Sarbanes-Oxley: A gift from the government?
According to the Cato Institute, more than 4,000 new final rules are approved
by agencies of the U.S. Federal Government every year. Some, like the USA
Patriot Act, generate lots of publicity because they impact personal privacy and
are linked to national security issues. Others, like the Health Insurance
Portability and Accountability Act (HIPAA) are noticeable because virtually
every consumer of medical and insurance services now has to fill out more
paperwork. In terms of impact and opportunity for IT, however, none of these
compare to the innocuous-sounding Sarbanes-Oxley Act (SOX) of 2002. SOX imposes
new constraints on all public firms operating in the U.S., and indirectly
impacts many larger private firms that will have to comply to become serious
merger/acquisition candidates or to partner with public firms.
Officially described as ''An act to protect investors by improving the
accuracy and reliability of corporate disclosures made pursuant to the
securities laws, and for other purposes,'' SOX might have been called the full
employment act for U.S. accountants and attorneys. With stringent requirements
for improved visibility into business processes and financial disclosure, it
demands rigor of process to an unprecedented degree. The Committee of Sponsoring
Organizations (COSO) of the Treadway Commission framework (www.coso.org), which provides the basis
for auditing best practices, guided the development of SOX, and includes
specific IT governance requirements.
As an overhaul of the Securities Exchange Act of 1934, SOX might sound like
just so much governmental saber rattling to soothe public opinion after failures
like Enron, LTCG and Barings, but it has teeth. For example, the last two
provisions (sec. 1106 and 1107) increase the criminal penalties of the 1934 Act
from $1M to $5M and from 10 years in prison to 20, and the corporate fines from
$2.5M to $25M, and also provides a prison term of up to 10 years for retaliation
against informants. That certainly has the attention of CFOs and CEOs, who must
now attest to the accuracy of their SEC filings, and take legal responsibility
for the processes and systems used to compile the figures. From workflow to data
cleansing and integration, IT support will be critical as the required
information is held in systems such as BI, ERP and General Ledger whose
operation falls within the IT purview. Changes to these systems must also be
tracked, so configuration management takes on new significance.
So, what's the gift? Sections 404 and 409 of SOX. A careful reading shows SOX
as the opportunity of the decade for savvy CIOs who have long worried about
aligning IT's interests with the business'. As the economy has languished, CIOs
have been pressed to demonstrate value for each expenditure, and governance has
become synonymous with thrift. The current climate has the potential to choke
off innovation and projects with no clear justification using conventional
discounted cash flow metrics like return on investment. Yet infrastructure
upgrades are necessary, and new data integration and mining projects offer a
hard-to-quantify upside. How can you afford them in this climate? Read SOX
sections 404 and 409, and you will find that the government has an answer.
SOX 404 -- Management Assessment of Internal Controls -- has launched a
frenzy of IT activity. Software vendors and service providers alike are
attempting to capitalize on the fears of management by offering pre-audit
preparation services and new features to ''support'' SOX. In general, a competent
professional, reading the literature and guided by the spirit of the legislation
and their auditor (who can no longer profit by recommending remediation
activities), will not require extensive and expensive new initiatives for 404.
They will need to map their processes and products to the requirements and
possibly upgrade them. Careful attention to Section 404 will give IT management
the experience and credibility to really benefit from Section 409.
Section 409 -- Real Time Issuer Disclosures -- mandates that firms disclose
to the public, on a rapid and current basis, information that reflects a
material change in financials or operating conditions. This wonderfully vague
paragraph is almost buried within 66 pages of regulations, but it is perhaps the
most significant clause to CIOs.
Where will the CEO and CFO find the information that reveals these changes?
It might be a trend first detected as an anomaly in your supply chain and
recorded in your ERP system. It might be an irregularity in the closing
activities in your general ledger system(s) or a new pattern uncovered by your
data mining software. Somewhere in the data are indicators that change is afoot,
and unless a firm can identify and disclose them appropriately, the firm and its
officers face severe penalties. Suddenly, investing in IT infrastructure and
architecture to improve flexibility might seem like a bargain to general
Although compliance deadlines have been extended -- most firms don't have to
comply with Section 404 until June 2004, for example -- the effort required
still indicates that a sense of urgency is warranted. One problem for IT
executives is that for practical purposes, they often can't lead SOX efforts,
but in some cases they are left out of the loop for so long that they are in
danger of becoming the scapegoats. The CIO who can approach a CFO and say, ''I
read SOX and think I have a way to limit your exposure'' will have a new best
friend. The CIO who waits for directions from an audit committee or CFO will
miss an opportunity, and likely miss a deadline.
Improving the quality of data, BI, records management and configuration
management are not only good business, they just might keep your CEO and CFO
from a long prison sentence. Would now be a good time to bring this to their
attention, along with your budget request for the necessary
Adrian J. Bowles is research director of the IT Compliance Institute (ITCI) and a research fellow with the Robert Frances Group. He can be reached at firstname.lastname@example.org.