Technology: Sarbanes-OxleyBy Gary Bolles
Comply With Me
Step 1: Get Educated
The effects of the Sarbanes-Oxley Act of 2002 may ripple throughout your IT organization. Not a public company? You may still have to worryand even if you don't, you need to learn more about compliance.
Decision-making processes in your company are no doubt a mishmash of manual and electronic steps. Determining who's responsible for which information and what decisions, and making sure the system contains checks and balances to guarantee that those decisions are justified, can be a hair-pulling exercise for the most straightforward tasks in business-process analysis.
But getting the process down cold is no longer simply an intellectual exercise. Driven by laws such as the Sarbanes-Oxley Act, your CEO and CFO are now personally responsible for ensuring the accuracy of processes like financial reporting. That means they'll be breathing down IT's neck to guarantee the company's information systems are helping accuracy, not hurting it.
IT is responding. According to a survey conducted in April by AMR Research Inc., about 85 percent of all public companies intend to change their IT systems as part of their efforts to comply with the law. And those companies are planning to spend $2.5 billion in 2003 alone on projects related to compliance.
Why the worry? Born out of post-Enron angst, the Sarbanes-Oxley Act, variously called SOA, SOX or Sarbox, defines a set of standards for tracking and reporting requirements intended to hold top executives' feet to the fire on corporate financial statements. CEOs and CFOs of publicly traded companies must attest to the accuracy of those statements, and anything that looks fishy may elicit sweat-inducing questions from the Securities and Exchange Commissionand, potentially, penalties ranging from personal fines to jail time.
What makes top executives and board members wake up in a cold sweat is worrying about the shakiness of the foundation of financial controls on which their companies sit. In a nutshell, Sarbanes-Oxley says public businesses have to vet every internal process that feeds into a financial statement. The challenge is "walking the dog" through all the information sources that roll up into those reports, especially where any kind of information technology is involved.
In small public companies with uncomplicated products or services, those processes may be relatively straightforward. In large multinational companies, however, financial reporting may have its roots deep in the supply chain, or be buried in a customer relationship management system, or managed differently, depending on your company's global locations and the kind of software each location uses. Those intricacies can make the financial reporting excavation process a complicated exercise at bestand at worst, a minefield fraught with potential financial explosions.
Public companies are the act's main targets, but that doesn't mean all private companies are immune. If your company could be acquired by another that's already public, the CFO of the new parent is responsible as soon as the first dollar flows through the combined entity. And that means substantialand potentially deal-breakingrisk if the acquiree isn't already following deep financial discipline.
So how clear are the ramifications of Sarbanes-Oxley for most companies? "It's probably not very clear to the CIO yet," says Melinda Litherland, an audit partner at Deloitte & Touche. "It's probably very clear to the CFO."
Questions for Your CFO:
Step 2: Get Involved
You'll have to build a close relationship with your internal financial
management group. But remember: It's not about you.
To any company with solid auditing processes, especially those that have implemented ISO 9000's quality management standards, the general requirements for complying with Sarbanes-Oxley are relatively straightforward.
Your CFO already has fairly good guidelines for financial discipline. The SEC has recommended a series of financial reporting standards defined by COSO, the Committee of Sponsoring Organizations of the Treadway Commission, developed in response to the savings-and-loan crisis of the late 1980s. Says Pamela Fredericks, senior security consultant with IT advisory Forsythe Solutions Group, "The IT side [of the house] probably is blissfully unaware of these things." But your CFO should be intimately familiar with its requirements, since it's likely your company has been following at least some part of the framework for some time.
The devil is in the regulatory details, however, so it's critical to determine how Sarbanes-Oxley could affect your company specifically. Your CFO has to outline as clear a picture as possible of the internal processes that feed financial reports and determine how much the company has to clean up its act. Taking those steps will be toughest for smaller public companies, many of which don't have large finance departments and may lack robust internal audit processes. Only after this work is done, though, can the ramifications for IT be made clear.
Initial discussions on compliance can be far-reaching, drawing in executives from operations, finance, audit and legal. Don't be shy about asking to be involved in these meetings, because sooner or later they'll be generating requirements for IT. But don't expect all the answers to come immediately, since in many cases the ramifications for IT at your company will only become clear over time.
Remember, though, that Sarbanes-Oxley processes are really the province of your CFO. It's that person's job to ensure that tight fiscal management policies are in place, whether they're supported by technology or by handwritten Post-it Notes. "In this situation, the CIO should not even attempt to take charge," says John Hagerty, vice president at AMR Research.
Ask Your CFO:
Tell IT Staff:
Tell Your CFO:
The sleuthing game for IT involves figuring out where systems issues, such as the processes baked into customer relationship management and sales force automation, affect financial reporting. You must be able to document how the chain of financial reporting works and how your information systems support it. And you must have a clear idea of where that chain can break down, and be prepared to survive an audit of those processes in case something does break.The trick is knowing just how IT systems grease the flow of any potentially erroneous or inconsistent informationor even help create it.
Step 3: Avoid Garbage
What's the role of technology? Make sure the quality of the data going into reports means there's nothing inaccurate coming out.
Suppose a hypothetical widget manufacturer has a relatively loose process for recording orders and payments. While no fraud may be intended whatsoever, salespeople are allowed to book orders lacking absolute certainty that a sale will be completed.
Or suppose a software company allows revenues to be recognized before an application was signed off as a released product. The result under Sarbanes-Oxley: Your company may be overstating revenue in one quarter that requires restatement the next. That was bad enough in the pre-Enron world, but it's tantamount to Russian roulette today.
There's also the speed with which the SEC wants to be notified if "germane" events occur that could affect financial reports. For some issues, 15 business days are allowed to lapse before notification must be provided. For others, it's rumored that the SEC may get anxious after only two days.
Ask Your CFFO:
Ask Your IT Staff:
Ask Your Outsourcers:
Get a Plan
Step 4: Get a Plan
Should you start throwing software at the problem? Not yetthough you may find Sarbanes-Oxley can kick-start some process discipline.
Some IT executives may find Sarbanes-Oxley can help create process discipline in the company that will ultimately lead to new technology initiatives, helping justify projects like that server consolidation you've been trying to fund. Having different versions of financial ERP software running around the company may create enough risk that those systems have to be merged. Just as with Y2K, that may open the door for projects that would allow your company to upgrade other processes. And some vendors are touting the act's rapid reporting requirements as an impetus to the development of the "real-time enterprise," friction-free business processes that allow information to roll up and decision-making processes to ripple down rapidly. You'll likely never reach such a lofty goal, but if the act makes your CXOs nervous enough, they'll start pushing IT to move in that direction.
Showcasing the software industry's never-ending ability to innovate, a variety of vendors are offering risk management applications designed to help automate processes that may make Sarbanes-Oxley reporting more efficient. These typically approach the challenge either by aggregating existing enterprise software into a portal that provides a one-stop site for compliance checking, or by focusing on business processes, streamlining steps that were formerly spread out through various applications.
Is a new application really necessary? Not for most companies, analysts say. "This is very much a pen-to-paper exercise right now," says AMR's Hagerty. "CFOs need to come up with a cogent approach before they start throwing technology at the problem." In fact, most of the Sarbanes-Oxley applications are still so newand most companies' understanding of the broad ramifications of compliance is still so much in fluxthat few CIOs are willing to stick their heads above the trenches to discuss their efforts yet.
But the clock is ticking. Larger public companies with fiscal years coinciding with the calendar year must be ready by December 2004. That may seem like a long time away. But because those requirements are still being updated, your CFO may find a new reason why IT has to scramble. Understand there are numerous gray areas, and that a variety of issuesand how to deal with themmay only be revealed in the coming months. Admits AMR's Hagerty: "Best practices don't exist at this point."
Ask Your IT Architect:
Ask Risk Management Software Vendors:
Ask Your CFO:
Complying With SARBANES-OXLEY