Sarbanes-Oxley: Where IT and Finance Meet

Norbert J. Kubilus   Today’s Top Stories   or  Other Legislation/Regulation Stories  

Google's Universal Search for Business Why SaaS is Vital to Email and Web Security Bringing Order and Security to your Mobile Workforce: Corporate Mobility Policy and Device Management Extending COBOL to SOA, Web Services and Beyond Extend, Replace, or Convert: Which is the Best Way Forward for Extending COBOL to SOA, Web Services and Beyond? Executing on a Customer Engagement Model SaaS Solutions for Remote Systems Management Learn-Fast Guide: Software as a Service is Growing Up Mobility @ the Speed of Business Sign up to receive Legislation/Regulation Resource Alerts

June 30, 2003 (Computerworld) -- There's a giant sigh of relief rising in the executive suites and corporate boardrooms of large, publicly held companies around the country. Why? Because the U.S. Securities and Exchange Commission has postponed implementing certain key sections of the Sarbanes-Oxley Act for nine months. This gives the SEC more time to complete the regulations that all SEC-regulated companies will have to follow.
Postponing SarbOx (as it's affectionately called) will give CEOs, CFOs and external auditors more time to institute procedures for keeping track of all financial information, from the moment of inception to the final submission in an annual report to the SEC. It also delays the SarbOx mandate that every public company submit an annual report to the SEC that assesses the effectiveness of its internal controls for financial reporting.
Sounds like a purely financial issue, right? Not quite.
Yes, SarbOx is fundamentally financial legislation. Enacted in part as a reaction to Enron and other corporate financial scandals, the law's goal is for public companies to produce more complete and accurate financial reports. The emphasis on internal controls, however, goes far beyond policies, procedures and external audits.
The SEC still must define what "internal controls" means in terms of compliance regulations, but one thing is almost certain: Any public company that utilizes IT as part of its financial business processes will find that IT controls are included in the definition. SarbOx compliance could also mean an overhaul or upgrade of financial transaction and reporting systems for most companies, regardless of size, in order to meet regulatory requirements for more accurate, more detailed and speedier filings.
So far, CIOs have been warming the bench, while CEOs, CFOs, attorneys and auditors attempt to address known and anticipated SarbOx compliance issues. Now is the time for the CIO to get into the game and step up to take the lead on the IT control issue. The CIO should view the IT organization and infrastructure as if he were the CEO of a "business within the business." Would the CIO be comfortable putting his neck on the line during a SarbOx compliance audit? Probably not.
Although regulations haven't been defined for compliance with SarbOx Section 404 -- which mandates an audit of internal controls -- there are a number of areas where the CIO can apply common sense and best practices to comply with the act's goals.
Examining the control processes within the IT organization relating to financial systems is the logical place to start. For example, segregation of duties within the systems development staff is a widely recognized best practice that helps prevent errors and outright fraud. The people who code program changes should be different from the people who test them, and a separate team should be responsible for production change control.
Homegrown financial systems are fraught with potential data-integrity problems, but packaged systems aren't totally immune, either. Although leading ERP systems offer audit-trail functionality, customizations of these systems often bypass those controls. The CIO has to work with internal and external auditors to ensure that customizations can pass muster.
Closely related to development and change controls are project management methodologies. The leading cause of systems implementation failure continues to be poor project management. The CIO must ensure that the IT department has a process to ensure a successful selection and implementation of new or upgraded financial systems within defined schedules, budgets and acceptable levels of risk.
Records management is another area of concern for the CIO as the long-term custodian of corporate data. How a company stores and transmits electronic documents -- and whether or not they're deleted -- can have significant legal and financial consequences. The CIO should work with the CEO, CFO and corporate attorneys to create a document-retention-and-destruction policy that addresses what types of electronic documents should be saved -- and for how long.
Ultimately, SarbOx compliance will require a close working relationship involving the CEO, CFO and CIO. Getting into the game starts with running IT as a business and strengthening IT internal controls.
Norbert J. Kubilus is a partner at Tatum CIO Partners LLP in San Diego. He can be reached at
Norbert.Kubilus@tatumpartners.com.

Print this Story

Send Us Feedback

E-mail this Story

Digg this Story

Slashdot this Story

Sarbanes-Oxley: Where IT and Finance Meet

"Mo' problems in Thursday's IT Blogwatch, as Microsoft and Novell extend their "deadly" embrace. Not to mention George Lucas's new..." Read more... "Here's a first: Microsoft faces an anti-trust investigation in Taiwan because it no longer sells XP. Microsoft has been targeted..." Read more... Read more Government & Regulation posts or See all Blogs

Vista users rush for SP1, XP owners dawdle on SP3 iPhone 3G owner sues Apple over dropped calls, slow speeds Microsoft eases use of Photosynth Facebook hopes new ad scheme can engage users Microsoft to buy up to $100M in Novell SUSE Linux support vouchers Ericsson, STMicro to form mobile chip venture Wi-Fi in-flight comes to some American routes How to turn a software pirate into a paying customer Yahoo Buzz poses serious threat to Digg, some users say Emergency notification displays to bolster Virginia Tech alert systems More top stories...

WSJ: Microsoft hires Seinfeld to bite Apple China blocks iTunes, users claim Amazon launches persistent storage in the EC2 cloud Mozilla names best Firefox 3 add-ons Apple's MobileMe lacks key security feature Get tough on telecommuting: 6 questions to ask before you say yes Comcast: New traffic management plan still in the works Online encyclopedia lists internal network security threats Microsoft seeds WSUS with Windows 7 Client Palm plans to sell Treo Pro without U.S. operator partner

Forgotten PC history: The true origins of the personal computer The x86's lineage can be traced back to 1968, to a design on a napkin drawn by Austin O. "Gus" Roche, an all-but-forgotten engineer in Texas who was obsessed with creating a personal computer. Make Leopard leap: Time-saving tips for OS X 10.5 Are you using the latest version of Mac OS X efficiently? Try our tips and watch your productivity soar. Free Windows XP tuneup: Put new life into an old workhorse Just because Microsoft's done with XP doesn't mean you have to be. Keep XP in the game with these downloads, tweaks and hacks. Opinion: Why the iPhone is Apple's Trojan horse Apple's new iPhone software is more significant for IT than the new iPhone itself, says Michael Gartenberg. Windows Vista A to Z Reviews, analyses, how-tos, visual tours, hot issues and predictions about Microsoft's new OS. More Continuing Coverage After 9/11: Homeland Security Apple's iPhone Ask a Premier 100 IT Leader Bill Gates steps down BlackBerry Legal Battle Data Security Breaches Electronic Voting Firefox H-1B Visas HP's Boardroom Scandal Handheld Devices Hurricane Katrina Aftermath Microsoft Legal Issues Microsoft's Vista Open Source RFID Technology SCO's Linux Fight Sarbanes-Oxley Act Spam Voice Over IP Wi-Fi Windows Meta File Vulnerability Windows XP Service Pack 3 IT Careers 2010 Four years from now, the IT field will be a vastly different place. Will you be ready? More Special Reports Premier 100 IT Leaders 2007 Best in Class 2006 Computerworld Horizon Awards 2006 Premier 100 IT Leaders 2006 Salary Survey 2007 Best Places to Work in IT 2007 IT Forecast 2007 Premier 100 IT Leaders 40 Years of Computerworld ASPs, Take Two Best Places to Work in IT 2003 Best Places to Work in IT 2004 Best Places to Work in IT 2005 Best Places to Work in IT 2006 Business Intelligence Home Runs Business Intelligence: Smarter BI Business Intelligence: The Future of BI CRM Goes Vertical CRM: Sober CRM Career Planning Guide 2005 Careers: IT Profession 2010 Computerworld Horizon Awards 2005 Data Management: Mining for Gems Data Management: Taming Data Chaos Development: Hard-Workin' Web Sites Development: New Tools New Choices Development: The New World of Application Development Development: The Web Services Tsunami Development: Web Services Hurdles Disaster Recovery: Preparing for the Worst E-commerce Grows Up E-mail/Groupware: Big Decisions Faces of Mobile IT Forecast 2006 Global Mobile Hardware: Multiple Cores, Multiple Challenges Hardware: On-Demand Un-Hyped Hardware: The Shape of Things to Come Horizon Awards: 10 Cool Cutting Edge Technologies IT Management: Guide to Managing Vendors IT Management: Navigating Global IT IT Management: Recovery Ahead IT Management: The Future of IT IT Management: The Resourceful Project Manager Innovative Technology Awards 2004 Management: Reinventing IT Microsoft in Transition Mobile/Wireless Leaders and Laggards Mobile/Wireless: The Untethered Worker Mobile/Wireless: Tiny Gadgets, Huge Costs Network Management: Taking Control Networking: Turbulence Ahead! Networking: VoIP Goes Mainstream Operating Systems: In the Slow Lane Operating Systems: Linux Goes Global Operating Systems: Should You Nix Unix? Outsourcing: Offshore Buyer's Guide Outsourcing: Outsourcing Dangers Premier 100 IT Leaders 2004 Best in Class Premier 100 IT Leaders 2005 Best in Class ROI: Do the Math! Salary Survey 2003 Salary Survey 2004 Salary Survey 2005 Security Action Plan Security: Compliance Headaches Security: Proactive Security Security: Risk and Reward Security: Tips From Security Pros Souped-up Security Storage: Battling Complexity Storage: Cheap & Secure Data Stores Storage: Stretching Your Storage Dollars Storage: The Lean Storage Machine Storage: The New Rules of Storage Storage: The Ultimate Backup Guide Supply Chain: Missing Links Supply Chain: RFID Reality Check The Business of Security Web 2.0 Security Wireless: Wireless At Work All Zones Application Performance Zone Business Continuity Zone The File Data Management Zone Security Management Zone ITIL Best Practices Zone The SAS Zone Business Intelligence and Analytics Zone Windows Protection Zone Identity & Security Management Zone See your link here

Computerworld Executive Briefing: The Compliance Era Get this briefing free (a $195 value), for a limited time, courtesy of VeriSign. The new Computerworld report, The Compliance Era, explains why regulatory compliance has zoomed to the top of the IT agenda and shows how real-world IT executives are dealing with the storage, security and privacy challenges. Get this briefing free (a $195 value), for a limited time, courtesy of VeriSign. Download this executive briefing  Long Tail Supplier Collaboration - What's In It For You? Long Tail Supplier Collaboration - What's In It For You? Download this webcast, free, compliments of Sterling Commerce Go to the webcast  Web Security SaaS: The Next Generation of Web Security Download this whitepaper, free for a limited time, compliments of Webroot Software! (Source: Webroot Software) The Web is the new threat vector of choice for hackers and cybercriminals to distribute malware and perpetrate identity theft, financial fraud, and corporate espionage. This paper outlines the challenges facing many SMBs and provides solutions for overall security effectiveness and reducing the burden on IT departments. Download this white paper  White Papers Read up on the latest ideas and technologies from companies that sell hardware, software and services. Extending COBOL to SOA, Web Services and Beyond Solution Brief: Reduce Energy Costs Gartner Paper: US Data Centers - The Calm Before the Storm View more whitepapers

• Sarbanes-Oxley: Where IT and Finance Meet

• Vista users rush for SP1, XP owners dawdle on SP3
• WSJ: Microsoft hires Seinfeld to bite Apple
• iPhone 3G owner sues Apple over dropped calls, slow speeds
• More top stories 

Since You Asked A weekly storage column from storage analyst, Steve Duplessie of the Enterprise Strategy Group Click here to read the latest column by Steve Duplessie

Eliminate SPAM, Gain Productivity Learn all about the dangers and the costs of spam in all its forms – from stock-touting to spreadsheet. Also, understand the drawbacks of traditional hardware- and software-based defenses – and the unique benefits of MessageLabs multi-layered, managed Anti-Spam solution; as illustrated by a real-world case study where MessageLabs stopped spam cold. Download this white paper now!  See more Whitepapers

The Spy Files For Congress to do anything that helps protect consumers and the critical Internet infrastructure as a whole, it must pass laws that require proactive processes to protect computers, not that tell people how to deal with the resulting mess, says Ira Winkler. Click here to read the latest column by Ira Winkler

Customer Satisfaction with Email Archiving Systems Osterman Research conducted a primary survey asking organizations about a variety of archiving systems to understand the level of satisfaction that customers of Sunbelt Exchange Archiver (SEA) and other email archiving offerings report on a variety of metrics related to product and vendor performance. Download this white paper now!