Web Extra: Sarbox Puts CIOs “On the End of the Spear”

For CIO Insight’s May 2004 issue, reporter Debra D’Agostino spoke to
Bob Tillman, director of public affairs for the Association of Records Managers
and Administrators (ARMA International). What follows is an edited transcript
of her interview in which Tillman discusses the deliberate ambiguity of the
Sarbanes-Oxley Act, predicts aggressive enforcement by the Securities and Exchange
Commission and explains why, even though the act doesn’t mention CIOs, they’ve
been thrust to the front lines of Sarbanes compliance efforts.

CIO Insight: How will Sarbanes-Oxley change the way companies do business?

Tillman: If you want to understand Sarbanes-Oxley, go back to the Securities
and Exchange Act of 1934. Markets were melting down, people didn’t trust Wall
Street or their banks. To restore order and confidence, they came out with the
most sweeping legislation that Wall Street had ever seen. Sarbanes-Oxley is
volume two of the Securities and Exchange Act. It’s a shot across the bow to
tell CEOs and CFOs that, yes, we will send you to prison and, yes, we will fine
the heck out of you if we catch you doing something illegal. It’s penance paid
by the corporations because of certain CEOs using their corporations as personal
piggy banks. The problem with Sarbanes is the way they wrote the law. In terms
of records management, what’s a record? A record is anything a litigator or
the federal government says it is. The SEC is not going to be so stupid as to
push themselves into a box and say, “You will do A, B and C.” They say you will
do certain things, such as an internal controls scenario. You will have the
CFO sign off on the quarterly statement. You will have to restate your earnings
if they are found to be not correct, things like that. Then they kind of leave
it to you and your lawyers to interpret. Sarbanes-Oxley says you will do these
things. It doesn’t say how you will do these things.

You’re saying the Senate purposely left the law vague?

Well, you’ve got to remember, the law was written by lawyers. That’s our federal
government at work.

Are companies casting too wide a net in order to make sure they’re compliant?

Personally, I think companies are investing in Sarbanes solutions because they
know they have to. Better to spend $4 million to show we’re at least trying
to make these things happen than to say, no, we’re not going to spend any money
at all. The reality is, what is compliance? I don’t think anybody’s compliant.
I think at heart most companies are good companies, and I think that’s why so
many executives resent what’s going on because, in essence, they’re being told
they now have to prove they’re good guys. Before, it was just assumed.

Where does the CIO fit in all of this?

Nowhere in Sarbanes-Oxley does it say anything about a chief information officer.
It spells out the CEO and the CFO, but nowhere does it say the CIO is responsible.
Right now, however, it seems everybody who talks about compliance is talking
about technology. Whether they’re named or not, CIOs are the people who are
going to be required to implement this inside the corporation. The CFO is going
to tell the CIO to do it, and the CIO had better figure out a way to do it,
and do it right.

So the CIO is on the hook as well, albeit indirectly.

Yes. It’s almost like the CIO is in a footrace with reality. As soon as he
or she solves one problem, a new problem crops up and creates a whole new group
of associated dilemmas. That’s got to be in some respects the most thankless
job inside the corporation, because they’re always on the end of the spear.

Meanwhile, no one knows how any of this will be enforced.

Exactly. The question remains, after we spend billions of dollars on Sarbanes-Oxley:
Is it smoke and mirrors? Is it like in Casablanca: “I’m shocked, shocked that
gambling is going on here…. Oh, here are your winnings, sir.” Will it truly
be enforced or will people get a little slap on the wrist? Quite frankly, I
think the enforcement aspect for the first five years is going to be very aggressive.
If you look at the enforcement of federal regulations, they like to get somebody

Now that the SEC has pushed back the deadline, do you think companies will
feel more prepared?

The funny thing about that, the deadline is right after the presidential election.
November 2 is Election Day; the Sarbanes deadline is November 15. I think the
bottom line is you’ve got to do the right thing. If the right thing isn’t pretty,
you’ve got to accept it. Of course, that’s easy to say, but difficult for the
CEO of a publicly owned corporation to stand up and say, “Gee whiz, guys, we
lost several tens of millions of dollars this year.”

CIO Insight Staff