


by John Hagerty

Five Things IT Needs To Know About Sarbanes-Oxley Compliance

May 15, 2003

For the last nine months, many CEOs and CFOs have been scrambling to understand and quickly comply with the rules and regulations of the Sarbanes-Oxley Act (SOA), the accounting reform and investor protection legislation passed by Congress last summer. The first round of compliance required significant policy and procedure checkpoints to ensure the independence of board members and audit committees, along with CEO/CFO certification of financial results, in essence holding top executives personally responsible for misrepresentation of company performance.

With the Securities and Exchange Commission (SEC), SOA’s enforcer, continually issuing new rules, CEOs and CFOs are now putting their arms around information technology (IT), enlisting it to assess the impact of compliance on the firm’s systems infrastructure. Depending on how it shakes out, the effect could be enormous.

As IT gets more involved with these time-critical regulations, you need to understand the following five points about SOA compliance and what it will mean to your company:

SOA governs publicly traded firms

SOA rules apply only to publicly traded firms that list their stock on any U.S.-based financial exchange. Even if your company is not a U.S.-based firm, as long as its stock is traded in the United States, it’s on the hook to comply. Private firms are not governed by these rules. Before you breathe a sigh of relief, many experts expect private companies will abide by the spirit, intent, and letter of the law.

Audit of internal controls and processes is mandated

The next major hurdle, expected for FY03 year-end filings, will be the auditability of the internal control structure and processes involved in financial reporting. It’s no longer just the numbers you report, but how you got to those numbers. Your external auditors will be required to issue an opinion of how well these processes are followed. Many companies are manually implementing these process controls today. In the longer term, most existing applications lack thorough enforcement of business process, and may be the place where a new application or IT-supported business process is required to pass muster with auditors and let the CEO and CFO sleep better at night.

It will reach beyond financial processes

Financial reporting is just the beginning. It assumes the business transactions recorded in Enterprise Resource Planning (ERP), supply chain, Customer Relationship Management (CRM), and other operational systems are not subject to unintentional lapses in process control. A broad-based review of business practices (especially in decentralized firms) could reach back into the bowels of business operations, eventually requiring wholesale systemic change to some operational business processes and the systems that support them. Outside experts are helping companies uncover Grand Canyon-sized gaps, which will take IT support to fill up.

Get ready for real-time disclosure

The most ambiguous and potentially onerous regulation has to do with timely and accurate disclosure of material events to the business. Widely viewed as a call for real-time reporting, IT will need to keep a watchful eye on developments, as the firm’s data infrastructure could be in for serious revamping when companies are required to disclose events that affect the business within 48 hours, the current interpretation of this regulation. Although there isn’t a stipulated timeframe for this one, leading companies are already beginning to implement an Enterprise Performance Management (EPM) framework to support strategy-driven real-time analytics and decision-making.

SOA is a process, not an event

A quick look at the SEC’s website shows a barrage of rules issued in response to SOA, refining the requirements of the Act. The SEC will continually issue pronouncements on what will be required and when rules will take effect. Because of this, organizations must remain fluid to respond to SOA. Regulatory requirements mandated by other government agencies, such as the Food & Drug Administration (FDA) or the Environmental Protection Agency (EPA), have had significant effect on firms, and may offer a view into where SOA may end up.

For certain, the SOA compliance picture is still blurry, but becoming clearer with each SEC ruling. You can’t hide; IT involvement starts now.

We’ll be researching the impact of SOA throughout 2003 as a continuum that will potentially affect all major sectors of the business. If you’ve started down this path, we’d love to talk to you about your experiences to date. Haven’t started yet? What issues do you need to wrestle to the ground soon? Will SOA raise any winners in the technology, applications, and consulting game? I welcome your comments. E-mail John Hagerty at