Sarbanes-Oxley: A gift from the government?
- By Adrian J. Bowles
- January 1, 2004
According to the Cato Institute, more than 4,000 new final rules are approved
by agencies of the U.S. Federal Government every year. Some, like the USA
Patriot Act, generate lots of publicity because they impact personal privacy and
are linked to national security issues. Others, like the Health Insurance
Portability and Accountability Act (HIPAA) are noticeable because virtually
every consumer of medical and insurance services now has to fill out more
paperwork. In terms of impact and opportunity for IT, however, none of these
compare to the innocuous-sounding Sarbanes-Oxley Act (SOX) of 2002. SOX imposes
new constraints on all public firms operating in the U.S., and indirectly
impacts many larger private firms that will have to comply to become serious
merger/acquisition candidates or to partner with public firms.
Officially described as "An act to protect investors by improving the
accuracy and reliability of corporate disclosures made pursuant to the
securities laws, and for other purposes," SOX might have been called the full
employment act for U.S. accountants and attorneys. With stringent requirements
for improved visibility into business processes and financial disclosure, it
demands rigor of process to an unprecedented degree. The framework of the
Committee of Sponsoring Organizations of the Treadway Commission (COSO,
www.coso.org), which provides the basis for auditing best practices, guided the
development of SOX, and it includes specific IT governance requirements.
As an overhaul of the Securities Exchange Act of 1934, SOX might sound like
just so much governmental saber rattling to soothe public opinion after failures
like Enron, LTCG and Barings, but it has teeth. For example, the last two
provisions (sec. 1106 and 1107) increase the criminal penalties of the 1934 Act
from $1M to $5M and from 10 years in prison to 20, raise the corporate fines from
$2.5M to $25M, and also provide a prison term of up to 10 years for retaliation
against informants. That certainly has the attention of CFOs and CEOs, who must
now attest to the accuracy of their SEC filings, and take legal responsibility
for the processes and systems used to compile the figures. From workflow to data
cleansing and integration, IT support will be critical as the required
information is held in systems such as BI, ERP and General Ledger whose
operation falls within the IT purview. Changes to these systems must also be
tracked, so configuration management takes on new significance.
So, what's the gift? Sections 404 and 409 of SOX. A careful reading shows SOX
as the opportunity of the decade for savvy CIOs who have long worried about
aligning IT's interests with the business'. As the economy has languished, CIOs
have been pressed to demonstrate value for each expenditure, and governance has
become synonymous with thrift. The current climate has the potential to choke
off innovation and projects with no clear justification using conventional
discounted cash flow metrics like return on investment. Yet infrastructure
upgrades are necessary, and new data integration and mining projects offer a
hard-to-quantify upside. How can you afford them in this climate? Read SOX
sections 404 and 409, and you will find that the government has an answer.
SOX 404 -- Management Assessment of Internal Controls -- has launched a
frenzy of IT activity. Software vendors and service providers alike are
attempting to capitalize on the fears of management by offering pre-audit
preparation services and new features to "support" SOX. In general, a competent
professional, reading the literature and guided by the spirit of the legislation
and their auditor (who can no longer profit by recommending remediation
activities), will not require extensive and expensive new initiatives for 404.
They will need to map their processes and products to the requirements and
possibly upgrade them. Careful attention to Section 404 will give IT management
the experience and credibility to really benefit from Section 409.
Section 409 -- Real Time Issuer Disclosures -- mandates that firms disclose
to the public, on a rapid and current basis, information that reflects a
material change in financials or operating conditions. This wonderfully vague
paragraph is almost buried within 66 pages of regulations, but it is perhaps the
most significant clause to CIOs.
Where will the CEO and CFO find the information that reveals these changes?
It might be a trend first detected as an anomaly in your supply chain and
recorded in your ERP system. It might be an irregularity in the closing
activities in your general ledger system(s) or a new pattern uncovered by your
data mining software. Somewhere in the data are indicators that change is afoot,
and unless a firm can identify and disclose them appropriately, the firm and its
officers face severe penalties. Suddenly, investing in IT infrastructure and
architecture to improve flexibility might seem like a bargain to general
management.
Although compliance deadlines have been extended -- most firms don't have to
comply with Section 404 until June 2004, for example -- the effort required
still indicates that a sense of urgency is warranted. One problem for IT
executives is that for practical purposes, they often can't lead SOX efforts,
but in some cases they are left out of the loop for so long that they are in
danger of becoming the scapegoats. The CIO who can approach a CFO and say, "I
read SOX and think I have a way to limit your exposure" will have a new best
friend. The CIO who waits for directions from an audit committee or CFO will
miss an opportunity, and likely miss a deadline.
Improving the quality of data, BI, records management and configuration
management are not only good business, they just might keep your CEO and CFO
from a long prison sentence. Would now be a good time to bring this to their
attention, along with your budget request for the necessary resources?
About the Author
Adrian J. Bowles is research director of the IT Compliance Institute (ITCI) and a research fellow with the Robert Frances Group. He can be reached at [email protected].