Trends: Sarbanes-Oxley - SEC Puts Pressure on CIOs
By Elizabeth Wasserman | Posted 12-13-2002
When one of the biggest corporate reform packages since the Great Depression was passed by Congress and signed into law by President George W. Bush in July (new rules forcing companies to cough up more timely, accurate and detailed accountings of their financial health), Novell Inc. scrambled to try to meet the requirements.
Bush signed the Sarbanes-Oxley package of reforms, named for its Senate sponsors, into law on July 30, just a day before the end of Novell's fiscal 2002 third quarter. That meant Novell, one of the first companies to have to file quarterly and year-end reports to the Securities and Exchange Commission under the new rules, would now have 10 fewer days in which to file quarterly reports and 30 fewer days to file its annual report, come November. (Later, the SEC agreed to phase in the tighter deadlines over time, giving Novell and other companies at least three or four more quarters to comply.)
But the new deadlines are just one of several hurdles for Novell. The law also created new SEC rules forcing top corporate executives to sign off, for the first time, on the integrity of their internal financial controls. "We had a really short, small window within which to react and put policies in place," says Novell General Counsel Joseph LaSala.
The new regulations are proving time-consuming and cumbersome to many corporate executives. And no wonder. Besides hiring lawyers to brief managers on the new rules, Novell also whipped up a new set of in-house procedures for assembling financial reports every quarter, which includes asking 30 corporate managers to sign statements vouching for the accuracy of Novell's reporting systems. Novell CIO Debra Anderson wasn't among those needed to sign off on the integrity of the company's reporting systems. But she says that's just a matter of time. "I definitely think the onus is on CIOs to a more heightened degree now to look at the validity of the infrastructure, and also identify opportunities for improvement."
Why the new scrutiny? Under the new law, CEOs and CFOs whose certifications "do not comport" with the stiffer accountability requirements of the new law will be fined $1 million or be sent off to prison for up to 10 years, or both. Further, anyone who "willfully certifies any statement...knowing that the periodic report accompanying the financial statement does not comport with the requirements set forth" will be fined up to $5 million or be sent off to prison for up to 20 years, or both.
Now for the hard part: Compliance with the new rules will mean that companies of all sizes may need to overhaul or upgrade their financial reporting networks and software in the coming months and years to meet the SEC's new demands for more accurate, detailed and speedier filings.
Stuart Robbins, founder and director of the CIO Collective, a network of senior IT executives, believes the legislation could trigger new IT spending in the next four to six months as companies begin to analyze the requirement for clear accountability, which includes setting up digital auditing trails, knowledge summaries and new archiving policies aimed at flagging financial irregularities as they occur. According to Gary Riske, partner in charge of KPMG's risk management practice in San Francisco, abiding by the new rules could be the single biggest spending item of the first quarter of 2003.
"This really shines a spotlight on the inadequacy of a lot of legacy systems out there," says Brian Kinman, a partner in strategic risk services at PricewaterhouseCoopers. "Can companies meet these new requirements with existing systems? Maybe. But these new reporting requirements tighten up the deadlines significantly, and now there's zero tolerance for error. This is going to put a lot of pressure on people to throw out a lot of the old and bring in the new, faster." Says SEC special counsel Mark Borges: "These changes are moving us closer to a real-time reporting system. It's likely to present challenges for many companies as they adjust to shorter reporting deadlines."
How much of a challenge? Aimed at enhancing the SEC's ability to root out and punish corporate fraud in the wake of the recent flood of scandals at Enron, WorldCom and others, the new rules will affect CIOs and IT departments in a number of ways. First, they reduce the time companies have to file their regular quarterly reports, from 45 to 35 days after the quarter ends, and shorten the deadline for annual reports from 90 to 60 days after the end of the fiscal year, a squeeze that will encourage the building of speedier systems at many companies. While companies are rushing to meet these deadlines now, the SEC says the new timetables will be phased in over a period of three years, with the new rules completely in effect by Dec. 15, 2005.
In addition, the CEO and the CFO will be required to verify the effectiveness of the financial controls they use to keep auditors up to date on daily figures, a request that will necessarily involve a detailed review of corporate information systems and how executives use them to keep tabs on corporate earnings and spending. As a result, some companies are taking it upon themselves to ask other executives, including the CIO, to vouch for the integrity of the company's systems. Already, says PwC's Kinman, CIOs are among those being asked by corporate counsel at some companies to "sub-certify" the company's ability "to quickly record, process, summarize and report financial data," to meet legal standards.
There's more. Another new SEC requirement that will have some bearing on IT departments asks that information about significant events that could affect a company's quarterly earnings must now be stated "in plain English" and be disclosed "on a rapid and current basis" (two days after the triggering event rather than five to 15 days). It's a provision that will, again, test the speed of a company's financial information systems and software. Further, the SEC is asking companies to report within 48 hours any trading in company stock by corporate officers. In the past, companies needed only to report such activity once a month.
All this might not seem like much for companies with cutting-edge technology and state-of-the-art financial information systems. Indeed, says Suresh Srinivasan, director of enterprise architecture at American Express Co.: "Big companies will be in compliance mode. It's just mining new data." But the additional requirements for certification of internal financial controls, together with the overall push for faster reporting times, will affect all companies and IT departments, experts say. "This is huge," says IBM financial services consultant Henry Schweppe. "This represents a sea change in how technology is going to have to support the organization." Adds John Burke, CFO of New World Business Ventures Group, a Manhattan-based business consulting firm: "The challenge going forward is going to be to get financial information to flow from the bottom to the top."
The idea behind the SEC's push for more detailed certification rules is a desire to establish a broad, digital paper trail proving that in-depth reviews of corporate ledgers are being conducted continuously by the people responsible for keeping the books open and honest. The goal: to protect investors by holding executives' feet to the fire over the veracity of each and every report. Alan Beller, the director of the SEC's corporate finance division, told reporters during a Nov. 8 press conference that a "substantial majority" of Fortune 500 companies' financial statements reviewed by the agency during the past year have raised questions warranting further investigation. "I don't think anybody, given the current environment, is feeling like these steps are not necessary," says the SEC's Borges.
While many companies "are just starting to figure out what hit them," says IBM's Schweppe, many others, even some companies that have overhauled their financial reporting systems in recent years, are pressing ahead with new spending for upgrades to respond to the new requirements. Novell's Anderson, for one, says her company is going to "rethink this as a chance to have more real-time reporting systems in place," such as a more extensive set of digital dashboards.
Allstate Corp., the nation's largest publicly held personal insurer, began to overhaul its financial reporting process a few years ago by collecting data from "more than a handful" of different legacy systems that track data from the company's various administrative and claims processes with an enterprise resource planning system from SAP.
After Bush signed the reforms into law, the company decided it needed more. So it set about retooling its financial reporting system so that it could meet the new deadlines. Moreover, it started compiling company performance and operational metrics into real-time electronic "scorecards," to meet new rules calling for companies to write a special report in their year-end filings that describes the extent and quality of their internal auditing controls, and the effectiveness of the information systems they use to keep the top brass up to date on the numbers. "It not only requires the use of technology but it requires your leadership team to understand how the data is processed through it, and what changes are being made to it so we can say that this truly represents our financial position at a certain point in time," says Kathleen Swain, Allstate's assistant vice president of enterprise financial solutions. Longer-term, Swain says, the new regulations may add to the "business case" being made by IT officials inside the company for more IT spending.
At Richardson, Tex.-based Fossil Inc., it's a similar story. According to Randy Kercho, Fossil's executive vice president, the fashion watch company is in the process of implementing various business intelligence applications from Cognos, some in response to the new deadlines. In addition, the company is moving forward with new Web-based applications and a new enterprise system from SAP. "These systems, implemented or in the process of implementation by our IT department, will help us have the tools we need to better analyze our financial results, in addition to reducing the time it takes to obtain financial and operational data," Kercho says.
The company is also asking 18 people to sign off on the integrity of the numbers and financial reporting systems used to obtain them, including the country managers and top financial officers of each of Fossil's eight foreign subsidiaries. "We then also obtain a verbal affirmation from our division presidents, legal and operations group," Kercho says, "and we're considering obtaining a sign-off from our CIO. It would certainly be an additional measure of comfort if the CIO would verify that no known breaches of the system have been identified and that no breakdowns of controls were identified or changed during the quarter."
Even before the new rules were put in place, collating the information needed for quarterly reports, for some companies, was a huge task involving business units that might be spread across the globe. Fossil's Kercho, for one, says the need to assimilate information from disparate systems around the world "is really where a lot of the time comes in" that's needed to meet filing deadlines. Adds Sandra Kinsey, partner at Hogan & Hartson and former SEC senior counsel from 1990 to 2000: "Getting these financial reports filed earlier is going to be challenging for companies, especially big multinationals with diverse operations spread over different countries. But it will be hardest on small public companies that don't necessarily have the teams of in-house compliance people in place."
Ahead of the Game
How many companies can already meet the new deadlines? Not many, says Scott Parker, managing director of Parson Consulting, a London-based consulting firm with clients in the U.S. and U.K. affected by the new law. According to a recent Parson survey of executives at almost all 500 companies in the S&P 500, only 11 percent now file quarterly reports within 35 days, the new deadline. The average for healthcare and pharmaceuticals is 42.5 days; finance and insurance, 43.1 days; consumer products, 40.4 days; chemicals, energy and utilities, 42.7 days; and services, 40.2 days. Industrial and defense firms, meanwhile, average 39.5 days, according to the survey.
Former SEC commissioner Steven Wallman, a staunch advocate of digital systems during his 1994-97 term, cautions CIOs against underestimating the impact of the new laws on company IT systems. "This will be more costly than people think because it's not just the IT equipment but the software, training, upgrades and people that will be needed to put in the new real-time information systems the SEC is seeking," he says. "And then there will need to be people and systems set up that are able to check it all to make sure that there is better and faster reporting of the numbers. Hopefully, CIOs can rise to the occasion."
Technology researcher IDC is forecasting that financial and business performance management software, combined with strategic planning and financial consolidation software, is expected to be a $1 billion market in 2002, jumping to more than $1.5 billion by 2006, thanks, in part, to the new regulations.
Indeed, some vendors are already coming forward with new offerings aimed at helping firms meet the challenge. New York City-based start-up eRestrictedStock Inc., for example, is offering companies Web-driven software that can help them file insider trading reports within the SEC's new two-day deadline. BoardVantage Inc., of Berkeley, Calif., meanwhile, is pushing messaging system and collaboration software for use by members of boards of directors so they can better oversee the companies they govern rather than simply show up at meetings and play golf. "What we find is that creative accounting is usually accompanied by 100 to 200 catch phrases, like 'change in accounting,' or 'uncollectible loans,'" says A.K. Pradeep, founder and CEO of BoardVantage. "Now, [with our software,] if you are thumbing through 500 pages of an M&A proposal, imagine you have a little angel that tells you that on page four in line 25 there is a certain phrase you want to pay attention to." In Pradeep's view, "the boardroom is almost the last bastion where the light of technology has not really crept in."
Indeed, the long-term lesson of the recent financial scandals is that IT executives may need to be more strategic about their company's financial information, focusing not just on systems management but on the way business information of all types is managed, from gathering to distribution, especially as the sheer volume of information now stored digitally grows by leaps and bounds. "CIOs and IT directors are the first responders on the front lines of electronic document and information management," says Michele Lange, a staff attorney with the global risk consulting company Kroll Inc. "The lawyers understand the law. But the president and CEO don't understand how their electronic document policies or servers work. That's not their job. That's the purview of IT directors."
Bottom line: Now, perhaps as much as CFOs, IT is on the hot seat to make sure the changes happen well, and quickly. Says Jonathan Low, senior fellow at the Cap Gemini Ernst & Young Center for Business Innovation: "The CEO and CFO now have a lot riding on whether the company's financial information is good or not, and whether it can be reported with enough detail and speed to meet the new regulations." The message: It's time to stop sweating the small stuff. Advises Forrester Research Inc. Senior Analyst Jim Walker: "Stop worrying about a particular implementation of some server installation or whether you're going to go to XP versus Windows 2000. These new financial reporting rules should be your highest priority right now. Why? Because this is directly important to shareholder value."
Elizabeth Wasserman is a Washington, D.C.-based writer. Formerly, she was the Washington Bureau Chief for The Industry Standard. CIO Insight Copy Chief Debra D'Agostino also contributed to this article.
Rules of the Game
Last summer's passage of the Sarbanes-Oxley Act means that many of the rules for quarterly and annual reporting to the SEC have changed.
Resources: Web Sites
In-depth information on the Sarbanes-Oxley bill and new SEC rules
The Sarbanes-Oxley bill
A summary of the new Act from the American Institute of Certified Accountants
The House of Representatives' conference committee report on the new Act
The new SEC rules