CIO and Chief People Officer
CIO Insight: Did you face resistance to your Sarbanes efforts?
Hofmann: We have grown through acquisitions. Often, separate operations were brought in under a new umbrella, and it was not at all unusual or even bad that each of those units would have their own processes. But given that we have to comply with Sarbanes-Oxley, we have a real driver to establish consistency around the world. And it's a much more powerful driver than, "Gee, it would be nice . . ." It's required. So those turf battles tend to become less important. Even so, if you tell people you have to do this because the law says you have to do it, then you're never going to get a passionate commitment. If you explain what the benefits are, to the company and to them as an individual, you will always get greater buy-in. And what you're explaining to people is that you are eliminating inefficiencies, reducing risk, increasing communications: all things that are really positive. And all of the activities my team undertakes are done with representation from the business units.
Was there an impact on your budget?
You better believe there was an impact. A big hit for us is the money we now have to pay for audit fee increases. Because we don't have an internal audit function, we also have to incur third-party fees to condense the expense before the auditors come in. For us in IT, I've had to do extensive portfolio management and address my service levels. I have another partner now, a very demanding one, called SOX.
Any surprise benefits from your compliance initiatives?
I would say Sarbanes-Oxley has strengthened the relationship between finance and IT. Finance and IT are often not the groups that get a lot of holiday cards to begin with, but we are equally part of the company infrastructure, so we share accountability. I definitely look to our CFO Mike Casey for the leadership in this, but it's more of a partnership because I have responsibility for the information assets in the company. It's not just about money anymore. I was our CFO's biggest spender, and now I am also his strongest advocate for controls. Of course, they don't ask the CIO to sign the certification, and that's pretty important.
Are you required to do any kind of sub-certification?
Yes. All the senior executives have a Sarbanes certification where we attest to our CEO our level of awareness. Before I sign, I share my information with all my direct reports to make sure they know I am getting ready to sign, and I ask them to share with me anything I might not yet be aware of. Sarbanes-Oxley has less to do with accounting and more to do with ethics.
So you're involved at the strategic level.
If the CIO is not part of the strategic planning within the company, chances are Sarbanes-Oxley means nothing more to your company than two senators. It's very important to establish a vision of where you want your company to be, to understand the links between the business strategies you have and the requirements dictated under Sarbanes. If you aren't involved in the strategic planning, get involved, because this is about the information, and that's a CIO's job every day.