Comply With Me

By Gary Bolles

Technology: Sarbanes-Oxley


Step 1: Get Educated

The effects of the Sarbanes-Oxley Act of 2002 may ripple throughout your IT organization. Not a public company? You may still have to worry—and even if you don't, you need to learn more about compliance.

Decision-making processes in your company are no doubt a mishmash of manual and electronic steps. Determining who's responsible for which information and what decisions, and making sure the system contains checks and balances to guarantee that those decisions are justified, can be a hair-pulling exercise for the most straightforward tasks in business-process analysis.

But getting the process down cold is no longer simply an intellectual exercise. Driven by laws such as the Sarbanes-Oxley Act, your CEO and CFO are now personally responsible for ensuring the accuracy of processes like financial reporting. That means they'll be breathing down IT's neck to guarantee the company's information systems are helping accuracy, not hurting it.

IT is responding. According to a survey conducted in April by AMR Research Inc., about 85 percent of all public companies intend to change their IT systems as part of their efforts to comply with the law. And those companies are planning to spend $2.5 billion in 2003 alone on projects related to compliance.

Why the worry? Born out of post-Enron angst, the Sarbanes-Oxley Act, variously called SOA, SOX or Sarbox, defines a set of standards for tracking and reporting requirements intended to hold top executives' feet to the fire on corporate financial statements. CEOs and CFOs of publicly traded companies must attest to the accuracy of those statements, and anything that looks fishy may elicit sweat-inducing questions from the Securities and Exchange Commission—and, potentially, penalties ranging from personal fines to jail time.

What makes top executives and board members wake up in a cold sweat is worrying about the shakiness of the foundation of financial controls on which their companies sit. In a nutshell, Sarbanes-Oxley says public businesses have to vet every internal process that feeds into a financial statement. The challenge is "walking the dog" through all the information sources that roll up into those reports, especially where any kind of information technology is involved.

In small public companies with uncomplicated products or services, those processes may be relatively straightforward. In large multinational companies, however, financial reporting may have its roots deep in the supply chain, or be buried in a customer relationship management system, or managed differently, depending on your company's global locations and the kind of software each location uses. Those intricacies can make the financial reporting excavation process a complicated exercise at best—and at worst, a minefield fraught with potential financial explosions.

Public companies are the act's main targets, but that doesn't mean all private companies are immune. If your company could be acquired by another that's already public, the CFO of the new parent is responsible as soon as the first dollar flows through the combined entity. And that means substantial—and potentially deal-breaking—risk if the acquiree isn't already following deep financial discipline.

So how clear are the ramifications of Sarbanes-Oxley for most companies? "It's probably not very clear to the CIO yet," says Melinda Litherland, an audit partner at Deloitte & Touche. "It's probably very clear to the CFO."

Questions for Your CFO:

  • What are the major issues for our company on compliance with Sarbanes-Oxley?
  • Do we know if we have any internal processes that can potentially create risk for us?
  • How many of those processes are supported by software?

Step 2: Get Involved

You'll have to build a close relationship with your internal financial management group. But remember: It's not about you.

To any company with solid auditing processes, especially those that have implemented ISO 9000's quality management standards, the general requirements for complying with Sarbanes-Oxley are relatively straightforward.

Your CFO already has fairly good guidelines for financial discipline. The SEC has recommended a series of financial reporting standards defined by COSO, the Committee of Sponsoring Organizations of the Treadway Commission, developed in response to the savings-and-loan crisis of the late 1980s. Says Pamela Fredericks, senior security consultant with IT advisory Forsythe Solutions Group, "The IT side [of the house] probably is blissfully unaware of these things." But your CFO should be intimately familiar with the framework's requirements, since it's likely your company has been following at least some part of it for some time.

The devil is in the regulatory details, however, so it's critical to determine how Sarbanes-Oxley could affect your company specifically. Your CFO has to outline as clear a picture as possible of the internal processes that feed financial reports and determine how much the company has to clean up its act. Taking those steps will be toughest for smaller public companies, many of which don't have large finance departments and may lack robust internal audit processes. Only after this work is done, though, can the ramifications for IT be made clear.

Initial discussions on compliance can be far-reaching, drawing in executives from operations, finance, audit and legal. Don't be shy about asking to be involved in these meetings, because sooner or later they'll be generating requirements for IT. But don't expect all the answers to come immediately, since in many cases the ramifications for IT at your company will only become clear over time.

Remember, though, that Sarbanes-Oxley processes are really the province of your CFO. It's that person's job to ensure that tight fiscal management policies are in place, whether they're supported by technology or by handwritten Post-it Notes. "In this situation, the CIO should not even attempt to take charge," says John Hagerty, vice president at AMR Research.

Ask Your CFO:

  • What indications have our auditors given us about the impact on IT for companies like ours?

Tell IT Staff:
  • We need to become educated about the act's effects on IT.

Tell Your CFO:
  • I'd like to attend any training classes with you that might touch on the ramifications of Sarbanes-Oxley for IT.

Step 3: Avoid Garbage

What's the role of technology? Make sure the quality of the data going into reports means there's nothing inaccurate coming out.

The sleuthing game for IT involves figuring out where systems issues, such as the processes baked into customer relationship management and sales force automation, affect financial reporting. You must be able to document how the chain of financial reporting works and how your information systems support it. And you must have a clear idea of where that chain can break down, and be prepared to survive an audit of those processes in case something does break. The trick is knowing just how IT systems grease the flow of any potentially erroneous or inconsistent information—or even help create it.

Suppose a hypothetical widget manufacturer has a relatively loose process for recording orders and payments. While no fraud may be intended whatsoever, salespeople are allowed to book orders lacking absolute certainty that a sale will be completed.

Or suppose a software company allows revenues to be recognized before an application has been signed off as a released product. The result under Sarbanes-Oxley: Your company may be overstating revenue in one quarter that requires restatement the next. That was bad enough in the pre-Enron world, but it's tantamount to Russian roulette today.

Decision Tree

The SEC also has some strong ideas about the records you have to keep, and how long you must keep them. A potential problem in a report today may mean a long audit chain going back numerous quarters. There are many possible pieces of information that federal auditors will want to review, including relevant e-mail messages, such as communications between the CFO and the sales organization about actual bookings. Osterman Research Inc. points to the $8 million in fines that five Wall Street brokerage houses paid in December 2002—in part because they didn't maintain e-mail archives for SEC-mandated periods. The advice of some companies: Keep everything, because you still don't quite know what will be considered germane.

There's also the speed with which the SEC wants to be notified if "germane" events occur that could affect financial reports. For some issues, 15 business days are allowed to lapse before notification must be provided. For others, it's rumored that the SEC may get anxious after only two days.

Ask Your CFO:

  • Exactly what information do we have to report, and how quickly must we report it?

Ask Your IT Staff:
  • What are our current standards for how long we maintain different kinds of data?

Ask Your Outsourcers:
  • Could our batch systems affect our ability to get timely information our CFO might need?

Step 4: Get a Plan

Should you start throwing software at the problem? Not yet—though you may find Sarbanes-Oxley can kick-start some process discipline.

Some IT executives may find Sarbanes-Oxley can help create process discipline in the company that will ultimately lead to new technology initiatives, helping justify projects like that server consolidation you've been trying to fund. Having different versions of financial ERP software running around the company may create enough risk that those systems have to be merged. Just as with Y2K, that may open the door for projects that would allow your company to upgrade other processes. And some vendors are touting the act's rapid reporting requirements as an impetus to the development of the "real-time enterprise," friction-free business processes that allow information to roll up and decision-making processes to ripple down rapidly. You'll likely never reach such a lofty goal, but if the act makes your CXOs nervous enough, they'll start pushing IT to move in that direction.

Showcasing the software industry's never-ending ability to innovate, a variety of vendors are offering risk management applications designed to help automate processes that may make Sarbanes-Oxley reporting more efficient. These typically approach the challenge either by aggregating existing enterprise software into a portal that provides a one-stop site for compliance checking, or by focusing on business processes, streamlining steps that were formerly spread out through various applications.

Is a new application really necessary? Not for most companies, analysts say. "This is very much a pen-to-paper exercise right now," says AMR's Hagerty. "CFOs need to come up with a cogent approach before they start throwing technology at the problem." In fact, most of the Sarbanes-Oxley applications are still so new—and most companies' understanding of the broad ramifications of compliance is still so much in flux—that few CIOs are willing to stick their heads above the trenches to discuss their efforts yet.

But the clock is ticking. Larger public companies with fiscal years coinciding with the calendar year must be ready by December 2004. That may seem like a long time away. But because those requirements are still being updated, your CFO may find a new reason why IT has to scramble. Understand there are numerous gray areas, and that a variety of issues—and how to deal with them—may only be revealed in the coming months. Admits AMR's Hagerty: "Best practices don't exist at this point."

Ask Your IT Architect:

  • How can we weave compliance-related initiatives into our overall IT architecture?

Ask Risk Management Software Vendors:
  • How could your offerings help us eliminate risk—with some kind of guaranteed ROI?

Ask Your CFO:
  • How can we have the most efficient process for notifying IT of new compliance-related issues?

This article was originally published on 08-08-2003