SEC, SOX, and CIOs: Ramifications of the Sarbanes-Oxley Act
As the data owners for corporate financial reports, CIOs should begin preparing documentation for Sarbanes-Oxley compliance, says Compass America, even though the deadline is still nearly a year away.
By John Kopeck
July 01, 2003 — CSO —
The passage of the Sarbanes-Oxley Act (SOX) marks a new era of accountability for corporate officers. As of the end of the fiscal year ending on or after June 15, 2004, the annual reports of firms covered by the act must begin to comply with the financial reporting disclosure requirements of the SOX management report on internal control. Section 404 of SOX, moreover, requires every registered public accounting firm that prepares or issues an audit report on a client's annual financial statements to attest to, and report on, the assessment made by management.
In simplest terms, SOX requires that each principal executive and principal financial officer of SEC-registered firms sign a statement declaring that policies and procedures are in place and working effectively to ensure accuracy in asset disposition, transactions and internal reporting processes.
In real terms, firms will be scrambling to create policies and documentation to assign responsibility for "ownership" of all data used in consolidating financial statements for quarterly and annual reports. Should a misstatement occur, you can bet many CEOs will be looking for someone to join them in what could be a very uncomfortable conversation with SEC investigators. In many cases the data owner for financial reports will be the CIO. Are you ready?
CIOs might want to begin their readiness assessment with some basic questions:
- Does your firm have detailed documentation on how all transactions are handled within its financial application software?
- Are detailed policies and procedures in place to ensure security for all databases and data warehouses?
- Are asset management policies well documented and adhered to, including such details as procedures for capitalizing software development?
- Have legacy systems been fully integrated with newer systems? And have systems acquired via mergers or consolidations been completely aligned?
- Has risk been adequately addressed concerning outsourced operations, particularly those taken offshore?
A principal goal of the SOX legislation is to alert investors to creative financial engineering by management, and to hold management responsible when such financial engineering impacts the firm's value. Nowhere perhaps is the opportunity for such financial "creativity" more evident than in the area of outsourced services contracts - which in some cases can look an awful lot like off-balance sheet financing.
A popular way to reduce invested capital, and thus improve short-term Return on Capital Employed, is to sell corporate assets and then rent them back. Many companies have sold their headquarters buildings, real estate and even manufacturing complexes to REITs, other firms, or individuals to lighten their balance sheets of these assets. If capital freed up by such sales is reinvested in opportunities with higher returns, this makes sense from a value creation perspective. But the commitment to the assets remains in the form of rent payments, which many analysts capitalize and return to the ROCE equation.