responsibility for the information assets in the company. It's not just about money anymore. I was our CFO's biggest spender, and now I am also his strongest advocate for controls. Of course, they don't ask the CIO to sign the certification, and that's pretty important.
Are you required to do any kind of sub-certification?
Yes. All the senior executives have a Sarbanes certification where we attest to our CEO our level of awareness. Before I sign, I share my information with all my direct reports to make sure they know I am getting ready to sign, and I ask them to share with me anything I might not yet be aware of. Sarbanes-Oxley has less to do with accounting and more to do with ethics.
So you're involved at the strategic level.
If the CIO is not part of the strategic planning within the company, chances are Sarbanes-Oxley means nothing more to your company than two senators. It's very important to establish a vision of where you want your company to be, to understand the links between the business strategies you have and the requirements dictated under Sarbanes. If you aren't involved in the strategic planning, get involved, because this is about the information, and that's a CIO's job every day.